漏洞平台

POC详情： 1dbc282e4fb45c2c078defe8053e191e959a5297

来源

https://github.com/sentinelblue/CVE-2022-30190

关联漏洞

标题： Microsoft Windows Support Diagnostic Tool 操作系统命令注入漏洞 (CVE-2022-30190)
描述：Microsoft Windows Support Diagnostic Tool是美国微软（Microsoft）公司的收集信息以发送给 Microsoft 支持的工具。 Microsoft Windows Support Diagnostic Tool (MSDT)存在操作系统命令注入漏洞。以下产品和版本受到影响：Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows

描述

Microsoft Sentinel analytic rule and hunting queries in ASIM for activity of MSDT and CVE-2022-30190.

介绍

# CVE-2022-30190

> On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.
>
> A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

<https://nvd.nist.gov/vuln/detail/CVE-2022-30190>

Visit the [sentinel](/sentinel/) directory for more information regarding hunting and alerts with Microsoft Sentinel.

## Proof-of-Concept

Below are two POC repositories. We can confirm the POC by John Hammond works. It is what we used to validate the alerts by opening a "notepad" window via a Word document.

<https://github.com/JohnHammond/msdt-follina>

<https://github.com/onecloudemoji/CVE-2022-30190>

## Mitigations Guidances

<https://www.sentinelone.com/blog/staying-ahead-of-cve-2022-30190-follina/>

<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>

## References

<https://nvd.nist.gov/vuln/detail/CVE-2022-30190>

<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>

<https://www.tenable.com/blog/cve-2022-30190-zero-click-zero-day-in-msdt-exploited-in-the-wild#:~:text=CVE-2022-30190%20is%20a%20remote%20code%20execution%20vulnerability%20in,called%20using%20the%20URL%20protocol%20from%20certain%20applications.>

<https://twitter.com/nao_sec/status/1530196847679401984?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1530196847679401984%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.tenable.com%2Fblog%2Fcve-2022-30190-zero-click-zero-day-in-msdt-exploited-in-the-wild>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30190>

文件快照


 [4.0K]  /data/pocs/1dbc282e4fb45c2c078defe8053e191e959a5297
├── [1.2K]  LICENSE
├── [1.9K]  README.md
└── [4.0K]  sentinel
    ├── [2.4K]  example_hunting.kql
    ├── [2.6K]  process_create.xml
    ├── [3.3K]  readme.md
    ├── [5.0K]  sentinel_alert.json
    └── [1.8K]  sentinel_alert.yml

1 directory, 7 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。