Keysight’s Take on CVE-2022-30190 MSDT Follina Exploit

What’s all the Fuss?

CVE-2022-30190 Microsoft Windows Support Diagnostic Tool (MSDT) RCE vulnerability has taken the internet by storm with it being still a zero day since its discovery on March 27. There is a lot of information publicly disclosed and since it’s so simple to perform the attack and most of the Windows versions (except some old versions) are vulnerable, makes it pretty dangerous.

We already see a lot of malware samples being submitted to malware database (Image from MalwareBazaar atatched below) sites involving Follina exploit armed with various tools like C2 Framework Cobalt Strike and others.

There has also been reports that the APT group TA413 has been actively exploiting this vulnerability to steal and delete users' data.

How it Started?

This all started when a maldoc sample was shared by naosec on Twitter. It used the Word doc to pull an HTML file from a server which looked like the following:\

The document seems to be invoking the msdt tool with some parameters and trying to execute some base64 encoded strings. If we decode it, we can see what it’s trying to do -

So now, the question is what made the original Word doc reach out to the attacker server for this HTML file? To answer that let’s try to recreate one of the many online POC that’s available.

Testing the POC

We got hold of an online POC that researcher and youtuber John Hammond has posted

Analysing the POC

Let’s go back to the original question, ‘what made the original Word doc reach out to the attacker server for this HTML file?’ If we unzip the doc file and see the file ‘document.xml.rels’ which according to the following, contains references to media.

It’s trying to look for an OLE object which is external and therefore tries to download it from the URL in the target tag, which is why it reaches to the attacker server.

So, what did we download from that attacker server? It’s an HTML file like what we saw at the beginning of the blog –

We can see the command to execute ‘calc’ embedded as base64 encoded string ‘Y2FsYw==’ and we also see a bunch of commented random characters. According to some initial PoCs, the exploit only works when the total size of the html file is 4096 bytes or higher, hence the padding, although there have been some rumours of some modified payload where this it’s not necessary.

Other Attack Vectors

According to this Twitter post , a simple wget or Invoke-WebRequest request from PowerShell to the attacker server also has the same result. This has been verified to be working by us (you might get an `Internet Explorer(IE) Engine not available` error, just launch IE once to get around). Judging by the nature of the attack, there might be other attack vectors which are still unknown.

Mitigations

As of now there is no patch for this vulnerability by Microsoft. You can follow these guidelines to stay safe -

Checkout Microsft's advisory for similar instructions and update your OS as soon as some patch from Microsoft is up!

Leverage subscription service to stay ahead of attacks

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously checks threats as they appear in the wild and has released a strike for the Follina Exploit as part of BreakingPoint System’s recent update 2022-12 with multiple variations of the attack to help keep your network secure. More information is present here.

The following image shows screenshots of the CVEs as a strike in BreakingPoint System:

limit
3