Exploring The Follina Zero-Day Vulnerability
A bug in the Microsoft Support Diagnostic Tool (MSDT) gave birth to a very severe vulnerability known as Follina (CVE-2022–30190), which is a remote code execution (RCE) vulnerability that was first extensively reported on May 27, 2022, by a security research team by the name of Nao Sec.
Through the use of a malicious Microsoft Office document template, an attacker is able to execute code remotely and gain access to a victim’s system. The vulnerability can be exploited by using Microsoft Office’s template download feature to download extra content from a remote server. If the downloaded file is large enough, it can result in a buffer overflow, which will allow PowerShell code to be executed without the user’s knowledge.
What makes Follina so dangerous?
According to Microsoft, “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Follina is given a CVSS score of 7.8 and is labeled as a “High” severity vulnerability. Attackers can include hyperlinks in emails such as ms-excel:ofv|u|https://blah.com/poc.xls
which would silently trigger the vulnerability without any notice.
Microsoft Office opens all files from a potentially unsafe location as a read-only file, which will prevent the vulnerability from being exploited, but this can be easily bypassed by changing the file type to a Rich-Text File (RTF).
A Rich-Text file can be loaded using the preview tab in Windows Explorer, which results in the exploit being run just by previewing the file.
Since Follina is a zero-day vulnerability, threat-agents such as state-sponsored attackers are abusing this vulnerability for their personal gain.
Researchers at Proofpoint discovered the attacks and think the attackers are connected to a government, which it did not name. Attacks take the form of campaigns that target victims who work for the US and EU governments. Malicious emails tempt readers to download an attachment by including fake recruitment offers that promise a salary increase of 20%.
The text says “You’ll be earning a 20 percent raise in your income,”. In order to understand more, the message instructs recipients to open an attached document “before this weekend.”
Follina and the Microsoft Diagnostic Tool
We first need to understand MSDT before we can understand this attack. Typically, MSDT requests a passkey from a support specialist before moving on to the troubleshooting phase when it is called.
This should offer some protection and restrict usage of the features of the troubleshooting utility. However, it is possible to run PowerShell tasks over MSDT without giving a passkey if certain requirements are met and a certain syntax is used.
The Follina Exploit
An attacker can take advantage of this vulnerability by creating an HTML file that uses “ms-msdt” to invoke the troubleshooting wizard and compels it to run PowerShell code by including particular arguments in its command, as seen in the example below:
location.href = “ms-msdt:/id PCWDiagnostic /skip force /param \”IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$( path_to_payload/.exe\””;
Using this technique, an attacker can carry out anything from running ransomware to launching a reverse shell from which they can issue an infinite number of commands to the victim’s computer. There are essentially endless options in this situation.
However, in order for this to work, the HTML page must be at least 4096 bytes in size, which may be simply accomplished by including large comments.
There are a few methods used to disable the features that contribute to this vulnerability
1. Unregister the ms-msdt protocol
The ms-msdt protocol is responsible for executing the payload provided by a threat agent. Disabling this protocol will prevent any malicious payloads from being executed.
A vulnerability analyst at the CERT/CC has published a registry fix that will unregister the ms-msdt protocol.
1. Copy and paste the text into a notepad document:
2. Click on File, then Save As…
Save it to your Desktop, then name the file disable_ms-msdt.reg in the file name box.
Click Save, and close the notepad document.
3. Double-click the file disable_ms-msdt.reg on your desktop.
Note, if you are prompted by User Account Control, select Yes or Allow so the fix can continue.
4. A message will appear about adding information into the registry, click Yes when prompted
A prompt should appear that the information was added successfully
2. Disable preview in Windows Explorer
If you have the preview pane enabled, you can:
· Open File Explorer.
· Click on View Tab.
· Click on Preview Pane to hide it.
Written by Muhammad Hassan — 2nd Year 2nd Semester — Cyber Security Student - SLIIT