Microsoft MSDT Zero-Day (Follina/CVE-2022-30190)

Contents

Introduction Non-Technical Explanation Technical Explanation PoC (For Educational Purposes)Mitigation (Non-Official)References Extra Resources

Introduction

So it all started on 27/5/2022 when a cyber security researcher known as @nao_sec found a malicious Microsoft word file that runs arbitrary PowerShell code

The official tweet👇

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022

It was called Follina by Kevin Beaumont because the spotted sample on the file references 0438, which is the area code of Follina in Italy, later Microsoft assigned CVE-2022-30190 to it

It turns out that Microsoft knew about this vulnerability since April when @CrazymanArmy the leader of the Shadow Chaser Group reported it to Microsoft and this was how Microsoft replied 👇

(Shadow Chaser Group is a sub-group of the GcowSec team which consists of college students who are focused on APT hunt and analysis)

It says pic.twitter.com/Z2AN7nq6hr
— crazyman_army (@CrazymanArmy) May 30, 2022

Non-Technical Explanation

It’s a zero-day remote code execution or an RCE vulnerability in Microsoft Word, you get hacked the moment you view the file.
As of the time of writing this blog, there is no official mitigation

Technical Explanation

The vulnerability is exploited by using the MSProtocol URI system to load a specific code. Attackers can embed malicious links into Microsoft Office documents, templates or emails starting with ms-msdt: they will be uploaded and executed afterward without any user interaction.

Unless the protected view mode is on. However, converting the document to RTF format may also bypass the Protected View feature.

For an in detail analysis i really recommend this blog by John Hammond

PoC (For Educational Purposes)

https://github.com/JohnHammond/msdt-follina

Mitigation (Non-Official)

As of the time of writing this blog, there is no official mitigation

But there are a few temporary things you can do till Microsoft publishes an official patch

Unregister ms-msdt
Disable preview in Windows Explorer
Use Microsoft Defender’s Attack Surface Reduction (ASR) rules
Utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules (According to huntress)

References

“Follina — a Microsoft Office code execution vulnerability” written by Kevin Beaumont
“Mysterious “Follina” zero-day hole in Office – here’s what to do!” written by Sophos
“Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug)” by Malwarebytes

Extra Resources

by Caleb McMurtrey

Microsoft MSDT Zero-Day (Follina/CVE-2022-30190)

Introduction

Non-Technical Explanation

Technical Explanation

PoC (For Educational Purposes)

Mitigation (Non-Official)

References

Extra Resources

Leave a Reply Cancel reply

About Us

Capture the Flag

Articles & Videos

Introduction

Non-Technical Explanation

Technical Explanation

PoC (For Educational Purposes)

Mitigation (Non-Official)

References

Extra Resources

Sign Up For our Weekly Digest

Receive a weekly digest of everything new on Hacktoria

Leave a Reply Cancel reply