Update: We now have an official blog post from Microsoft:
The workaround to disable the MSDT URL Protocol is now confirmed, and we do have a CVE number for the issue.
It was a long weekend for many European countries, and it's an off-day in the US, but we were aware of a new attack vector for Microsoft Office documents. It started with a tweet from @nao_sec, who reported an interesting Word document. Office documents have been a common way to drop malware into victims’ computers for a while. We have to fight against VBA macros, XLS 4 macros, embedded payload, etc. But the one described here is interesting.
The file is detected by only 17 antivirus engines on VT (sha256:4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784)
When you open the file, nothing is displayed (it seems like a blank document), but, looking at the document specs, you see something interesting: The document contains an external reference pointing to a malicious URL:
This host, www[.]xmlformats[.]com, will be visited when you open the document (and activate the content). The following payload will be fetched:
The interesting part is the windows.location.href. The protocol schema is “ms-msdt:/“ (note the single slash!). What’s this MSDT or “Microsoft Support Diagnostic Tool”? msdt.exe is a tool provided by Microsoft that will collect information to send to Microsoft Support.
Microsoft Office will automatically process the MSDT URL and execute the Powershell payload. The Base64 contains this:
Even if macros are disabled, the protected view feature does its job. However, Kevin Beaumont tested a document converted into an RTF form. It works even when you preview the document in Windows explorer. This vulnerability does not work with all Office versions (at least in Office 2013 and 2016).
While we had a look at the malicious file during the weekend, Didier generated a new payload that will fire a classic calculator as a demonstration of the code execution. He recorded a video of the behavior .
This behavior is really bad. How to detect this? Note that the suspicious scheme ("ms-msdt:/") is not present in the document. It's present in the first stage payload that will be downloaded by Office. Here are some ideas:
1. Check the parent-child relationship: A good idea is to track msdt.exe processes launched from parent processes like word.exe or excel.exe.
2. Delete the 'ms-msdt' scheme from the registry. Didier performed some tests, and it works.
3. Prevent Office from spawning child processes by creating an ASL rule:
4. Of course, train your users not to open suspicious documents.
We will continue to keep an eye on this new attack vector and update this diary. Feel free to share your findings with us.
Xavier Mertens (@xme)
Jun 1st 2022
|Thread locked Subscribe||
Jun 1st 2022
1 month ago