Follina (CVE-2022-30190) Explained (+PoC Exploit)
2022-06-25 Dawid Farbaniec

Most important: security updates are available here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
On May 27, 2022, nao_sec reported on Twitter a malicious Microsoft Word document that uses the Microsoft Support Diagnostic Tool (ms-msdt protocol) to run Windows PowerShell code.
This malicious document exploited the zero-day vulnerability CVE-2022-30190. The diagrams below show the general idea of the Follina exploit mechanism.


During my delayed experiments I created an educational Follina PoC Tool.
Features
- .RTF payload generator
- Simple HTTP server for delivering .HTML payload
- Mitigation tips
- Configuration extractor
- Easy to use for learning




The tool was coded in C#.NET and is freely available on the ethical.blue Magazine account on GitHub here:
https://github.com/ethicalblue/Follina-CVE-2022-30190-PoC-sample
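A defender-side counterpart to the configuration extractor feature, as an added Python example that is not part of the PoC tool or the original article: it lists external relationships in a .docx package and flags external OLE objects that load remote HTML, then checks fetched HTML for the ms-msdt scheme. It assumes the publicly described Follina layout (an external `oleObject` relationship pointing at a remote HTML page); the function names and the `example.invalid` sample are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MSDT_RE = re.compile(r"ms-msdt\s*:", re.IGNORECASE)

def external_relationships(docx_bytes):
    """Return (part, rel_type, target) for each TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for part in package.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(package.read(part)).iter(REL_TAG):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((part, rel_type, rel.get("Target", "")))
    return found

def suspicious_relationships(docx_bytes):
    """Assumed heuristic: external OLE objects fetching remote HTML; hyperlinks pass."""
    hits = []
    for part, rel_type, target in external_relationships(docx_bytes):
        remote = re.match(r"(mhtml:)?https?://", target, re.IGNORECASE)
        if rel_type == "oleObject" and remote:
            hits.append((part, target))
    return hits

def html_invokes_msdt(html_text):
    """True when fetched HTML references the ms-msdt: URL scheme."""
    return bool(MSDT_RE.search(html_text))

def build_sample(rels_xml):
    """Constructed test package that holds only a relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

SAMPLE_RELS = (  # constructed sample; example.invalid is a placeholder host
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    f'<Relationship Id="rId1" Type="{RELS}hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
    f'<Relationship Id="rId2" Type="{RELS}oleObject" Target="https://example.invalid/a.html!" TargetMode="External"/>'
    "</Relationships>"
)
```

A hit from `suspicious_relationships` is a triage lead, not a verdict: the referenced HTML still has to be retrieved in an isolated environment and checked with `html_invokes_msdt`.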
PoC Exploit Executed Successfully

Presentation

Bibliography
https://twitter.com/nao_sec/status/1530196847679401984 [access: 2022-06-25]
https://gist.github.com/tothi/66290a42896a97920055e50128c9f040 [access: 2022-06-25]
https://github.com/chvancooten/follina.py [access: 2022-06-25]
https://github.com/JohnHammond/msdt-follina [access: 2022-06-25]
https://github.com/MalwareTech/FollinaExtractor [access: 2022-06-25]
https://sekurak.pl/krytyczna-podatnosc-0day-w-microsoft-office-po-otwarciu-dokumentu-mozna-przejac-komputer-cve-2022-30190-follina/ [access: 2022-06-25]
https://avlab.pl/follina-exploit-0-day-w-microsoft-office-z-bialorusi/ [access: 2022-06-25]
https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection [access: 2022-06-25]