Follina (CVE-2022-30190) Explained (+PoC Exploit)

2022-06-25 Dawid Farbaniec

The most important: Security updates are here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

On May 27, 2022, on Twitter nao_sec, there was information about a malicious Microsoft Word document that uses the Microsoft Support Diagnostic Tool (ms-msdt protocol) to run Windows PowerShell code.

This malicious document contained zero-day vulnerability CVE-2022-30190. The schemes below contain general idea of Follina exploit mechanism.

During my delayed experiments I have created educational Follina PoC Tool.

Features

.RTF payload generator
Simple HTTP server for delivering .HTML payload
Mitigation tips
Configuration extractor
Easy to use for learning

The tool was coded in C#.NET and is freely available on ethical.blue Magazine account on GitHub here:
https://github.com/ethicalblue/Follina-CVE-2022-30190-PoC-sample

PoC Exploit Executed Successfully

Presentation

Bibliography

https://twitter.com/nao_sec/status/1530196847679401984 [access: 2022-06-25]
https://gist.github.com/tothi/66290a42896a97920055e50128c9f040 [access: 2022-06-25]
https://github.com/chvancooten/follina.py [access: 2022-06-25]
https://github.com/JohnHammond/msdt-follina [access: 2022-06-25]
https://github.com/MalwareTech/FollinaExtractor [access: 2022-06-25]
https://sekurak.pl/krytyczna-podatnosc-0day-w-microsoft-office-po-otwarciu-dokumentu-mozna-przejac-komputer-cve-2022-30190-follina/ [access: 2022-06-25]
https://avlab.pl/follina-exploit-0-day-w-microsoft-office-z-bialorusi/ [access: 2022-06-25]
https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection [access: 2022-06-25]