Zerosecurity
Microsoft Office Zero-day “Follina” Allows Attackers to Execute PowerShell Scripts

Kyle by Kyle
May 31, 2022 - Updated on June 2, 2022
in Exploits

Researchers have discovered a new Microsoft Office zero-day vulnerability that is being used to carry out attacks in the wild. The zero-day has been dubbed Follina.


The attacks execute PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT), triggered from an otherwise ordinary Word document.

The vulnerability has now been assigned a tracking number, CVE-2022-30190. Before that was issued, the infosec community was already calling it “Follina”, the name Beaumont gave it because the sample’s file name references 0438, the telephone area code of Follina, Italy.

The zero-day gives attackers a new attack vector through the Microsoft Office programs installed on the majority of Windows PCs. It runs with the privileges of the user who opens the document, so no admin rights are needed; it was not detected by Windows Defender at the time of discovery; and it does not rely on macros being enabled to execute a script or executable file.

Microsoft Word Zero-day Discovered

On May 27th, Nao_sec came across a peculiar Word document, uploaded to VirusTotal from an IP address located in Belarus.

The document uses Word’s remote template feature to retrieve an HTML file from a remote server. That HTML is where MSDT comes into play: it invokes the ms-msdt MSProtocol URI scheme, which hands a crafted command line to MSDT, and MSDT in turn runs the embedded PowerShell commands. Nao_sec tweeted the discovery along with a screenshot of the obfuscated code:

Obfuscated code in the Follina document, source: Nao_sec

Security researcher Kevin Beaumont deobfuscated the code and found a command-line string that Word hands to MSDT through the ms-msdt handler; it runs even when macros are disabled in Word.

Deobfuscated payload, source: Kevin Beaumont

The PowerShell above locates a RAR archive in the user’s temp directory, pulls a Base64-encoded file out of it, decodes it and executes the result. The archive is no longer available, so it is not clear what the purpose of this attack was.

Beaumont notes that this code runs regardless of Word’s macro setting. Protected View does kick in for a downloaded .docx, but if the document is saved as RTF it can trigger from the preview pane in Windows Explorer without the file ever being opened, which is the more concerning case.

Zero-day (or Zero-click) reproduced in Microsoft Office 2021

Multiple security researchers have analyzed the file and reproduced the exploit on several Office versions, including 2013, 2016, Office Pro Plus, 2019 and a fully patched Microsoft Office 2021.

CVE-2022-30190 reproduced in Microsoft Office 2019

Researcher Didier Stevens published a YouTube video reproducing the zero-day.

In a separate analysis, researchers at the security company Huntress examined the exploit and provided more technical detail on its inner workings.

They found that the remote HTML document fetched by the exploit was served from the domain “xmlformats[.]com,” which is no longer accessible.

The researchers also confirmed Beaumont’s finding that an RTF version of the document can deliver the payload without the user opening the file (selecting it in Explorer is enough). This is commonly called a zero-click exploit.

Follina Zero-Click Exploit executed with RTF document, source: Huntress

Depending on the payload it delivers, the exploit can be used to reach other hosts on the victim’s network. This includes collecting Windows password hashes from the infected machine, which can then be used for further malicious activity.

Password hashes pulled using the exploit

Detection is Challenging

Because the malicious code is loaded from the remote template, the Word document itself, acting as the Trojan horse, contains no malicious code. That makes the threat harder for antivirus products to detect and lets the document fly under the radar longer.
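What the document does carry is the remote-template relationship that points Word at the attacker’s HTML, and that reference is a static triage signal even when no payload is present. The PowerShell below is an added example, not code from the article or from any of the researchers named; it opens a .docx as the zip container it is and reports any attached-template relationship marked External. The fixture-building function, the example.invalid URL and the quarantine folder path are constructed for the demonstration.

```powershell
# Added example: static triage of a .docx for an external (remote) attached template.
# Assumes .NET's System.IO.Compression is available (Windows PowerShell 5.1 or PowerShell 7).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalTemplateReference {
    # Returns one object per attachedTemplate relationship whose TargetMode is External.
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Word records the attached template in word/settings.xml and resolves its
        # r:id through word/_rels/settings.xml.rels; a remote template is an External target.
        $entry = $zip.GetEntry('word/_rels/settings.xml.rels')
        if (-not $entry) { return @() }

        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

        $hits = foreach ($rel in $rels.Relationships.Relationship) {
            if ($rel.GetAttribute('Type') -like '*/attachedTemplate' -and
                $rel.GetAttribute('TargetMode') -eq 'External') {
                [pscustomobject]@{
                    File   = $Path
                    Id     = $rel.GetAttribute('Id')
                    Target = $rel.GetAttribute('Target')
                }
            }
        }
        return @($hits)
    } finally { $zip.Dispose() }
}

function New-TriageFixture {
    # Constructed fixture for offline testing: a bare OOXML container holding only the two
    # parts above. It is not a real document, carries no payload, and the URL is a placeholder.
    param([string]$Target = 'http://example.invalid/template.html')

    $path = Join-Path ([System.IO.Path]::GetTempPath()) ('fixture-{0}.docx' -f [guid]::NewGuid())
    $settings = '<?xml version="1.0" encoding="UTF-8"?>' +
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" ' +
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">' +
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    $rels = '<?xml version="1.0" encoding="UTF-8"?>' +
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">' +
        ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="{0}" TargetMode="External"/>' -f $Target) +
        '</Relationships>'

    $zip = [System.IO.Compression.ZipFile]::Open($path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($part in @(@('word/settings.xml', $settings), @('word/_rels/settings.xml.rels', $rels))) {
            $writer = New-Object System.IO.StreamWriter($zip.CreateEntry($part[0]).Open())
            try { $writer.Write($part[1]) } finally { $writer.Dispose() }
        }
    } finally { $zip.Dispose() }
    return $path
}

# Demonstration on the constructed fixture, then the real use: sweep a folder of suspect files.
$fixture = New-TriageFixture
Get-ExternalTemplateReference -Path $fixture | Format-Table -AutoSize
Remove-Item $fixture
# Get-ChildItem -Path .\quarantine -Filter *.docx | ForEach-Object { Get-ExternalTemplateReference $_.FullName }
```

A hit is a lead, not a verdict: corporate documents legitimately reference template servers, so the Target value (an http URL to a domain nobody in the organization recognizes, as with xmlformats[.]com here) is what turns a hit into an incident. RTF files are not zip containers and need a separate check.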

Huntress states that the only way to detect this attack vector is to monitor processes on the system: the Follina payload creates a child process named “msdt.exe” under the Microsoft Office parent process.

“Additionally, the sdiagnhost.exe process will be spawned with a conhost.exe child and its subsequent payload processes” – Huntress
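The process tree Huntress describes (msdt.exe under an Office parent, then sdiagnhost.exe spawning conhost.exe and the payload) maps directly onto Sysmon process-creation events. The PowerShell below is an added example, not Huntress’s or the article’s code. It assumes Sysmon is installed and logging Event ID 1 to Microsoft-Windows-Sysmon/Operational; the three sample events are constructed, not real telemetry, and the check for an ms-msdt: URI on the msdt.exe command line is an extra heuristic not taken from the article.

```powershell
# Added example: flag the Follina process tree from Sysmon Event ID 1 (process creation).
# Assumes Sysmon logs to Microsoft-Windows-Sysmon/Operational; sample events are constructed.

$OfficeImages = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe'

function Test-FollinaProcessEvent {
    # Takes any object with Image, ParentImage and CommandLine; returns a reason string or $null.
    param([Parameter(Mandatory)]$Event)
    $image  = [System.IO.Path]::GetFileName([string]$Event.Image).ToLower()
    $parent = [System.IO.Path]::GetFileName([string]$Event.ParentImage).ToLower()
    $cmd    = [string]$Event.CommandLine

    # Primary indicator from Huntress: msdt.exe spawned directly by an Office process.
    if ($image -eq 'msdt.exe' -and $OfficeImages -contains $parent) {
        return 'msdt.exe under Office parent'
    }
    # Secondary indicator: the diagnostics host spawning a console or payload process.
    if ($parent -eq 'sdiagnhost.exe') {
        return "child of sdiagnhost.exe ($image)"
    }
    # Extra heuristic (assumption, not from the article): the ms-msdt: protocol handler passes
    # the whole URI to msdt.exe, so it shows up on the command line whatever the parent is.
    if ($image -eq 'msdt.exe' -and $cmd -match 'ms-msdt:') {
        return 'msdt.exe launched via ms-msdt: URI'
    }
    return $null
}

function Get-SysmonProcessCreate {
    # Pulls real events; each Sysmon EventData field becomes a property (Image, ParentImage, ...).
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $o = [ordered]@{ TimeCreated = $_.TimeCreated }
            foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
            [pscustomobject]$o
        }
}

# Constructed sample events so the logic can be exercised offline: two hits and one benign launch.
$Sample = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "..."' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\conhost.exe'
                       ParentImage = 'C:\Windows\System32\sdiagnhost.exe'
                       CommandLine = 'conhost.exe 0xffffffff -ForceV1' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Windows\System32\msdt.exe" -id PCWDiagnostic' }
)

foreach ($e in $Sample) {
    $why = Test-FollinaProcessEvent -Event $e
    if ($why) { 'ALERT  {0}  <- {1}  [{2}]' -f $e.Image, $e.ParentImage, $why }
}
# Live use: Get-SysmonProcessCreate | ForEach-Object { if (Test-FollinaProcessEvent $_) { $_ } }
```

The third sample (a user opening the troubleshooter from Explorer) is deliberately not flagged: msdt.exe on its own is normal. In the RTF preview-pane variant the parent may not be an Office process, which is why the command-line check is kept as a separate rule rather than folded into the parent check.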

For businesses relying on Microsoft Defender’s Attack Surface Reduction (ASR) rules, Huntress advises enabling “Block all Office applications from creating child processes”, which stops Office from launching msdt.exe and so blocks the Follina exploit.

Another mitigation, recommended by Stevens, is to remove the ms-msdt protocol handler registration (the file type association for ms-msdt) so that Office cannot invoke the Diagnostic Tool when the malicious document is opened.
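Both mitigations above can be applied and verified from an elevated PowerShell session. The script below is an added example, not Huntress’s, Stevens’s or Microsoft’s own tooling. It assumes Microsoft Defender Antivirus is the active antivirus (ASR rules are only enforced then), that the ms-msdt handler lives under HKEY_CLASSES_ROOT\ms-msdt, and that reg.exe is available; the rule GUID and the backup file path are stated in the code.

```powershell
# Added example: apply and verify the two stop-gap mitigations from the article.
# Run elevated. Assumes Microsoft Defender Antivirus is active and reg.exe is on PATH.

# Rule GUID for "Block all Office applications from creating child processes".
$AsrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-OfficeChildProcessAsrState {
    # Reads the configured action for the rule: Disabled, Enabled (block), AuditMode or Warn.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $AsrOfficeChildProcess) {       # string -eq is case-insensitive
            switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { return 'Disabled' } 1 { return 'Enabled' } 2 { return 'AuditMode' } 6 { return 'Warn' }
                default { return "unknown ($_)" }
            }
        }
    }
    return 'not configured'
}

function Enable-OfficeChildProcessAsrRule {
    # AuditMode first: legitimate add-ins or macros that spawn processes show up as audit
    # events before anything is blocked. Switch to Enabled once the audit log is clean.
    param([ValidateSet('Enabled', 'AuditMode')][string]$Action = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcess `
                     -AttackSurfaceReductionRules_Actions $Action
    return (Get-OfficeChildProcessAsrState)
}

$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$MsdtBackup = Join-Path $env:ProgramData 'ms-msdt-handler-backup.reg'   # assumed location

function Disable-MsdtProtocolHandler {
    # Removes the ms-msdt: URL protocol registration so nothing can launch MSDT through it.
    # The key is exported first so the handler can be restored once the patch is deployed.
    if (-not (Test-Path $MsdtKey)) { return 'ms-msdt handler already absent' }
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $MsdtBackup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup to $MsdtBackup failed; handler left in place" }
    Remove-Item -Path $MsdtKey -Recurse -Force
    return "ms-msdt handler removed; backup at $MsdtBackup"
}

function Restore-MsdtProtocolHandler {
    # Re-imports the exported key; returns $true when the handler is back.
    if (-not (Test-Path $MsdtBackup)) { throw "no backup at $MsdtBackup" }
    & reg.exe import $MsdtBackup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed' }
    return (Test-Path $MsdtKey)
}

# Typical rollout: audit the ASR rule, remove the handler, confirm both.
Enable-OfficeChildProcessAsrRule -Action AuditMode
Disable-MsdtProtocolHandler
"ASR rule state: $(Get-OfficeChildProcessAsrState); ms-msdt handler present: $(Test-Path $MsdtKey)"
```

Removing the handler breaks the Windows troubleshooters that are launched through ms-msdt: links, which is why the export is mandatory before the delete and why Restore-MsdtProtocolHandler exists; the ASR rule has no such side effect but only takes effect on machines where Defender is the primary antivirus.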

Originally Reported to Microsoft in April

Researchers state that Follina was originally discovered and reported to Microsoft in April.

According to members of the infosec group Shadow Chasers, a team of college students who hunt and analyze advanced persistent threats (APTs), they reported the vulnerability to Microsoft, but the report was dismissed as “not a security related issue.”

Microsoft’s reply to the vulnerability submission

Then, on April 12 of this year, Microsoft marked the submission (tracked as VULN-065524) as resolved, with the status “This issue has been fixed.”

 

Update 06/1/2022 – A Python script released by John Hammond on GitHub lets anyone test the new attack vector: it generates a malicious Microsoft Word document carrying the Follina exploit from a single command. A video of the script in action was also published.

Source: Kevin Beaumont
Tags: powershell, zero day, Zero-click
Kyle

Co-owner, writer, and editor at ZeroSecurity. Security, Blockchain, and SEO enthusiast. "Formal education will make you a living; self-education will make you a fortune."

© 2022 ZeroSecurity, All Rights Reserved.
