Follina - A New Microsoft Office 0-day RCE

May 31, 2022 by Bryson Medlock

Yesterday, May 30, 2022, Microsoft released an advisory regarding a new vulnerability affecting Microsoft Office products. The vulnerability has been assigned CVE-2022-30190, and the security community has been referring to it as ‘Follina’. Follina uses the Microsoft Support Diagnostic Tool (MSDT) to download and run malicious code. MSDT is a tool built into Windows that collects information to send to Microsoft Support to be analyzed and used to resolve support issues.

This vulnerability can be exploited using the Office remote template feature rather than macros, which most Office exploits rely on. A remote HTML file is downloaded from the template, which in turn uses the MSDT MSProtocol URI scheme (ms-msdt) to load and execute malicious PowerShell. The malicious code is executed with the same level of privileges as the user who opens the document. This new method of executing malicious code was initially missed by Defender for Endpoint, as pointed out by researcher Kevin Beaumont. MSDT is supported by all Microsoft products, so it is possible to use this exploit in other ways, such as directly from Outlook in a malformed email.

[Image: k_beaumont_tweet.png]

Follina first came to light publicly last Friday, May 27, when security researcher nao_sec tweeted that they had found a malicious Word document submitted to VirusTotal from an IP address in Belarus:

[Image: nao_sec_tweet.png]

Microsoft later acknowledged that the vulnerability was originally reported by crazyman of the Shadow Chaser Group in April of this year, but at the time it was dismissed as “not a security issue” because MSDT requires a passkey for execution. However, it has since been revealed that a payload over 4096 bytes bypasses the need for a passkey, and the payloads observed in VirusTotal are padded to meet that requirement.

Though samples of documents exploiting Follina have been discovered in VirusTotal, so far no one has reported any active exploitation. However, several proof-of-concept tools were released over the weekend, making it trivial to reproduce this vulnerability, and we will likely see several threat actors add this new trick to their arsenal.

Though no patch is yet available, Microsoft did release mitigation guidance in its advisory, which is simply to disable MSDT. According to Microsoft, to disable MSDT:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

This can be undone with the following:

  1. Run Command Prompt as Administrator.
  2. To restore the registry key, execute the command “reg import filename”.

The CRU has developed detection signatures based on samples we have collected that were published on May 13. For IDS users, we added the following Suricata signature:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Suspicious MSDT (Microsoft Diagnostics Tool) Schema in HTTP Response"; flow:established, to_client; http.response_body; content:"ms-msdt|3a|"; content:"IT_BrowseForFile|3d|"; distance:0; content:"|24 28|"; distance:0; tag:session,5,packets; reference:url, www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug; classtype:trojan-activity; sid:900635; rev:1; metadata: created_at 2022_05_31, updated_at 2022_05_31;)
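The signature's three content matches can also be checked offline against saved HTTP response bodies. The following is an added example, not CRU code: it reproduces the ordered matching and flags bodies over the 4096-byte size mentioned earlier, assuming the response body is the payload that observation applies to. The sample bodies are constructed placeholders, not captured traffic.

```python
# Content matches from the signature above, in rule order. The Suricata hex
# escapes |3a|, |3d| and |24 28| decode to ":", "=" and "$(".
RULE_CONTENTS = [b"ms-msdt:", b"IT_BrowseForFile=", b"$("]
PAD_THRESHOLD = 4096  # size the post says bypasses the passkey requirement


def content_offsets(body: bytes):
    """Return the offset of each content match, or None if the rule would not fire.

    distance:0 means each match must start at or after the end of the
    previous one. The rule has no 'nocase', so matching is case-sensitive.
    """
    offsets, pos = [], 0
    for needle in RULE_CONTENTS:
        idx = body.find(needle, pos)
        if idx < 0:
            return None
        offsets.append(idx)
        pos = idx + len(needle)
    return offsets


def triage(body: bytes) -> dict:
    """Summarise one response body for an analyst reviewing saved traffic."""
    offsets = content_offsets(body)
    alert = offsets is not None
    return {
        "alert": alert,
        "offsets": offsets,
        # Assumption: the whole response body is the padded payload.
        "padded": alert and len(body) > PAD_THRESHOLD,
    }


# Constructed sample bodies; every value is a placeholder.
SHORT = b"<html>ms-msdt:PLACEHOLDER IT_BrowseForFile=PLACEHOLDER$(PLACEHOLDER)</html>"
PADDED = SHORT + b"<!--" + b"A" * 4096 + b"-->"
WRONG_ORDER = b"<html>$(x) IT_BrowseForFile=x ms-msdt:x</html>"
BENIGN = b"<html>Support article about the ms-msdt troubleshooter</html>"

if __name__ == "__main__":
    for name, body in [("short", SHORT), ("padded", PADDED),
                       ("wrong_order", WRONG_ORDER), ("benign", BENIGN)]:
        print(name, len(body), triage(body))
```

A hit with "padded" set is consistent with the samples described above; a hit without it still matches the signature and deserves review.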

The event notification, [CRU][Windows] MS Diagnostic Tool Launched from Microsoft Office Application - Potential RCE, was added to the ConnectWise CRU collection in the Perch marketplace.

---Update June 1, 2022---

There is evidence that the Chinese state-sponsored APT TA413 has begun actively using this vulnerability as of May 30, 2022. 

[Image: TA413_Tweet.png]

The CRU has been actively hunting for this exploit. So far, the only activity we have observed is our partners testing their systems for this exploit.