Have you ever had to download a Microsoft Word document from a co-worker, friend or family member? I know I have. Now imagine you receive what looks like a Word document from your boss titled “New Promotions/Raises”. Without thinking, you download and open the file, and then a strange window pops up about the Microsoft Windows Diagnostic Tool. The document is blank, which is odd, but you assume it was probably just an error on Microsoft’s side and think nothing of it. While you are away from your computer, an attacker is walking through your file system, setting up persistence and carrying out other malicious acts. This is something that could easily happen with the new zero-day vulnerability in Microsoft Word, which has been given the name “Follina”.
What is it?
Follina is the newest zero-day vulnerability to be found that affects Microsoft Word and other applications. What is a zero-day vulnerability, you ask? It is a vulnerability that has just been discovered and does not yet have a patch available. The problem with these vulnerabilities is that no one has a chance to prepare for them, and the details are public information that anyone can use. What makes this vulnerability even scarier is how easy it is to run. Security researchers have created proof-of-concepts that take a single command to run, after which only social engineering is needed to get the target to open the file.
What does it do?
This vulnerability is classed as a Remote Code Execution (RCE) vulnerability. Remote Code Execution vulnerabilities allow an attacker to run code on a target’s machine remotely. This can be a wide range of commands, but the main thing that gets run is shellcode, which gives the attacker remote access to the target’s file system. From there, an attacker inside an organization could try to reach other people’s machines.
How does it work?
This exploit works by chaining two Microsoft Word features: the Online Remote Template feature and the built-in Microsoft Windows Diagnostic Tool (MSDT). MSDT is a Windows troubleshooting tool that helps users with issues when they occur. The remote template feature fetches the latest version of a document’s template from a URL, and the content it pulls down is HTML. MSDT commands can be invoked from within that HTML, so by injecting custom code into the HTML, an attacker gets custom code to run on the target machine as soon as the document loads. There is also a bypass in which the target doesn’t even need to open the file; previewing it is enough. This works when the document is saved as a Rich Text Format (RTF) file and the target has the preview feature turned on.
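Defenders can look for the loader this chain depends on inside the document itself. The following Python script is an added example, not code from this post or from John Hammond’s tool: it opens a .docx (a zip container), reads the word/_rels/settings.xml.rels part, and reports any attached-template relationship whose target is an external http(s) URL, which is the remote-template hook described above. The two documents it scans are constructed in memory for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for a document's attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PART = "word/_rels/settings.xml.rels"


def find_external_templates(docx_bytes):
    """Return external http(s) attachedTemplate targets found in a .docx.

    A benign document usually has no template relationship, or one pointing
    at a local .dotm.  A template fetched over http(s) when the file opens is
    the remote-template loader that the Follina chain starts from.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if (rel.get("TargetMode") == "External"
                    and target.lower().startswith(("http://", "https://"))):
                findings.append(target)
    return findings


def build_docx(rels_xml):
    """Build a minimal .docx in memory around the given rels part (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed samples: a local Normal.dotm (benign) and a template pulled over HTTP.
REL = f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="%s" TargetMode="External"/></Relationships>'
BENIGN = build_docx(REL % "file:///C:/Templates/Normal.dotm")
SUSPECT = build_docx(REL % "http://example.invalid/template.html")

if __name__ == "__main__":
    for name, blob in (("benign.docx", BENIGN), ("suspect.docx", SUSPECT)):
        print(name, find_external_templates(blob) or "no remote template")
```

The same check can be pointed at a mail gateway’s attachment queue; an RTF variant needs a separate text scan, since RTF is not a zip container.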
Exploit in action:
For this demo, I will be using a file created by John Hammond, which can be found on his GitHub here: https://github.com/JohnHammond/msdt-follina.
First, I downloaded the follina files from GitHub.
You then run “python3 follina.py” to start the attack.
This command then creates a file called “follina.doc”, which is the actual payload.
For this attack, the payload was delivered over a Python simple HTTP server, but in a real world attack the payload would probably be delivered by email in a phishing attempt.
Once the file was transferred over to the target machine, the document was opened.
As you can see, the document is blank, and since it was downloaded from the internet, Protected View was enabled. For this attack to work, the victim has to enable editing, but let’s be honest: we all enable editing on a document without thinking about it.
Once the file is opened and editing is enabled, the troubleshooting page appears and, by default, the program opens the Calculator application on Windows.
We can, however, go back to our attack machine and tell the script to do something other than open the Calculator application. The following shows all the features that the program comes with:
The first option we will look at is the -c flag. This lets us run any command we want on the machine. For this example, I ran -c “notepad.exe”, which causes the Notepad application on Windows to open.
Since we already created and delivered the document, we don’t need to deliver it again; all we need to do is wait for the target to reopen the document. Good thing that in this example the target is me.
Once the file is opened again, the same thing happens as with the default payload; however, this time the Notepad application opens, since we ran the command “notepad.exe” on the target machine.
Now for the fun part: getting a remote shell on the target machine. To do this, we use the -r or --reverse option when running the program.
When running this command, you also have to provide a port to listen on in order to catch the reverse shell. After running the command with port 9999 as the listening port, we went back to the target machine and opened the file again.
After opening the file, the troubleshooting popup keeps loading on the target while, back on the attack machine, we have a successful reverse shell. From here, an attacker could do a number of things, such as setting up persistence so the shell isn’t lost once the document is closed.
That is a quick proof-of-concept for the recent zero-day found against Microsoft Word. Thanks again to John Hammond for an awesome tool to play around with.
What can be done to stop this?
The main way this can be avoided is by ensuring end users don’t open random files that are sent to them. If someone gets an email that says “Promotions” but no promotions are happening within the company yet, odds are it’s a fake file. You should never act on emails you don’t trust, especially when they carry attachments. The greatest defense against cyber security attacks is ensuring people know how to handle phishing attempts.
The official CVE published by Microsoft can be found here: CVE-2022-30190
Microsoft’s official site lists the remediation level as a temporary fix, with a permanent fix coming in the near future.
- https://youtu.be/dGCOhORNKRk – John Hammond, YouTube
- https://youtu.be/3ytqP1QvhUc – Network Chuck, YouTube
- https://github.com/JohnHammond/msdt-follina – John Hammond, proof-of-concept file