On May 27th, 2022, Nao_sec discovered a strange Word document uploaded from a Belarusian IP address. Apparently, this was a zero-day vulnerability in Microsoft Office or Windows known as Follina.
A malicious Word document can exploit the Follina vulnerability and execute arbitrary code. A vulnerability exploits the built-in URL handlers in MS-Windows to invoke msdt.exe, which can be used to execute PowerShell commands.
Nao_sec discovered the vulnerability when it found an interesting Word document that appeared to run PowerShell using the ms-msdt scheme. Kevin Beaumont later confirmed that the vulnerability is a new Windows zero-day. A malicious file sample he examined that targeted the vulnerability references 0438, which is the area code for the Italian village of Follina. Therefore, the vulnerability is also called Follina.
Targeted phishing campaigns are actively exploiting the vulnerability, so organizations should prioritize mitigation strategies until a patch is available and can be successfully deployed.
Microsoft Support Diagnostic Tool (MSDT) is a diagnostic and troubleshooting tool that comes with Windows. According to Microsoft’s documentation, it “Invokes a troubleshooting pack at the command line or as part of an automated script, enabling additional options without user input.”
What are URL Handlers?
When an application is installed on Windows, it has the option to register a URL to launch its application with a custom link.
Many default URL handlers are built into Windows, including one for msdt.exe – ms-msdt:/.
How is CVE 2022-30190 being exploited?
Follina is primarily exploited via phishing emails that contain malicious Office documents. For example, an attacker can craft a Word document that links to an external server. This server hosts a file that contains the ms-msdt:/ URL.
The malicious payload launches msdt.exe with the parameters specified when an end user opens the Word document. Msdt.exe launches sdianhost.exe. Sdiagnhost.exe loads PowerShell dll’s to run PowerShell commands without directly launching powershell.exe.
An overview of how to exploit CVE-2022-30190 can be found here. An attacker creates a malicious OLE object link in an MS Office document (word/_rels/document.xml.rels), such as an HTML file on the Internet. The attributes of the link are placed in the tag.
The target link points to the above-mentioned HTML file, which contains a malicious script using a special URI scheme.
MSDT runs when the attacker-created document is opened. Through a set of parameters, an attacker can pass commands to this tool for execution on the victim’s system as the user who opened the document. Furthermore, the command can be passed even if the document is opened in Protected Mode and macros are disabled.
Which versions are affected?
According to Microsoft, Windows Server 2019 and Windows 10 version 1809 and later are affected, and all Office versions can be exploited. Disabling macro execution will not help. You can even trigger the attack using PowerShell wget, so you don’t have to rely on Office.
Various attack options
Here are the steps we observed:
Step 1: The attacker sends the targeted user an email containing a malicious Microsoft Office document (.docx, etc.).
Step 2: By executing this file, the attacker resolves and executes the attacker-controlled external resource from the document.xml.ref file.
Step 3: The user is now served code exploiting the Follina vulnerability.
Step 4: Further commands are then executed, such as downloading Remote Access Trojans, etc.
In this file, the relationships between the embedded objects are defined. It refers to an OLE object in this case. Microsoft’s proprietary Object Linking and Embedding technology allows external documents, such as Excel spreadsheets, to be embedded within a Word document.
To be able to execute code, “ms-msdt:/” is followed by arguments, which include Powershell commands, in the external HTML file. The payload for this PoC is base64 encoded. For this exploit to trigger, at least 4096 bytes of padding is required.
Just like IDOR,SSRF and XSS this vulnerability also leaves traces. Microsoft’s diagnostic logs definitely assist in determining whether a system has been compromised by exploiting the Follina vulnerability (CVE-2022-30190). According to the MSDT website, the following default locations for looking up diagnostic information post-execution are controlled by the “/dt” command line parameter:
%LOCALAPPDATA%\Diagnostics %LOCALAPPDATA%\ElevatedDiagnostics The diagnostic data was stored under: %LOCALAPPDATA%\Diagnostics\<9-digit-number>\<date YYYYMMDD.000>
Several files stored in these directories can assist Digital Forensics and Incident Response professionals in identifying fraud attempts.
Disabling the MSDT URL protocol can reduce exploit attempts for CVE-2022-30190. Threat actors use this protocol to launch troubleshooters and execute code on vulnerable systems. It is also recommended that you disable the Preview pane in Windows Explorer to prevent the exploit from executing when previewing malicious documents.
To disable the MSDT URL Protocol.
When MSDT URL protocol is disabled, troubleshooters may not be launched as links across the operating system. The Get Help application and in the system settings can still be used to access the troubleshooters. To disable them, do the following :
Run Command Prompt as Administrator
To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
Run Command Prompt as Administrator.
To restore the registry key, execute the command “reg import filename”
Follina vulnerability affects large user base and hence it’s severity is very high. To protect organizations and personal devices from this attack. Updating and upgrading with latest versions of softwares and keeping eye on newest patches can help to prevent this vulnerability. Combinational approach, disabling affected protocol can also reduce the severity of attack.