© 2022 HACKTORIA
Microsoft MSDT Zero-Day (Follina/CVE-2022-30190)

Noureldin Ehab, May 31, 2022
Updated 2022/06/14 at 5:15 PM
logo made by Kevin Beaumont

Introduction

So it all started on 27/5/2022, when a cyber security researcher known as @nao_sec found a malicious Microsoft Word file that runs arbitrary PowerShell code.

The original tweet 👇

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt

— nao_sec (@nao_sec) May 27, 2022

Kevin Beaumont named it Follina because the spotted sample references 0438, which is the area code of Follina in Italy. Microsoft later assigned CVE-2022-30190 to it.

It turns out that Microsoft had known about this vulnerability since April, when @CrazymanArmy, the leader of the Shadow Chaser Group, reported it to Microsoft. This is how Microsoft replied 👇

(Shadow Chaser Group is a sub-group of the GcowSec team; it consists of college students who focus on APT hunting and analysis.)

It says pic.twitter.com/Z2AN7nq6hr

— crazyman_army (@CrazymanArmy) May 30, 2022

Non-Technical Explanation

It’s a zero-day remote code execution (RCE) vulnerability in Microsoft Word: you get hacked the moment you view the file.
As of the time of writing this blog, there is no official mitigation.

Technical Explanation

The vulnerability is exploited through the ms-msdt: URI protocol handler (MSDT, the Microsoft Support Diagnostic Tool), which is used to load and run attacker-chosen code. Attackers can embed malicious links starting with ms-msdt: into Microsoft Office documents, templates or emails; the linked content is fetched and executed afterwards without any user interaction, unless Protected View is on. However, converting the document to RTF format may also bypass Protected View.
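As an added example (not from the original post, and not John Hammond’s PoC), here is a defender-side Python triage check for the two pieces described above: it lists the external, non-hyperlink relationships inside a .docx package (the "external link" Word follows to fetch HTML) and flags any ms-msdt: reference in HTML that such a link would return. The sample document and HTML are constructed test data; the namespace and relationship-type URIs are the standard OOXML ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the relationship parts (word/_rels/*.rels) inside a .docx package
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# The scheme that the remotely loaded HTML hands to the MSDT protocol handler
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_targets(docx_bytes: bytes) -> list[str]:
    """Return the Target of every externally resolved, non-hyperlink relationship.
    A document pulling an OLE object or template from a URL is the delivery
    mechanism described above, so each such target deserves review."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                is_external = rel.get("TargetMode") == "External"
                is_hyperlink = rel.get("Type", "").endswith("/hyperlink")
                if is_external and not is_hyperlink:
                    found.append(rel.get("Target", ""))
    return found


def html_uses_msdt(html: str) -> bool:
    """True if the fetched HTML references the ms-msdt: URI scheme anywhere."""
    return MSDT_RE.search(html) is not None


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx with one external oleObject relationship (test data)."""
    rels = (
        f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
        f'Type="{OLE_REL_TYPE}" Target="{target}" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed stand-in for the remotely loaded HTML; the arguments are a placeholder.
SAMPLE_HTML = '<script>window.location.href = "ms-msdt:PLACEHOLDER_ARGS";</script>'
```

Run `external_targets()` over documents quarantined from mail, and `html_uses_msdt()` over whatever the listed targets serve, to separate documents that merely hyperlink out from ones that load remote content.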

For an in-depth analysis, I really recommend this blog post by John Hammond.

PoC (For Educational Purposes)

https://github.com/JohnHammond/msdt-follina

Mitigation (Non-Official)

As of the time of writing this blog, there is no official mitigation.

But there are a few temporary measures you can take until Microsoft publishes an official patch:

  • Unregister the ms-msdt protocol handler
  • Disable the preview pane in Windows Explorer
  • Use Microsoft Defender’s Attack Surface Reduction (ASR) rules (as recommended by Huntress)

References

  • “Follina — a Microsoft Office code execution vulnerability” by Kevin Beaumont
  • “Mysterious ‘Follina’ zero-day hole in Office – here’s what to do!” by Sophos
  • “Microsoft Office zero-day ‘Follina’ — it’s not a bug, it’s a feature! (It’s a bug)” by Malwarebytes

Extra Resources

by Caleb McMurtrey

Posted by Noureldin Ehab
I am Nour, a second-year software engineering student. I am an AWS Community Builder, IBMz, and Microsoft Student Ambassador; if you have any questions you can send me a message on LinkedIn :) https://www.linkedin.com/in/noureldin-ehab-a57940190/