[Vulnerability Advisory] Microsoft MSDT Arbitrary Code Execution Vulnerability (CVE-2022-30190)

Published: 2022-05-31

0x00 Vulnerability Overview

CVE ID: CVE-2022-30190

Discovery date: 2022-05-30

Type: Code execution

Severity: High

Remote exploitation:

Affected scope:

Attack complexity: Low

User interaction: Yes

PoC/EXP: Public

Exploited in the wild: Yes

 

0x01 Vulnerability Details

On May 30, Microsoft published a security advisory disclosing an arbitrary code execution vulnerability in Microsoft MSDT (CVE-2022-30190), with a CVSS score of 7.8. The vulnerability has since been publicly disclosed, and exploitation in the wild has been detected.

MSDT (Microsoft Support Diagnostics Tool) is an application used to troubleshoot problems and collect diagnostic data so that support professionals can analyze and resolve them.

A code execution vulnerability exists when MSDT is invoked through its URL protocol from a calling application such as Word. An attacker who successfully exploits it can run arbitrary code with the privileges of the calling application and, within what the user's rights allow, install programs; view, change, or delete data; or create new accounts. Reproduction of the vulnerability is shown below:

[Screenshot: vulnerability reproduction (image not preserved)]

The vulnerability was detected in a malicious Word document uploaded to VirusTotal from an IP address in Belarus. The malicious file uses Word's remote template feature to retrieve an HTML file from a server and then uses the "ms-msdt://" URI to execute PowerShell code. Even with macros disabled, Microsoft Word still executes code through msdt. In addition, when the malicious file is saved in RTF format, arbitrary code can be executed on the target system without even opening the file, via the preview pane in Windows Explorer.

 

Affected versions

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows 7 for x64-based Systems Service Pack 1

Windows 7 for 32-bit Systems Service Pack 1

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 for 32-bit Systems

Windows 10 Version 21H2 for x64-based Systems

Windows 10 Version 21H2 for ARM64-based Systems

Windows 10 Version 21H2 for 32-bit Systems

Windows 11 for ARM64-based Systems

Windows 11 for x64-based Systems

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server 2022 Azure Edition Core Hotpatch

Windows Server 2022 (Server Core installation)

Windows Server 2022

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

 

0x02 Security Recommendations

The Microsoft Security Response Center has published guidance for this vulnerability; affected users can disable the MSDT URL protocol or apply an unofficial patch:

Disable the MSDT URL protocol

½ûÓà MSDT URL ЭÒé¿É±ÜÃâ¹ÊÕÏɨ³ý³ÌÐò×÷ΪÁ´½ÓÆô¶¯£¬£¬£¬£¬°üÀ¨Õû¸ö²Ù×÷ϵͳµÄÁ´½Ó¡£¡£¡£¡£¡£ ¡£µ«ÈÔÈ»¿ÉÒÔʹÓÃÆäËü·½·¨»á¼û¹ÊÕÏɨ³ý³ÌÐò¡£¡£¡£¡£¡£ ¡£

1. Run Command Prompt as Administrator.

2. To back up the registry key, run the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".

3. Run the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

To undo the workaround:

1. Run Command Prompt as Administrator.

2. To restore the registry key from the backup, run the command "reg import filename".
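The three-step workaround and its undo, as an added PowerShell script that is not part of the original advisory: it wraps the advisory's reg.exe commands, refuses to delete the key unless the backup succeeded, and verifies the handler's presence before and after each step. The default backup path is an assumption.

```powershell
# Added example (not from the advisory): apply, check, or undo the MSRC workaround
# of removing the ms-msdt: protocol handler. Run in an elevated PowerShell session.
# $BackupPath is an assumed location; the reg.exe commands are those in the advisory.
param(
    [ValidateSet('Check', 'Apply', 'Undo')]
    [string]$Action = 'Check',
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"
)

function Test-MsdtHandlerRegistered {
    # The handler is registered as long as HKEY_CLASSES_ROOT\ms-msdt exists.
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

switch ($Action) {
    'Check' {
        if (Test-MsdtHandlerRegistered) {
            Write-Output 'ms-msdt: handler is registered (workaround NOT applied)'
        } else {
            Write-Output 'ms-msdt: handler is absent (workaround applied)'
        }
    }
    'Apply' {
        if (-not (Test-MsdtHandlerRegistered)) {
            Write-Output 'Nothing to do: handler already removed'
            break
        }
        # Step 2: back up the key first; Undo depends on this file.
        reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
            throw 'Backup failed; the key was not deleted'
        }
        # Step 3: remove the protocol handler, then confirm it is gone.
        reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f
        if (Test-MsdtHandlerRegistered) { throw 'Handler still present after delete' }
        Write-Output "Workaround applied; backup saved to $BackupPath"
    }
    'Undo' {
        if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
        reg.exe import $BackupPath
        if (-not (Test-MsdtHandlerRegistered)) { throw 'Handler was not restored' }
        Write-Output 'Handler restored from backup'
    }
}
```

Running the script with no arguments is read-only and only reports whether the workaround is in place, which is useful for fleet-wide compliance checks.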

In addition, Microsoft Defender Antivirus with detection build 1.367.719.0 or later provides detection and protection against possible exploitation of the vulnerability; Microsoft Defender for Endpoint provides customers with detections and alerts; and the following alert titles in the Microsoft 365 Defender portal can indicate threat activity on the network:

- Suspicious behavior by an Office application

- Suspicious behavior by Msdt.exe

Reference:

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

 

Unofficial patch

The 0patch micropatch service is mainly intended to protect systems until an official fix is available. 0patch has released free micropatches for this vulnerability for certain Windows versions, but the patch does not completely disable the MSDT protocol handler; it only adds sanitization of the user-supplied path. Note that downloading the micropatch requires registering a 0patch account and installing the 0patch agent. The micropatch applies to the following Windows versions:

Windows 11 v21H2

Windows 10 v21H2

Windows 10 v21H1

Windows 10 v20H2

Windows 10 v2004

Windows 10 v1909

Windows 10 v1903

Windows 10 v1809

Windows 10 v1803

Windows 7

Windows Server 2008 R2

Download link:

https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html

 

Other recommendations

1. Disable the preview pane in Windows Explorer to remove it as an attack vector that can be triggered when a malicious file is previewed.

2. If you use Microsoft Defender Attack Surface Reduction (ASR) rules, enable the "Block all Office applications from creating child processes" rule in Block mode. If you are not yet using ASR rules, run the rule in Audit mode first and review the results to make sure it does not adversely affect your systems.
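The ASR recommendation as an added PowerShell example (not from the advisory): it reads the rule's current state, stages the rule in Audit mode, and leaves the enforcing command ready for after the audit review. The rule GUID is Microsoft's published identifier for the "Block all Office applications from creating child processes" rule.

```powershell
# Added example (not from the advisory): stage the Microsoft Defender ASR rule
# "Block all Office applications from creating child processes" in Audit mode,
# report its state, and keep the Block-mode command ready for later.
# Run in an elevated PowerShell session on a host running Microsoft Defender Antivirus.
# The GUID is Microsoft's published identifier for this rule.
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    param([string]$RuleId)
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            # Action codes as reported by Get-MpPreference: 0 Disabled, 1 Block, 2 Audit, 6 Warn
            $state = switch ([int]$actions[$i]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
            }
            return $state
        }
    }
    return 'NotConfigured'   # the weak state: the rule is not present at all
}

Write-Output "Before: $(Get-AsrRuleState $OfficeChildProcessRule)"

# Stage 1: Audit mode. Office processes that spawn child processes are logged
# (Microsoft-Windows-Windows Defender/Operational, event ID 1122) but not blocked,
# so add-ins that legitimately spawn processes can be identified before enforcement.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                 -AttackSurfaceReductionRules_Actions AuditMode
Write-Output "After staging: $(Get-AsrRuleState $OfficeChildProcessRule)"

# Stage 2, once the audit events have been reviewed: switch the rule to Block mode.
# Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
#                  -AttackSurfaceReductionRules_Actions Enabled
```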

Note: researchers identified the 0-day vulnerability detected being exploited in the wild as a Microsoft Office code execution 0-day (dubbed "Follina"), which affects Office 2016, Office 2021, and other versions. This advisory is based primarily on Microsoft's official advisory for the Microsoft Windows Support Diagnostic Tool (MSDT) arbitrary code execution vulnerability.

 

0x03 References

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html

 

0x04 Version History

Version | Date       | Changes
V1.0    | 2022-05-31 | Initial release
V2.0    | 2022-06-02 | Added mitigation measures and other updates

 

0x05 Appendix

About c7c7娱乐平台

c7c7娱乐平台 was founded in 1996 and was officially listed on the SME Board of the Shenzhen Stock Exchange on June 23, 2010. It is a leading domestic provider of network security products, trusted security management platforms, security services and solutions, with fully independent intellectual property rights.

The company is headquartered in Zhongguancun Software Park, Beijing, with branches in provinces, municipalities and autonomous regions across the country, a nationwide channel system and technical support centers, and R&D centers in Beijing, Shanghai, Chengdu, Guangzhou, Changsha, Hangzhou and other cities.

For many years, c7c7娱乐平台 has been committed to providing internationally competitive, independently innovated security products and best-practice services, helping customers comprehensively improve the security and productivity of their IT infrastructure, and working tirelessly to build an internationally recognized national information security brand.


c7c7娱乐平台 Security Emergency Response Center

The c7c7娱乐平台 Security Emergency Response Center focuses on early warning and tracking of major security vulnerabilities and on sharing the latest global threat intelligence and security reports.
