Source: https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
Published in DoublePulsar
Kevin Beaumont · May 29 · 9 min read

Follina — a Microsoft Office code execution vulnerability

Two days ago, on May 27th 2022, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus. This turned out to be a zero day vulnerability in Office and/or Windows. This caught my attention, as Defender for Endpoint missed execution:

The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell. That should not be possible. That code does this, when decoded:

There’s a lot going on here, but the first problem is that Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer), let alone Protected View.

Most importantly, we need to name this and give it a crap logo:

The official Follina vulnerability logo, carefully made in Microsoft Paint

I’m calling it Follina because the spotted sample on the file references 0438, which is the area code of Follina in Italy.

In English, so what

It’s a zero day allowing code execution in Office products. Historically, when there are easy ways to execute code directly from Office, people use them to do bad things. This breaks the boundary of having macros disabled. Vendor detection is poor.
Additional in the wild samples

Over a month ago (back in April 2022), a file themed “invitation for an interview” with Sputnik Radio, targeting a user in Russia, was uploaded to VirusTotal. This document directly exploits the Follina vulnerability. It was reported to Microsoft, who decided it wasn’t a security issue (see timeline below). Here is Follina being exploited, to an unknown payload:

Also in April, there is another Russia themed document exploiting Follina:

Hash fe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45

And another even earlier Follina themed document, this one attempting to lure a victim using sexual misconduct allegations:

Hash d61d70a4d4c417560652542e54486beb37edce014e34a94b8fd0020796ff1ef7

Since this writeup went live, Proofpoint report that Chinese threat actor TA413 is also exploiting this vulnerability:

Scope

I’ve tested this on various rigs and it works more often than not. For example, here is Windows 10, not local admin, with macros fully disabled, with Defender, with Office 365 Semi-Annual Channel, casually popping calc on open of a Word document:

However, with the Insider and Current versions of Office I can’t get this to work — which suggests Microsoft have either tried to harden something, or tried to fix this vulnerability without documenting it. This appears to have happened around May 2022. Another entirely possible option is I’m too much of an idiot to exploit it on those versions, and I’ve just messed something up.

Update: the vulnerability appears exploitable using .RTF files on all versions of Office 365, including Current Channel.

The vulnerability has been proved in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. It also applies to Windows itself, e.g. it can be called from .lnk files — effectively there are two different issues in my opinion: Office itself using MS Protocol and allowing unfiltered loading from HTML Word templates and Outlook links, and MSDT allowing code execution.
Rich still sees it working in Office Pro Plus from April, with a little video:

Didier Stevens demonstrates the exploit working on a patched version of Microsoft Office 2021:

Office 2019 with latest patches is also vulnerable:

Detection

Defender for Endpoint

I’ve written a Defender for Endpoint query, which you can use if you’re rich and have E5. You can save this under “Custom detection rules” if you want Defender to alert you. Currently it fully misses detection at this stage.

ThreatHunting/Follina-Office.ahq at master · GossiTheDog/ThreatHunting (github.com)

    DeviceProcessEvents
    | where ProcessCommandLine contains "msdt.exe"
    | where InitiatingProcessFileName has_any (@"WINWORD.EXE", @"EXCEL.EXE", @"OUTLOOK.EXE")

Trellix Sigma and Aurora Lite

Non-malicious proof of concepts

Antivirus providers will probably start blocking these as malicious (they aren’t), but here’s a public PoC .docx:

https://app.box.com/s/9oz1r90tzs7bstl0xy3zzfc8m92cqhcu

Here’s a GitHub repo to make a PoC:

Note that there are different ways to trigger this, and I’ve seen some researchers with PoCs that don’t work as they don’t load the remote template at all.

Temporary mitigations

Will has a suggestion — remove the ms-msdt URI scheme registry key (requires local administrator rights). You can do this via Group Policy Preferences, also.

Update: Microsoft have issued a mitigation on May 30th 2022 which is essentially the same:

> Run Command Prompt as Administrator.
>
> To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
>
> Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
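The Defender for Endpoint query above keys on one relationship: msdt.exe being started by Word, Excel or Outlook. The following is an added example, not code from the post or from the GossiTheDog/ThreatHunting repo: it applies the same logic in Python to process-creation records (exported telemetry, Sysmon, whatever you have), so teams without E5 can run the rule too. It adds one lower-confidence tier the KQL does not have, msdt.exe carrying an ms-msdt: URI under a non-Office parent, because the post notes the .RTF variant fires from the Explorer preview pane without Word ever opening the document. The record field names, the sample paths and the sample command lines are constructed for this example and are not real captured data.

```python
"""Follina-style msdt.exe detection over process-creation records.

Added example (not from the original post or the author's ThreatHunting
repo). Field names parent_image / image / command_line are assumptions for
this example, not a real product schema.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Office hosts the KQL rule uses as the initiating (parent) process.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the initiating process (assumed field)
    image: str          # full path of the created process (assumed field)
    command_line: str   # command line of the created process (assumed field)


def _basename_upper(path: str) -> str:
    """Upper-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).upper()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a verdict label for one event, or None if it is not of interest.

    'office_spawned_msdt'   : msdt.exe started by Word/Excel/Outlook, which is
                              exactly what the KQL rule expresses.
    'msdt_uri_other_parent' : msdt.exe launched with an ms-msdt: URI but under
                              a non-Office parent. Lower confidence, but it is
                              the only tier that can see a preview-pane launch
                              where Word never opens the document.
    """
    cmd = ev.command_line.lower()
    # Mirror `ProcessCommandLine contains "msdt.exe"`, also accepting the image name.
    if _basename_upper(ev.image) != "MSDT.EXE" and "msdt.exe" not in cmd:
        return None
    if _basename_upper(ev.parent_image) in OFFICE_PARENTS:
        return "office_spawned_msdt"
    if "ms-msdt:" in cmd:
        return "msdt_uri_other_parent"
    return None


def hunt(events: Iterable[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Apply classify() to every event and return (verdict, event) hits."""
    return [(v, ev) for ev in events for v in [classify(ev)] if v]


# Constructed sample telemetry (NOT real data). The ms-msdt: argument is a
# placeholder; the real handler arguments are deliberately not reproduced.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:CONSTRUCTED_PLACEHOLDER_ARGS'),
    # Constructed stand-in for a launch where Word is not the parent.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:CONSTRUCTED_PLACEHOLDER_ARGS'),
    # Benign: a user running a troubleshooter from Control Panel, no URI.
    ProcessEvent(r"C:\Windows\System32\control.exe",
                 r"C:\Windows\System32\msdt.exe",
                 r"msdt.exe -id PLACEHOLDER_PACK"),
    # Benign: Word spawning its print helper.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe",
                 r"C:\Windows\splwow64.exe 12288"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 r"msdt.exe"),
]

if __name__ == "__main__":
    for verdict, ev in hunt(SAMPLE_EVENTS):
        print(f"{verdict:24} parent={_basename_upper(ev.parent_image)} cmd={ev.command_line}")
```

Expect the Office-parent tier to be near silent in normal use, while the other-parent tier needs tuning against legitimate troubleshooter launches, which is why it only fires when an ms-msdt: URI is present on the command line.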
A Group Policy mitigation for the MSDT element, which is really good and easy to deploy:

Put simply: Group Policy Editor -> Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Set “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to “Disabled”.

How might this evolve?

We’ll see. Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking.

Microsoft will probably point towards Protected View; however, Protected View also applies by default to all macros, and Office macro malware is most definitely a major problem regardless.

Update: Microsoft have indeed pointed to Protected View, saying it “prevent” the attack. I think this is stretching the truth — for example, if the document is a .RTF file and is opened via Preview in Explorer, Protected View doesn’t apply and it becomes a zero click exploit. Microsoft know this, they just aren’t mentioning it to customers. Additionally, you can use MS Protocol URI schemes in Outlook emails.

Detection is probably not going to be great, as Word loads the malicious code from a remote template (webserver), so nothing in the Word document is actually malicious.

Other issues

As a side note, the attack surface of MS Protocol in Office is extremely large — here’s a prior blog on it:

Abusing the MS Office protocol scheme (blog.syss.com): during a research project, SySS IT security consultant Matthias Zöllner found out that in a standard installation of…

As an example, you can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will gladly let the user click the hyperlink and open the Excel document. You can even change the text to be something friendly, like “Invoice”.
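A gateway or mailbox rule can at least surface these links, since the scheme is right there in the href. Below is an added example, not from the post or SySS, of that check in Python: it pulls every hyperlink out of an HTML mail body, decodes Office URI scheme links of the form scheme:command|u|target (the ofv/ofe/nft verbs are Microsoft's documented Office URI commands), and reports them with the friendly link text the user would have seen. The sample message is constructed for this example; the ms-excel link is the one from the post, and ms-msdt is added to the watch list because it is the handler Follina abuses.

```python
"""Flag Office protocol-scheme hyperlinks in an email body.

Added example, not from the original post. The sample message below is
constructed; example.invalid is a reserved placeholder domain.
"""
from email import message_from_string
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Office URI schemes registered by an Office install, plus ms-msdt (the handler
# Follina abuses). Mail gateways that only inspect http/https never look here.
SUSPICIOUS_SCHEMES = {
    "ms-excel", "ms-word", "ms-powerpoint", "ms-visio", "ms-access",
    "ms-project", "ms-publisher", "ms-msdt",
}

# Documented Office URI scheme command verbs.
OFFICE_COMMANDS = {"ofv": "open-for-view", "ofe": "open-for-edit", "nft": "new-from-template"}


class _HrefCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[Tuple[str, str]] = []
        self._current: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            href = dict(attrs).get("href")
            if href is not None:
                self._current, self._text = href, []

    def handle_data(self, data):
        if self._current is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            self.hrefs.append((self._current.strip(), "".join(self._text).strip()))
            self._current = None


def parse_office_uri(href: str) -> Optional[dict]:
    """Decode '<scheme>:<command>|u|<target>'; None if the scheme is not watched."""
    scheme, sep, rest = href.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in SUSPICIOUS_SCHEMES:
        return None
    parts = rest.split("|")
    command, target = None, rest          # ms-msdt: links have no |u| structure
    if len(parts) >= 3 and parts[1] == "u":
        command, target = parts[0].lower(), "|".join(parts[2:])
    host = urlsplit(target).hostname if target.startswith(("http://", "https://")) else None
    return {"scheme": scheme, "command": OFFICE_COMMANDS.get(command, command),
            "target": target, "target_host": host}


def triage_message(raw: str) -> List[dict]:
    """Return one finding per Office-scheme hyperlink in the HTML parts of a message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _HrefCollector()
        collector.feed(body)
        for href, text in collector.hrefs:
            info = parse_office_uri(href)
            if info:
                info["link_text"] = text
                findings.append(info)
    return findings


# Constructed sample message: one Office URI link disguised as "Invoice", one
# ordinary https link, one ms-word link to a placeholder domain.
SAMPLE_EMAIL = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the invoice below.</p>
<p><a href="ms-excel:ofv|u|https://blah.com/poc.xls">Invoice</a></p>
<p><a href="https://example.invalid/portal">Customer portal</a></p>
<p><a href="ms-word:ofe|u|https://example.invalid/contract.docx">Contract</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in triage_message(SAMPLE_EMAIL):
        print(f"{f['scheme']:14} {f['command'] or '-':18} text={f['link_text']!r} target={f['target']}")
```

Scanning the href rather than the visible text is the whole point: the user sees “Invoice”, the rule sees ms-excel: pointing at an external host, and that mismatch is what you alert or quarantine on.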
Because the document isn’t attached to the email, and the URI doesn’t start with http or https, most email gateways are going to let that sucker straight through as nothing appears malicious.

…and, when you look at the default Windows URI schemes that Office is allowing, there are a lot of, er, interesting things.

Microsoft probably want to stop webpages embedded as remote templates in Office from loading so many URIs, and Outlook probably needs another hardening pass too. All just my opinions, as always. Obviously, they also need to tidy up MSDT itself — but it’s not the only OS application shipping like that.

Is it a zero day?

100%. It has been used in in the wild attacks for well over a month, targeting known orgs in two countries (Russia and India), without a patch. Microsoft aren’t calling it a zero day in the MSRC post, and they haven’t put it as a zero day in Microsoft Defender Vulnerability Management. Keep in mind they own MSDT, Office and Defender.

Update: Microsoft are now classifying it as a zero day within Microsoft Defender Vulnerability Management.

Timeline

August 1st 2020 — A bachelor thesis is published detailing how to use MSDT to execute code. It contains a bunch of other ways to execute code via MS Protocol in Word, using templates, which still work now.

March 10th 2021 — Researchers report to Microsoft how to use Microsoft Office URIs to execute code, using Microsoft Teams as an example. Microsoft fail to issue a CVE or inform customers, but stealth patched it in Microsoft Teams in August 2021. They did not patch MSDT in Windows or the vector in Microsoft Office. (Link)

March 2022 — Another blog is published highlighting using MSDT to execute code. (Link)

April 12th 2022 — First report to Microsoft MSRC of exploitation in the wild via MSDT, by the leader of Shadowchasing1, an APT hunting group. This document is an in the wild, real world exploit targeting Russia, themed as a Russian job interview.
April 21st 2022 — Microsoft MSRC closed the ticket saying it was not a security related issue (for the record, msdt executing with macros disabled is an issue):

May ?? 2022 — Microsoft may have tried to fix this, or accidentally fixed it, in the Office 365 Insider channel, without documenting a CVE or writing it down anywhere. The other Office products remain vulnerable.

May 27th 2022 — Security vendor Nao_sec tweet a document uploaded from Belarus, which is also an in the wild attack.

May 27th 2022 — Reported back to MSRC.

May 29th 2022 — I identified this was a zero day publicly, as it still works against Office 365 Semi-Annual Channel and ‘on prem’ Office versions, and EDR products are failing to detect.

May 30th 2022 — We’re trying to crowdsource how to protect against this vulnerability/vulnerabilities.

May 30th 2022, evening — Microsoft allocate CVE-2022-30190 (no patch yet) and publish a blog. Defender antivirus and EDR signatures go live.

May 31st 2022 — Microsoft classify this a zero day in Microsoft Defender Vulnerability Management:

May 31st 2022 — CISA advisory released:

June 2nd 2022 — Minor edit to this post.

June 7th 2022 — There is no patch. Microsoft have updated their MSRC post and added an FAQ entry, which talks about how a Group Policy mitigation doesn’t work. They are not talking about the Group Policy mitigation in this blog, which works fine. It is unclear how the one in the MSRC blog is a Frequently Asked Question, considering it isn’t listed online anywhere I can find — it is also unclear why the Group Policy change in this blog isn’t mentioned, since it is the easiest mitigation to implement.

June 7th 2022 — Qakbot are now exploiting Follina in Word documents, via today’s email runs. I would strongly recommend organisations implement mitigations as soon as possible.
https://twitter.com/1ZRR4H/status/1534259727059787783/photo/2

Further reading

https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

Stay safe, ~g