Microsoft MSDT Zero-Day (Follina/CVE-2022-30190)

logo made by Kevin Beaumont

Introduction

So it all started on 27/5/2022 when a cyber security researcher known as @nao_sec found a malicious Microsoft word file that runs arbitrary PowerShell code

The official tweet👇

It was called Follina by Kevin Beaumont because the spotted sample on the file references 0438, which is the area code of Follina in Italy, later Microsoft assigned CVE-2022-30190 to it

It turns out that Microsoft knew about this vulnerability since April when @CrazymanArmy the leader of the Shadow Chaser Group reported it to Microsoft and this was how Microsoft replied 👇

(Shadow Chaser Group is a sub-group of the GcowSec team which consists of college students who are focused on APT hunt and analysis)

Non-Technical Explanation

It’s a zero-day remote code execution or an RCE vulnerability in Microsoft Word, you get hacked the moment you view the file.
As of the time of writing this blog, there is no official mitigation

Technical Explanation

The vulnerability is exploited by using the MSProtocol URI system to load a specific code. Attackers can embed malicious links into Microsoft Office documents, templates or emails starting with ms-msdt: they will be uploaded and executed afterward without any user interaction.

Unless the protected view mode is on. However, converting the document to RTF format may also bypass the Protected View feature.

For an in detail analysis i really recommend this blog by John Hammond

PoC (For Educational Purposes)

https://github.com/JohnHammond/msdt-follina

Mitigation (Non-Official)

As of the time of writing this blog, there is no official mitigation

But there are a few temporary things you can do till Microsoft publishes an official patch

References

Extra Resources

by Caleb McMurtrey

Leave a Comment