CVE-2022-30190 PoC — Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

Source
Associated Vulnerability
Title: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190)
Description: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
Description
Repository containing the compromised certificate seen in recent CVE-2022-30190 (Follina) attacks.
Readme
# Compromised clickstudio certificate

__Extracted from__: f3ccf22db2c1060251096fe99464002318baccf598b626f8dbdd5e7fd71fd23f  
__Serial__: 0394517DACDC71187A40001B5CC32DE5  
__Signer Hash__: 79bae9ba9b80cd349ebe9a4165224e816f3b597c


## Certificate information

```
Current PE checksum   : 00014A49
Calculated PE checksum: 00014A49

Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA1
Current message digest    : 893A44297C46442A76C85D32D3107DAF2F28C096
Calculated message digest : 893A44297C46442A76C85D32D3107DAF2F28C096

Signer's certificate:
	Signer #0:
		Subject: /C=AU/ST=South Australia/L=Adelaide/O=Click Studios (SA) Pty Ltd/CN=Click Studios (SA) Pty Ltd
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Serial : 0394517DACDC71187A40001B5CC32DE5
		Certificate expiration date:
			notBefore : Oct 26 00:00:00 2020 GMT
			notAfter : Dec 12 23:59:59 2023 GMT
...
```

## Advanced Hunting query

```
DeviceFileCertificateInfo
| where CertificateSerialNumber == "0394517dacdc71187a40001b5cc32de5"
| join DeviceFileEvents on SHA1
| sort by Timestamp
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName
```
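
For samples triaged offline instead of through Advanced Hunting, the check below parses a verification listing in the format shown under "Certificate information" and flags the compromised serial. It is an added example, not part of the repository; `triage`, `normalize_serial` and `COMPROMISED_SERIALS` are hypothetical names, and the sample input is a trimmed copy of the listing above.

```python
import re

# Serial of the compromised certificate, as given on this page.
COMPROMISED_SERIALS = {"0394517DACDC71187A40001B5CC32DE5"}

# Sample input: trimmed copy of the listing under "Certificate information".
SAMPLE = """\
Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA1
Current message digest    : 893A44297C46442A76C85D32D3107DAF2F28C096
Calculated message digest : 893A44297C46442A76C85D32D3107DAF2F28C096

Signer's certificate:
\tSigner #0:
\t\tSubject: /C=AU/ST=South Australia/L=Adelaide/O=Click Studios (SA) Pty Ltd/CN=Click Studios (SA) Pty Ltd
\t\tSerial : 0394517DACDC71187A40001B5CC32DE5
"""


def normalize_serial(text):
    """Upper-case the hex and drop a 0x prefix, colons and spaces, so the
    tool output and the lower-case form in the hunting query compare equal."""
    return re.sub(r"^0x|[\s:]", "", text.strip(), flags=re.I).upper()


def triage(report):
    """Return digest status and any signer serials found on the blocklist."""
    fields, serials = {}, []
    for line in report.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:      # section headers such as "Signer #0:"
            continue
        if key == "Serial":
            serials.append(normalize_serial(value))
        else:
            fields.setdefault(key, value)   # first (primary) signature wins
    current = fields.get("Current message digest")
    return {
        # True only when both digests are present and equal.
        "digest_intact": current is not None
        and current == fields.get("Calculated message digest"),
        "serials": serials,
        "flagged": [s for s in serials if s in COMPROMISED_SERIALS],
    }


if __name__ == "__main__":
    # An intact digest with a flagged serial is still a detection.
    print(triage(SAMPLE))
```

A matching digest only shows the file was not altered after signing; with a compromised signing certificate, the `flagged` list is the result to act on.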
File Snapshot

```
[4.0K] /data/pocs/c7d1687232e34def9ff36e82870339039dd21c02
├── [1.8K] compromised_clickstudio.pem
└── [1.2K] README.md

0 directories, 2 files
```