ethical.blue Magazine

// Cybersecurity clarified.

Follina (CVE-2022-30190) Explained (+PoC Exploit)

2022-06-25   Dawid Farbaniec
Most important: the security updates are available here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

On May 27, 2022, the nao_sec team posted on Twitter about a malicious Microsoft Word document that uses the Microsoft Support Diagnostic Tool (ms-msdt protocol) to run Windows PowerShell code.

This malicious document exploited the zero-day vulnerability CVE-2022-30190. The diagrams below show the general idea of the Follina exploit mechanism.
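A defender-side check for the two indicators described above (an OLE object relationship in the .docx that points at a remote URL, and any reference to the ms-msdt: scheme in a document part or delivered stage), added here as an example; it is not code from the ethical.blue tool, and the sample document, part names and URL are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return findings for a .docx given as bytes; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            if name.endswith(".rels"):
                # Follina documents fetch the HTML stage through an oleObject
                # relationship whose target is a remote URL (TargetMode="External").
                for rel in ET.fromstring(content).iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE:
                        findings.append(f"{name}: external oleObject -> {rel.get('Target')}")
            if MSDT_RE.search(content):
                findings.append(f"{name}: references the ms-msdt: URI scheme")
    return findings


def scan_text(data: bytes) -> bool:
    """True if an .rtf or .html stage references the ms-msdt: scheme."""
    return MSDT_RE.search(data) is not None


def build_sample_docx(external: bool = True) -> bytes:
    """Constructed sample: a minimal .docx whose document rels point an OLE object at a
    remote URL (external=True) or at an embedded part (external=False, benign control)."""
    target = ('Target="http://payload-host.invalid/stage.html" TargetMode="External"'
              if external else 'Target="embeddings/oleObject1.bin"')
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" {target}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx()):
        print(finding)
```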





During my (delayed) experiments I created an educational Follina PoC tool.

Features

  • .RTF payload generator
  • Simple HTTP server for delivering .HTML payload
  • Mitigation tips
  • Configuration extractor
  • Easy to use for learning









The tool is written in C#/.NET and is freely available on the ethical.blue Magazine GitHub account:
https://github.com/ethicalblue/Follina-CVE-2022-30190-PoC-sample

PoC Exploit Executed Successfully



Presentation

Bibliography

https://twitter.com/nao_sec/status/1530196847679401984 [access: 2022-06-25]
https://gist.github.com/tothi/66290a42896a97920055e50128c9f040 [access: 2022-06-25]
https://github.com/chvancooten/follina.py [access: 2022-06-25]
https://github.com/JohnHammond/msdt-follina [access: 2022-06-25]
https://github.com/MalwareTech/FollinaExtractor [access: 2022-06-25]
https://sekurak.pl/krytyczna-podatnosc-0day-w-microsoft-office-po-otwarciu-dokumentu-mozna-przejac-komputer-cve-2022-30190-follina/ [access: 2022-06-25]
https://avlab.pl/follina-exploit-0-day-w-microsoft-office-z-bialorusi/ [access: 2022-06-25]
https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection [access: 2022-06-25]