
Introduction

On May 30th, 2022, Microsoft published guidance for a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that was already being exploited in the wild to obtain remote code execution (CVE-2022-30190, nicknamed "Follina"). A malicious Office document, or a link to one, causes the application to invoke the ms-msdt URL protocol handler, which runs attacker-supplied code with the privileges of the user who opens the document. No macros are involved.

Since the initial disclosure by “Crazyman” from Shadow Chaser Group, multiple researchers and organizations have released analyses of the original malware, as well as proofs of concept.

See Kevin Beaumont’s article here – Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar

See Cas van Cooten’s PoC here – chvancooten/follina.py: POC to replicate the full ‘Follina’ Office RCE vulnerability for testing purposes (github.com)

Exploitation

TCM Security has used the available research and proofs of concept to reproduce the vulnerability in our lab environments and to identify several attack paths, including NTLM hash capture, remote command execution, and reverse shell access.

Hash capture is possible with Cas's Python script, which generates a Word document that reaches back to an attacker-controlled server to retrieve the payload. If that payload points the victim at a UNC path on the attacker's machine, the victim's Windows host attempts SMB authentication to the bogus share, and a listener such as Responder captures the Net-NTLMv2 challenge/response. If an attacker were to replace a legitimate file in an active file share with the weaponized document, any user who opened it would leak their hash. Captured Net-NTLMv2 hashes cannot be used directly for pass-the-hash, but they can be cracked offline with a tool like Hashcat (hash mode 5600) against wordlists like Rockyou2021.

Responder hash dump

Remote command execution is also possible using the same proof of concept. With a modified PowerShell reverse shell as the payload, TCMS obtained an interactive reverse shell on the target. At the time of writing, neither the payload nor the process chain TCMS is using is being flagged by Windows Defender.

Reverse shell access

Defender enabled with no malware identified

It is also possible to fetch and execute the malicious payload through a simple wget request in a terminal on the target (in PowerShell, wget is an alias for Invoke-WebRequest), which again bypassed Defender Antivirus.

Exploitation via wget request
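The documents produced by the proof of concept above do not use VBA; they reach their payload through a relationship in the Office Open XML package that has TargetMode="External" and points at an attacker-controlled URL, which gives defenders something concrete to look for in file shares and mail quarantines. The following PowerShell function is an added example written for this article, not code from the original post or from the follina.py project. It assumes Windows PowerShell 5.1 or PowerShell 7 with the System.IO.Compression assembly available, and it treats external oleObject and attachedTemplate relationships (which Word resolves automatically on open) and any ms-msdt: reference as indicators; ordinary http hyperlinks are ignored because they require a click and are common in benign documents.

```powershell
# Added example, not code from the original post or from follina.py.
# Flags two indicators of the Follina delivery chain inside a Word package:
#   1. relationships with TargetMode="External" of type oleObject or attachedTemplate
#      whose target is an http(s) URL or a UNC path (fetched automatically on open), and
#   2. the ms-msdt: URI scheme appearing anywhere in the package XML.
# Assumes Windows PowerShell 5.1 / PowerShell 7 with System.IO.Compression available.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-FollinaIndicators {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        } catch {
            # Encrypted, corrupt or non-OOXML files cannot be inspected this way
            Write-Warning "Could not open $Path as a package: $($_.Exception.Message)"
            return
        }
        try {
            foreach ($entry in $zip.Entries) {
                # Only XML parts and relationship parts can carry link targets
                if ($entry.FullName -notmatch '\.(rels|xml)$') { continue }

                $reader = New-Object System.IO.StreamReader($entry.Open())
                try { $content = $reader.ReadToEnd() } finally { $reader.Dispose() }

                # Indicator 2: direct reference to the MSDT protocol handler anywhere in the part
                $msdtRefs = [regex]::Matches($content, 'ms-msdt:[^"''<\s]*') | ForEach-Object { $_.Value }
                if ($msdtRefs) {
                    [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Reason = 'ms-msdt: URI scheme present'
                        Target = ($msdtRefs -join '; ')
                    }
                }

                if ($entry.FullName -notlike '*.rels') { continue }

                # Indicator 1: relationships that leave the package and are resolved on open
                $xml = [xml]$content
                foreach ($rel in $xml.Relationships.Relationship) {
                    if ($rel.TargetMode -ne 'External') { continue }
                    # Relationship type URI ends in the kind, e.g. .../relationships/oleObject
                    $kind = ($rel.Type -split '/')[-1]
                    if ($kind -notin @('oleObject', 'attachedTemplate')) { continue }
                    if ($rel.Target -notmatch '^(https?://|\\\\|ms-msdt:)') { continue }

                    [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Reason = "external $kind fetched on open"
                        Target = $rel.Target
                    }
                }
            }
        } finally {
            $zip.Dispose()
        }
    }
}

# Usage (share path is an assumption): sweep a file share for documents that reach outside the package.
# Get-ChildItem -Path \\fileserver\share -Recurse -Include *.docx,*.docm,*.dotx,*.dotm |
#     Test-FollinaIndicators | Format-Table -AutoSize
```

A hit on an external oleObject relationship is not proof of compromise on its own, but it is rare in ordinary business documents and is exactly the construct the public proof of concept relies on, so it is a reasonable triage filter. Scan a copy of the share from a non-production host: the function only reads the ZIP container and never renders the document, so it does not trigger the exploit itself.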

Remediation Recommendations

Microsoft has recommended that customers ensure cloud-delivered protection is enabled in Microsoft Defender Antivirus. Organizations with Defender for Endpoint can also enable the attack surface reduction rule "BlockOfficeCreateProcessRule" (Block all Office applications from creating child processes), which breaks the exploit chain by preventing Office from spawning MSDT. Microsoft has additionally recommended updating to current versions of Microsoft Office and DISABLING external macros. Note, however, that Follina does not use macros at all: TCMS found that the payloads still executed with external macros disabled, so macro policy alone is not a mitigation for this vulnerability. Microsoft subsequently shipped a fix for CVE-2022-30190 in the June 14, 2022 security updates, and installing those updates is the permanent remediation.

Microsoft also suggests disabling the MSDT URL protocol until the patch is applied. From an administrative command prompt, first back up the key with reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt.reg, then remove it with reg delete HKEY_CLASSES_ROOT\ms-msdt /f. The key can be restored later with reg import ms-msdt.reg. While the key is removed, troubleshooters cannot be launched as links, but they remain available through the Get Help application and in system settings.
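For administrators who need to apply the workaround at scale, verify it from a compliance check, and reverse it cleanly once the patch is in, the following PowerShell functions wrap the same reg.exe commands. This is an added example, not code from the original post or from Microsoft's guidance; it must run in an elevated session, and the backup location under ProgramData is an assumption.

```powershell
# Added example, not from the original post: apply, verify and roll back the
# ms-msdt URL protocol workaround, taking a backup of the key first as Microsoft's
# guidance advises. Run from an elevated PowerShell session.
$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Test-MsdtProtocolDisabled {
    # HKCR is not a PowerShell drive by default, so address it through the Registry:: provider.
    # Returns $true while the workaround is in effect (handler key absent).
    -not (Test-Path "Registry::$MsdtKey")
}

function Disable-MsdtProtocol {
    if (Test-MsdtProtocolDisabled) {
        Write-Host "ms-msdt handler already absent; nothing to do."
        return
    }
    # Export first so the handler can be restored once the June 2022 update is installed.
    reg.exe export $MsdtKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $MsdtKey failed (exit code $LASTEXITCODE); not deleting." }

    # Equivalent to the documented workaround: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
    reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $MsdtKey failed (exit code $LASTEXITCODE)." }

    if (-not (Test-MsdtProtocolDisabled)) { throw "$MsdtKey is still present after delete." }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed (exit code $LASTEXITCODE)." }

    if (Test-MsdtProtocolDisabled) { throw "$MsdtKey is still absent after import." }
    Write-Host "ms-msdt handler restored from $BackupFile"
}

# Usage:
#   Disable-MsdtProtocol        # apply the workaround
#   Test-MsdtProtocolDisabled   # $true while disabled; suitable for a scheduled compliance check
#   Restore-MsdtProtocol        # after the patched build is installed
```

Because the functions check $LASTEXITCODE after each reg.exe call, a failed export aborts before anything is deleted, which is the failure mode that matters most when pushing the change through a management tool to many hosts.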

TCMS will be adding checks for this vulnerability in internal penetration tests in the future. If your organization is concerned with this vulnerability and others, please contact us.

References

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center

https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

https://github.com/chvancooten/follina.py