
Trouble with the Troubleshooter: A Primer on CVE-2022-30190

BSides KC · 2022 · 17:47 · 74 views · Published 2022-10 · Watch on YouTube ↗
About this talk
Grant Shanklin walks through the discovery and technical analysis of CVE-2022-30190 (Follina), a May 2022 zero-day affecting Microsoft Word. The talk covers reverse-engineering the vulnerability from a malicious document to remote code execution via the Microsoft Support Diagnostic Tool, and examines the security community's rapid response to the unpatched threat.
Original YouTube description

Trouble with the Troubleshooter; A Primer on CVE-2022-30190 - Grant Shanklin

On May 27th, 2022, a zero-day was observed gaining Remote Code Execution (RCE) through malicious Microsoft Word documents. This discovery took the security industry by storm. Within 24 hours there were hundreds of articles, proof-of-concepts, and mitigation techniques, but one thing was still missing: a patch. In this talk, we will analyze how this vulnerability worked, why it worked, and maybe throw in a demo or two ;) We will also dive into the security community's response and the impact this type of vulnerability has on the security landscape going forward. This talk has been designed for everyone, from new InfoSec hobbyists to advanced practitioners, to get something out of it. I hope you join me for “Trouble with the Troubleshooter; A Primer on CVE-2022-30190”.

Grant Shanklin (ThreatOps Intern - R&D at Huntress)

Grant is an emerging leader in cyber security. He is passionate about building foundational security knowledge through structured and unstructured learning: home lab projects, certifications, internships, and a strong mentorship network. Most recently Grant worked at Huntress as a ThreatOps Intern. He was on the R&D team that dove deep into the understanding of Follina and implementation of tools to defend, among many other things. As described by one of his mentors, “Grant personifies our best hope for the future of the information security field, poised to tackle some of the world’s most intractable problems with a sense of intention and humility.”
Transcript [en]

Okay, so yeah, as you said, my name is Grant Shanklin and my talk today is titled Trouble with the Troubleshooter: A Primer on CVE-2022-30190. So again, as I mentioned before, I am a senior at Northwest High School and I've been fortunate to get into cyber security at a pretty early age, getting experience through the ThreatOps R&D team at Huntress as well as with penetration testing with the OSCP certification. So without further ado, what we're going to cover today in this presentation: starting off, what even is a zero day, for anyone who might be a non-technical person or newer to the industry, and then go over what reverse engineering a CVE might look like. We're going to use the specific zero day, again for Microsoft Word, and walk through reverse engineering it, and then maybe even have time for a quick demo to see that in action.

Goals for this talk: I want everyone to make sure of a solid background on what zero days and CVEs are, and then get to understand the technical details of CVE-2022-30190. I honestly think it's really interesting how it's not too complicated but still, you know, a very impactful zero day. And then the third: understand how to uncover these details for yourself. I hope that by the end of this, the next time a zero day kind of hits the scene, you want to go reverse engineering for yourself.

So yeah, what even is a zero day? According to the Oxford dictionary, zero day is "deriving from or relating to a previously unknown vulnerability" used to attack some piece of software. In simple terms, again, this is a new vulnerability. There's no patches out for it, there's no mitigation techniques, it's brand new, and we as the security industry need to figure out what we're going to do, how we're going to stop this attack from propagating out over the internet. So I would bargain many of you already know what a zero day is, but if you've never used that term before, to make that connection it's easier to look at a couple of examples of zero days. The first one is security researchers discover a bug in a Java logging library which is abused to gain remote code execution. Obviously this was the infamous Log4Shell attack and it's a very prominent zero day. Another one, where a zero day was being used, is when United States and Israeli cyber groups utilized approximately seven zero days impacting programmable logic controller software, which created a deadly cyber weapon dubbed Stuxnet. So hopefully those two show you the implication: these zero days are very important for the security community to get under control, and the first step in that is reverse engineering. So that's kind of the front lines of this section of cyber.

CVEs, the last piece of background information: a CVE is Common Vulnerabilities and Exposures, and basically this is just a reference model that creates common nomenclature so we all know what vulnerability, what zero day, we're talking about. There are many different vulnerabilities out there that get named something different by nearly every security vendor, and the CVE number is just to identify it, so we all know we're talking about the same vulnerability.

So yeah, let's get on to the technical details. This vulnerability is going to be interchangeably called Follina and CVE-2022-30190, but Follina is a little bit less economical, so we'll probably use that from now on. So let me first set the scene. In May of this year, a security research team named nao_sec posted a Twitter post that mentioned an interesting maldoc submitted from Belarus to VirusTotal, and there's a screenshot that looks interesting. Again, it mentioned it's a maldoc, which is a malicious document, in this case a malicious Word document, but that doesn't look like a Word doc in the screenshot; that looks a lot closer to some JavaScript potentially, or something of that nature. So that's something we'll have to see if we can get to

that point: starting at the Word doc and getting to the point where we see what will be the actual exploit. That's kind of our first step. So if you've never looked inside of, or looked at the details of, a Word doc before, it's one file under the .doc extension, right? But think of it kind of as a zip or an archive; it's multiple files compressed into one. And so much so that the unzip utility in Linux works with it: we can unzip the .doc file, extracting all the XML files within it, and with that there's a file called word/_rels/document.xml.rels, and this is a metadata file that contains outside references, which seem pretty interesting and could be the culprit of how this is being exploited. So I think that's a good place to start looking. Opening that file up within VS Code, we see there are many different references within this. There are a lot of links to schemas.openxmlformats.org, and then one that stands out, that's highlighted, is to xmlformats.com. This sounds kind of similar; it might blend in if you're just scrolling through a file, right? But it actually is untrusted and could contain something malicious. It's an HTML file, unlike the other ones, so that also catches my eye at the very beginning.

So that's where this investigation takes the next turn: we need to figure out what's in this HTML file, because this HTML file is being loaded in as an outside reference and being read when the Word doc is opened. So let's take a look inside this HTML file. Opening it up, you see a lot of comments. That's interesting: JavaScript comments, because this is within a script block, but it's still within an HTML file. So this is really interesting. Generally you compress a payload or make it a lot smaller, so why are there a lot of comments? That's interesting; we'll come back to that for sure. But scrolling all the way down, we can see that after nearly 60 lines there is a payload that is what we saw on the Twitter post. So we've gotten to the point that the security research team posted about. We know how this code is getting onto your box: it's coming through the Word document. But now I need to know what it actually does.

Before we get into that, if you're playing along at home the next time one of these zero days hits the scene and you want to go for yourself, there are three websites I'd highly recommend that you can start reversing from. First is VirusTotal. I know many of you probably use that or have heard of it before, but if you haven't, it allows anyone on the internet to submit files that are suspect and might be malicious to be run through various antivirus products, think of Microsoft Defender, maybe Kaspersky or McAfee; there's nearly 100 antivirus products. But from the security research side, security researchers are able to download files that have been uploaded to analyze them further, which is how this zero day was first detected. The second one is any.run, which is a cloud platform in which you run, again, suspect files, and it's a platform for the whole security community to see what happens when this file runs: what processes get spawned, are there network requests that happen, do system files get modified. And that's where I started with this: I found an any.run instance for this specific zero day and was able to go from there and start reverse engineering locally. The third one, MalwareBazaar by abuse.ch, is a little bit lesser known but I still highly recommend it. It's basically a collection of a lot of malware, so, you know, as long as we're doing this in a safe environment and you kind of know what's going on, you can use this website to get

samples from a trusted source. You know they're malicious, but at least you know what you're downloading. So let's get on to actually reversing what's going on. We see the payload, but what does the payload actually do? The first thing that catches my eye when I look at this large payload is I see a base64 string. b64 is a long string of alphanumeric characters, a lot of times padded with one or two equal signs at the end. If you haven't used it before, it's basically an encoding scheme which takes plain text and turns it into a string that's easy to transmit and is safe in PowerShell or any other language. So for example, if you have special characters within the plain text, base64 could normalize that and make it so it's able to execute, basically. So that's interesting. We see almost like a directory traversal at the very bottom, where there's that continuous string of ../../.., which is almost like a web vulnerability typically, but this is obviously not, I mean it uses JavaScript, but it doesn't seem like this is a web exploit. So that's something interesting we'll want to take a look at also. And then the last thing is this is all within a window.location.href, which is a link in JavaScript, right? This is not, you know, some PowerShell or something; this is a JavaScript link, and you expect links to start off with http:/ but this uses ms-msdt:/. So that could give us another hint of what's actually going on here, which we'll need to research a little bit further.

But I like to first split up the payload: add some enters, add some tabs. Obviously this will not run when it has all these extra spaces and padding within it, but it makes it easier to read. At this point my goal is I want to be able to read through the payload and see what's going on. So if it's one long string that's like 17 lines long, that's not very easy for me to read, right? I'm going to break it up, make it a little bit simpler, and then also resolve encoding. Obviously these are either for obfuscation purposes or, again, to make characters not error out, to make characters safe by encoding them. For example, in PowerShell we're using [char] in the code, and me personally, I don't know what [char]58 is, so I like to go through, look those up, and then transfer in the specific character it represents, to again make it more human readable to us in our reversing process. The next thing: again, base64 is a two-way function. It doesn't just go from plain text to a seemingly random string; it goes back to the plain text. And now this is getting closer: that looks a lot like PowerShell. We can see this PowerShell doing things and executing code, and that's the end goal of a lot of these zero days, to give remote code execution, which we can see at this point the exploit, however it works, is getting to remote code execution, which is important to take note of.

So let's review real quick how we got to this point. The victim first downloads the malicious Word file, which contains an outside reference to an untrusted URL hosting an HTML file. This HTML file contains a large block of comments; further down there's some JavaScript which sets the window.location, which is generally where you put a link, to some ms-msdt schema URL, again leading to remote code execution. I think the easiest thing at this point is let's start working out some of these pieces that we still don't understand. The first thing is the massive comment block: why is that there? And this is where there's so much great information and collaboration in the infosec community already. There's a great researcher, Bill Demirkapi, I believe is how you pronounce his last name, but he's actually a fantastic Microsoft system internals expert and

has some great resources with him actually decompiling parts of Windows and Word, and a lot of really interesting things. And he found in a previous reversing project that there's actually a hard-coded value within Word: if the HTML file is not 4096 bytes, it won't even get read, it just gets thrown out. So if those comments aren't there, that seemingly unused comment block, the exploit actually breaks immediately. So it's really interesting; it could be used maybe in detection in the future, or it could help us when reversing a zero day when a zero day pops up again. So that's the one for the comment block. It was just kind of funny, because generally you don't have hard-coded byte limits, but apparently we do here, and it's just kind of an Easter egg hidden within this.

The next thing is, I think the secrets behind this actually lie in what this schema URL is, what this ms-msdt is. And a quick Google search leading you to Microsoft docs shows you that these are Microsoft URI schemes, which allow you to open apps by clicking on hyperlinks. That's exactly what we're seeing here: it's not hyperlinking to a different website, but rather hyperlinking to open up an app. That definitely seems like what this could be using. Some examples that you might be more familiar with are like mailto: or ms-call: or ms-chat:; you might know those. ms-msdt: is opening up whatever msdt is, which would logically lead us to our next Google search, which leads us to the Microsoft Support Diagnostic Tool, where this presentation gets its name from: the troubleshooter. This is the function whenever you, you know, I'm having issues with my Windows PC, you click troubleshoot, it goes through a slider bar and returns nothing almost 99% of the time. But there are more things going on under the hood than you might think, and we see the syntax from the Microsoft docs with this command, and that looks exactly like our payload. So this URL is able to pass parameters such as /id and /param to open up the msdt executable and begin executing code, because the zero day is actually in the Microsoft Support Diagnostic Tool, because we're able to abuse the parameter function and run our arbitrary PowerShell. So you can see that here again: there's msdt.exe being launched, with /id, /skip, and then the parameter, which contains a specific kind of sub-parameter which then contains our PowerShell. And obviously this should not be able to be launched from within the Word doc and then lead to Invoke-Expression and our PowerShell.

So we can't just stop there; we definitely should see this in action. Full transparency, this is not my video; this is sourced from John Hammond's YouTube, or Twitter channel rather. But there's a payload, this payload that is base64 encoded, which just opens up a dialog box to kind of prove that our code is being executed. The base64 is added to the payload that we've been looking at this full presentation, served up via Docker, and then when the Word doc is opened, lo and behold, we'll see the troubleshooter pop up, and now our code has been executed. There is that payload that we specified.

So in conclusion, back to the goals from today: getting a background on zero days and CVEs. Hopefully by now everyone knows why CVEs are really important and why zero days are important, and, you know, next time one comes up we'll take a look at it. Second, getting the background on the technical details. There's a lot of interesting nuggets in this exploit, in my opinion. It's also not super complicated; hopefully most of us were able to follow along and see how it worked. And again, it wasn't like some crazy digging into assembly code, looking for buffer overflows; it's just exploiting a feature within Windows that was unknown, and I think that's really interesting. And then the third is to uncover these for yourself. Hopefully after this presentation, the next time you see a zero day up on Twitter, you want to just go download it from VirusTotal and start poking at it yourself and trying to see where you can get. Additional resources, if you want to look further into this specific zero day: these are some great resources, and I also used many of these for the presentation. We can leave that up if you need to. But yeah, I think at this point I'm available for questions if there's time, or I can stick around afterwards and get everything answered. So thank you.
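The first analysis step the talk describes (unzip the Word file, open word/_rels/document.xml.rels, look for outside references that do not belong to the schemas.openxmlformats.org namespace) can be turned into a defensive triage check. The Python scanner below is an added example, not code from the talk, from Huntress, or from any of the tools it mentions. It constructs a minimal .docx-style zip in memory with hypothetical targets (example.com, remote-host.invalid, and a placeholder ms-msdt: link), lists every relationship marked TargetMode="External", and flags those whose URI scheme is not http/https/mailto or whose relationship type (oleObject, attachedTemplate) causes Word to fetch the remote resource when the document is opened rather than only when a link is clicked.

```python
"""Triage a .docx for external relationships that pull in remote content.

A .docx is a zip archive. The file word/_rels/document.xml.rels maps relationship
IDs to targets; entries with TargetMode="External" point outside the archive.
Ordinary hyperlinks are followed only on click, but some relationship types
(embedded OLE objects, attached templates) are resolved when the document opens.
The sample archive built here is constructed for this example; the hosts and the
ms-msdt: target are placeholders, not real indicators.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_PATH = "word/_rels/document.xml.rels"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

HYPERLINK_TYPE = OFFICE_REL + "hyperlink"
# Relationship types whose external Target the application fetches on open.
FETCHED_TYPES = {OFFICE_REL + "oleObject", OFFICE_REL + "attachedTemplate"}
# Schemes a normal document hyperlink is expected to use.
WEB_SCHEMES = ("http", "https", "mailto")


def external_relationships(docx_bytes):
    """Return (Id, Type, Target) for each relationship marked TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PATH))
    found = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("TargetMode", "Internal") == "External":
            found.append((rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return found


def classify(rel):
    """Return a reason string if the external relationship deserves attention, else None."""
    rel_id, rel_type, target = rel
    scheme = urlparse(target).scheme.lower()
    if scheme not in WEB_SCHEMES:
        # A document link that launches a URI handler (e.g. ms-msdt:) instead of a web page.
        return f"{rel_id}: external Target uses URI scheme '{scheme}:' ({target})"
    if rel_type in FETCHED_TYPES:
        # Remote content loaded automatically at open time, not on click.
        short = rel_type.rsplit("/", 1)[-1]
        return f"{rel_id}: {short} relationship fetches remote content on open ({target})"
    return None


def scan_docx(docx_bytes):
    """Run classify() over every external relationship and return the findings."""
    return [r for r in map(classify, external_relationships(docx_bytes)) if r]


def build_sample_docx():
    """Build a minimal constructed archive with one benign and two suspicious externals."""
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{HYPERLINK_TYPE}" Target="https://example.com/docs" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OFFICE_REL}oleObject" Target="http://remote-host.invalid/page.html!" TargetMode="External"/>
  <Relationship Id="rId4" Type="{HYPERLINK_TYPE}" Target="ms-msdt:/placeholder" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx()):
        print(finding)
```

To run it against a real file, pass `open(path, "rb").read()` to `scan_docx`; the benign hyperlink (rId2) is listed by `external_relationships` but produces no finding, while the open-time fetch (rId3) and the non-web scheme (rId4) each produce one.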