Zero Day Exploit : CVE-2022-30190 Infrastructure Analysis

At the time of writing there is a new zero day, with guidance published by the MSRC on this page:

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center

I would also like to credit all the people who have made the deep dives possible, like John Hammond, whose very detailed overview is here: https://youtu.be/dGCOhORNKRk

They say:
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

They advise:
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system

Workaround Steps:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

That is all good, but what they do not say is which platforms are vulnerable and which are not; it is just in the category “Windows”, so this required an infrastructure assessment.

If you are running the Windows Server platform then, as you can see from Server 2016, the key that causes the issue is not there.

However, once you venture into Server 2019 territory you have a problem; this is the key that causes the issue:

That command key then executes this: "%SystemRoot%\system32\msdt.exe" %1

This means the following OS platforms appear to be affected, as MSDT is more baked into the operating system than it was in previous versions:

Windows Server 2019
Windows Server 2022
Windows 8
Windows 10
Windows 11
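To turn that assessment into something repeatable, here is an added example (my own, not from the MSRC guidance) that checks a host for the ms-msdt handler, compares its command against the msdt.exe command line shown above, and takes the same reg export backup MSRC recommends before the key is deleted. It assumes an elevated PowerShell session and built-in cmdlets only.

```powershell
# Added example: audit this host for the ms-msdt URL protocol handler.
# Assumes an elevated PowerShell session; nothing here deletes the key.

function Get-MsdtProtocolStatus {
    [CmdletBinding()]
    param()

    $keyPath  = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    $cmdPath  = "$keyPath\shell\open\command"
    # Stock handler command line as quoted in the post above
    $expected = '"%SystemRoot%\system32\msdt.exe" %1'

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    $result = [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $os.Caption
        OSBuild      = $os.BuildNumber
        KeyPresent   = Test-Path -Path $keyPath
        Command      = $null
        Assessment   = 'Handler absent: workaround already applied or never shipped'
    }

    if ($result.KeyPresent) {
        # The (default) value of the command subkey holds the handler command line
        $cmd = (Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue).'(default)'
        $result.Command = $cmd
        if ($cmd -eq $expected) {
            $result.Assessment = 'Handler present with stock msdt.exe command: apply MSRC workaround'
        } elseif ($cmd) {
            $result.Assessment = 'Handler present with non-standard command: review before acting'
        } else {
            $result.Assessment = 'Key present but no command value: review'
        }
    }
    return $result
}

function Backup-MsdtProtocolKey {
    param([string]$Path = "$env:TEMP\ms-msdt-backup-$env:COMPUTERNAME.reg")
    # Same backup MSRC advises before deletion; the .reg file can be restored
    # later with 'reg import' if the troubleshooter links are needed again.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Path /y | Out-Null
    return $Path
}

Get-MsdtProtocolStatus | Format-List
```

Run it per host (or wrap it in Invoke-Command for a fleet) and collect the Assessment field to see which builds actually carry the handler instead of trusting the "Windows" category.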

I know for a fact that prior to Server 2019 MSDT was built into the OS, as you can see here; it was just a more basic version of the tool.