
Introduction

It was reported on May 30th by Microsoft that the Microsoft Support Diagnostic Tool (MSDT) was being actively exploited to obtain RCE on systems. The vulnerability, which can be triggered through malicious Office documents, can be used to gain access to systems on which victims have opened the document or followed a malicious link (CVE-2022-30190).

Since the initial disclosure by “Crazyman” from Shadow Chaser Group, multiple researchers and organizations have released analyses of the original malware, as well as proofs of concept.

See Kevin Beaumont’s article here – Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar

See Cas van Cooten’s PoC here – chvancooten/follina.py: POC to replicate the full ‘Follina’ Office RCE vulnerability for testing purposes (github.com)

Exploitation

TCM Security has used the available research and proofs of concept to assess the vulnerability in our local testing environments and identify various avenues of attack, including hash collection, command execution, and persistent shell access.

Hash collection is possible with Cas’s Python script, which generates a Word document that calls back to the local server and triggers the malicious payload through a basic, improperly handled file share access to the attacker’s machine. If an attacker were to replace a valid file in an active file share with the payload, any user who opened the document would be exposed to having their hash dumped. Hashes can be cracked offline with a tool like Hashcat and wordlists like Rockyou2021.

Remote command execution is also possible, thanks to the proof of concept. Utilizing a modified PowerShell reverse shell script, TCMS can get reverse shell access. As of right now, the payload and process TCMS is using are not being identified by Windows Defender.


It is also possible to execute the malicious payload through a simple wget request in the terminal, which, again, bypassed Defender Antivirus.


Remediation Recommendations

Microsoft has recommended that customers ensure that cloud-delivered protection is enabled in Microsoft Defender. For example, organizations with Defender for Endpoint can enable the “BlockOfficeCreateProcessRule” attack surface reduction rule, which blocks Office from creating new processes. Additionally, Microsoft has recommended updating to new versions of Microsoft Office and DISABLING external macros. However, TCMS has found that even with external macros disabled, it was still possible to execute the payloads.

Microsoft also suggests that the MSDT URL protocol be disabled for the time being. Administrators can do this by opening an administrative command prompt and running reg delete HKEY_CLASSES_ROOT\ms-msdt /f.
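As an added example (not part of the original post or Microsoft’s guidance text), the following PowerShell script applies that workaround from an elevated session, exporting the key first so it can be restored later with reg import, and then verifying that the handler is gone. The backup path is an assumed value.

```powershell
# Added example: back up, remove, and verify the ms-msdt URL protocol handler.
# Run from an elevated PowerShell session. $BackupPath is an assumed location.
$BackupPath = "C:\Temp\ms-msdt-backup.reg"

function Test-MsdtProtocolRegistered {
    # Returns $true while the ms-msdt URL protocol handler key still exists.
    return Test-Path -Path "Registry::HKEY_CLASSES_ROOT\ms-msdt"
}

function Disable-MsdtProtocol {
    param([string]$BackupFile)

    if (-not (Test-MsdtProtocolRegistered)) {
        Write-Output "ms-msdt handler already absent; nothing to do."
        return
    }

    # Export the key first; it can be restored later with: reg import <file>
    $dir = Split-Path -Parent $BackupFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    reg export "HKEY_CLASSES_ROOT\ms-msdt" $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; aborting before deletion." }

    # Remove the handler (same effect as: reg delete HKEY_CLASSES_ROOT\ms-msdt /f)
    reg delete "HKEY_CLASSES_ROOT\ms-msdt" /f | Out-Null

    # Verify the change actually took effect before reporting success
    if (Test-MsdtProtocolRegistered) {
        throw "ms-msdt key still present after deletion."
    }
    Write-Output "ms-msdt URL protocol disabled; backup saved to $BackupFile"
}

Disable-MsdtProtocol -BackupFile $BackupPath
```

Test-MsdtProtocolRegistered can also be run on its own as a quick check of whether a host still has the handler registered.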

TCMS will be adding checks for this vulnerability in internal penetration tests in the future. If your organization is concerned with this vulnerability and others, please contact us.

References

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center

https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

https://github.com/chvancooten/follina.py

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcm-sec.com/our-services/
Contact Us: sales@tcm-sec.com
