Follina – ZeroDay hole in MS Office


Microsoft has confirmed a Remote Code Execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT) which is believed to have been exploited since at least April. On May 27th, 2022, reports emerged of malicious Word documents that leverage remote templates in order to execute PowerShell via the ms-msdt Office URL scheme. This vulnerability has been assigned CVE-2022-30190.

An attacker who successfully exploits this flaw can execute arbitrary code with the privileges of the calling application. Within the context allowed by the user’s permissions, the attacker can then install applications; read, alter, or remove data; and create new accounts.

It all started with a security researcher finding a document on VirusTotal that was being used to execute PowerShell code. Security researchers analysed the malicious file and discovered that it was actually exploiting a zero-day vulnerability in MSDT. They also found that merely opening the file is enough to trigger the exploit.

Analysis:

Follina is an RCE vulnerability in MSDT that impacts several versions of Microsoft Office, including patched versions of Office 2019 and 2021. Although an attacker leveraging the flaw is likely to be remote, Microsoft lists the attack vector as “local” because of the way it is exploited.

An attacker would create a malicious document, usually in Microsoft Word, and email it to the victim. By leveraging this vulnerability, the attacker can run commands with the permissions of the application that opened the infected document. Microsoft says that the attacker will be able to “install programs, view, change, or delete data, or create new accounts.” PowerShell was found to be used in the attacks observed in April. A broad range of attacks leveraging this vulnerability are expected in the near future.
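The delivery chain described above (a Word document that pulls a remote template, which in turn invokes the ms-msdt scheme) leaves two artefacts a defender can check for during triage: an attachedTemplate relationship in the document’s settings.xml.rels with an external target, and a reference to the ms-msdt: scheme in whatever content that template URL serves. The following is an added example, not code from the original post; it builds a constructed sample .docx in memory (the template URL and the HTML snippet are placeholders, not real indicators) and scans it with the standard library only.

```python
"""Triage a .docx for the Follina delivery pattern (added example):
  1. an attachedTemplate relationship whose TargetMode is "External",
  2. a reference to the ms-msdt: URL scheme in fetched template content.
The sample document below is constructed in memory; it is not a real file."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "attachedTemplate"  # relationship Type suffix for a linked template
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_templates(docx_bytes):
    """Return the Target of every externally hosted attachedTemplate relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Relationship parts live under */_rels/*.rels inside the OOXML package
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                if rtype.endswith("/" + ATTACHED_TEMPLATE) and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target"))
    return hits


def references_msdt(content):
    """True if template content (e.g. the HTML served at the remote URL) refers to ms-msdt:."""
    return bool(MSDT_SCHEME.search(content))


def build_sample_docx(template_url=None):
    """Construct a minimal .docx; template_url=None yields a benign document."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>', f'<Relationships xmlns="{REL_NS}">']
    if template_url:
        rels.append(
            '<Relationship Id="rId1" '
            f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL and HTML; neither is a real indicator.
    suspicious = build_sample_docx("http://example.invalid/template.html")
    print("external templates:", external_templates(suspicious))
    print("ms-msdt referenced:", references_msdt('<script>location.href="ms-msdt:placeholder"</script>'))
```

A legitimate corporate template server also produces an external attachedTemplate relationship, so treat `external_templates()` as a triage signal to inspect the target, not as a verdict; the ms-msdt: check on the fetched content is the stronger indicator.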

Proof of Concept:

A detailed technical breakdown of this vulnerability has been provided by Huntress Labs, and other PoCs can be found on GitHub.

Remediations:

At the time of writing, an effective patch has not yet been released, but mitigation steps are available to limit the attack surface. Microsoft has released mitigation guidance for this vulnerability, which, according to Microsoft’s alert, was revealed by a member of the Shadow Chaser Group.

The mitigation guidance says to enable the Microsoft Defender Attack Surface Reduction rule “Block all Office apps from creating child processes” in Block Mode in order to prevent this vulnerability from being exploited. It is still unclear what the impact of this mitigation would be.