“Follina”, tracked as CVE-2022-30190, is a widely exploited vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that lets an attacker run PowerShell code on a Windows machine from a Microsoft Word document or a URL, even with Office macros disabled.
What it does
Follina is a remote code execution vulnerability: once a victim opens (or, in some variants, merely previews) the malicious document, the attacker's code runs on the machine without the victim's knowledge, with the privileges of the logged-on user. From there the payload can do whatever the attacker wants, for example move laterally to other hosts, attempt privilege escalation, or steal browser-saved credentials.
How it works
Follina abuses URL protocol handlers. A URL protocol (scheme) lets a URL launch an application: on a Windows machine, typing “ms-calculator:” into the address bar launches Calculator. This is tolerated because launching an application through a scheme is not supposed to let whoever supplied the URL run code of their own choosing. The scheme Follina abuses is “ms-msdt:”, which launches the Microsoft Support Diagnostic Tool, a utility used mainly by support professionals to collect information about your system. The malicious Word document contains an external link that loads an HTML page from the attacker's server; that page hands MSDT an “ms-msdt:” URL whose parameters are crafted so that MSDT evaluates attacker-supplied PowerShell. What that code does next, such as sending data back to the attacker, is entirely up to the payload.
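The two traits just described, an external (remote) link inside the document and the “ms-msdt:” scheme in the page it pulls in, are what a responder can check for without opening the file in Word. The following is an added triage example, not code from the original post or from Microsoft. It treats a .docx as the zip it is and reads Word's relationship parts (`word/_rels/*.rels`); the sample documents, the `maldoc.example` host and the stand-in HTML are constructed for the demo, so nothing is fetched from the network.

```powershell
# Added example (not from the original post): triage a .docx for an external
# relationship that pulls remote content into the document, and scan HTML text
# for the ms-msdt: scheme. Assumes only that .docx is a zip and that Word keeps
# relationships in word/_rels/*.rels. Sample inputs below are constructed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalRelationships {
    # Emits one object per relationship whose TargetMode is External and whose
    # target is an http(s) URL; a benign document normally has none of these.
    param([Parameter(Mandatory)][string]$DocxPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($DocxPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike 'word/_rels/*.rels') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $rels.Relationships.Relationship) {
                if ($rel.TargetMode -eq 'External' -and $rel.Target -match '^https?://') {
                    [pscustomobject]@{ Part = $entry.FullName; Type = $rel.Type; Target = $rel.Target }
                }
            }
        }
    } finally { $zip.Dispose() }
}

function Find-MsdtScheme {
    # Returns every ms-msdt: URL in a blob of HTML/JS, i.e. what a Follina-style
    # page hands to the protocol handler. Stops at whitespace or a closing quote.
    param([Parameter(Mandatory)][string]$Content)
    [regex]::Matches($Content, '(?i)ms-msdt:[^\s"'']+') | ForEach-Object { $_.Value }
}

function New-SampleDocx {
    # Builds a minimal, constructed .docx containing only a relationships part,
    # either with an external oleObject link (suspicious) or a local one (benign).
    param([Parameter(Mandatory)][string]$Path, [bool]$External)
    if (Test-Path $Path) { Remove-Item $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, 'Create')
    try {
        $rel = if ($External) {
            '<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://maldoc.example/payload.html" TargetMode="External"/>'
        } else {
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        }
        $xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
               '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">' + $rel + '</Relationships>'
        $entry  = $zip.CreateEntry('word/_rels/document.xml.rels')
        $writer = New-Object System.IO.StreamWriter($entry.Open())
        try { $writer.Write($xml) } finally { $writer.Dispose() }
    } finally { $zip.Dispose() }
}

# Demo on constructed inputs (full paths: .NET does not follow the PS location).
$tmp  = Join-Path ([System.IO.Path]::GetTempPath()) 'follina-triage'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
$bad  = Join-Path $tmp 'suspicious.docx'; New-SampleDocx -Path $bad  -External $true
$good = Join-Path $tmp 'benign.docx';     New-SampleDocx -Path $good -External $false
Get-ExternalRelationships -DocxPath $bad    # one hit: oleObject -> http://maldoc.example/payload.html
Get-ExternalRelationships -DocxPath $good   # no output

# Constructed stand-in for the HTML the external link would fetch.
$html = '<script>window.location.href = "ms-msdt:/example-diagnostic-parameters";</script>'
Find-MsdtScheme -Content $html              # ms-msdt:/example-diagnostic-parameters
```

Run the scanner over a quarantined copy of the file, never the original on the user's machine. A hit from `Get-ExternalRelationships` is a strong signal on its own, since ordinary documents rarely reference remote objects; pull the target HTML from a sandbox if you need to confirm the `ms-msdt:` stage with `Find-MsdtScheme`.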
How it was discovered
Follina was first reported to Microsoft in early-to-mid April 2022 by a researcher known as “crazyman”, a member of the Shadow Chaser Group. Microsoft dismissed the report, stating that it was not a security issue.
It says pic.twitter.com/Z2AN7nq6hr
— crazyman_army (@CrazymanArmy) May 30, 2022
The Microsoft representative stated that the sample did not work in their lab. MSDT asks for a password on startup, but the original sample contained enough junk and padding to push the file over 4096 bytes, and according to my tests and speculation, MSDT will only open without that prompt if the exploiting file is over 4096 bytes. The vector is also not limited to Word documents: it can be delivered through Rich Text Format (RTF) documents, URLs, and URL shortcuts. RTF is what makes this especially dangerous: with an RTF file, merely selecting it so that it renders in the File Explorer preview pane can trigger execution, so the victim does not even have to open the file for the code to run.
The sample only reached the wider community's attention when a Twitter user, “nao_sec”, searching VirusTotal for documents using an older exploit (CVE-2021-40444), found this document and alerted the community.
Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
How to protect yourself
Follina was a zero-day: it was being exploited in the wild before Microsoft had a fix, so at the time of writing there was no patch to install. The mitigation Microsoft acknowledged is to disable the “ms-msdt:” URL protocol handler, so that documents and web pages can no longer launch MSDT through it; back up the handler's registry key first so it can be restored later. Microsoft subsequently shipped a fix in the June 2022 Windows security updates, and once that is installed the workaround is no longer needed.
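The workaround above is a registry change, so here it is as a script. This is an added example, not Microsoft's own text: it backs up the “ms-msdt” protocol-handler key with reg.exe, deletes it, verifies the handler is gone, and provides the restore step. The backup location (`ms-msdt-backup.reg` on the system drive) is an assumption; run it from an elevated PowerShell.

```powershell
# Added example (not Microsoft's own guidance text): disable the ms-msdt: URL
# protocol handler by removing its registry key, with a backup for rollback.
# Assumption: the backup path below; change it to suit your environment.
#Requires -RunAsAdministrator
$Backup = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'

function Test-MsdtHandlerRegistered {
    # True while the ms-msdt: scheme still resolves to a handler.
    Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtHandler {
    param([string]$BackupPath = $Backup)
    if (-not (Test-MsdtHandlerRegistered)) {
        Write-Host 'ms-msdt: handler already absent; nothing to do'
        return
    }
    # Export first so the change is reversible; /y overwrites an older backup.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'backup failed; not deleting the key' }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if (Test-MsdtHandlerRegistered) { throw 'ms-msdt key still present after delete' }
    Write-Host "ms-msdt: handler disabled; backup at $BackupPath"
}

function Restore-MsdtHandler {
    param([string]$BackupPath = $Backup)
    # Undo the workaround once the June 2022 fix is installed.
    if (-not (Test-Path $BackupPath)) { throw "no backup found at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if (-not (Test-MsdtHandlerRegistered)) { throw 'import ran but the key is still missing' }
    Write-Host 'ms-msdt: handler restored'
}

Disable-MsdtHandler
Test-MsdtHandlerRegistered   # False once the workaround is in place
```

After applying it, a crafted document can still reach MSDT through other paths only if the handler is re-registered, so keep `Test-MsdtHandlerRegistered` in your compliance checks until the patched build is confirmed on every host, then run `Restore-MsdtHandler`.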