SANS Emergency Webcast

At 5 pm on Monday, May 30, 2022, EDT, SANS, the world's largest cybersecurity research and training organization held a rare emergency webcast.  Prior emergency webcasts have covered only the most paramount cybersecurity events such as the Russia-Ukraine cyberwar, the Colonial Pipeline, and SolarWinds cyber-events.  When there is a SANS Emergency Webcast, rest assured there must be an urgent cybersecurity intelligence advisory on the horizon, and in fact, CISA also released a national cybersecurity advisory today. The webcast outlined a vulnerability in Microsoft Office dubbed "Follina" which can be exploited via the ms-msdt protocol scheme.  The protocol is used to invoke the Microsoft Support Diagnostic Tool (MSDT) from within a Windows application.  However, a public tweet released on May 27, 2022, disclosed that the ms-msdt protocol scheme could be used to poison a Microsoft Word document to achieve arbitrary code execution on a victim's computer.   

On Tuesday, May 31, 2022, Microsoft released temporary mitigation guidance for immediate protection until the software company can release a patch update. The advisory includes workaround options that should be applied to all versions of Windows since 2007.

Why Such a Big Fuss?

The vulnerability is considered trivial to exploit, allows arbitrary code execution, has been observed being used in the wild, and has publicly available proofs-of-concept (POC) available.  The vulnerability can be exploitable even with Office VBA macros turned off, greatly increasing the scope of potential victims. Although many security teams may already be aware that VBA macros pose the threat of arbitrary code execution and have disabled them, those preventative measures will not protect against Follina.  

As of July 1, 2022, MITRE has not been officially assigned Follina a CVSS score, however, according to Microsoft's security advisory it would have a CVSS v3 base score of 7.8 and a temporal score of 7.3.  Although this vulnerability does not meet the criteria to score 9.0 or above to be considered severely critical, it is only spared that rating because it cannot be exploited remotely, and does not offer elevation of privileges beyond the exploited Office application's scope.  

This is really not much of a saving grace, however, since phishing attachments that leverage Follina have already started popping up on the global cyber-threat intelligence (CTI) radar, and numerous Windows privilege escalation flaws already exist meaning that attackers are attempting to get the exploit into organization's networks and if successfully executed there are many potential options for elevating privileges.  

The expectation is that this vulnerability will be used successfully in phishing attacks against unpatched systems until a patch is released by Microsoft and auto-installed via Windows 10.

First Exploitation of Follina Seen in the Wild

The vulnerability was first exposed in a Tweet on May 27, 2022, by @nao_sec regarding a file discovered on VirusTotal capable of exploiting the Microsoft Office application.  The document contained a malicious URL pointing to an external resource that, when loaded, was capable of executing an attacker-supplied payload.  

The cybersecurity community quickly jumped on the disclosure and several POCs have already been released including a .docx file generation POCs for Python [1], and [2] and a poisoned HTML document POC. Since exposure, the global cybersecurity researchers have been hot on the trail of Follina, and have tracked it back to active exploits collected in April.

Technical Description Of The Vulnerability

The Follina exploit flow follows the following pattern:

1. After opening a poisoned Microsoft Office document, an external payload is fetched from an embedded http:// web-resource.  

2. The fetched web resource contains malicious JavaScript code snippet that invokes a link prepended with a ms-msdt:/ protocol scheme and specially crafted ms-msdt protocol parameters instead of a typical https:// scheme used to call regular web resources.

3. The MS Office application opens the ms-msdt:/ resource link with the associated MSDT application msdt.exe.

4. The specially crafted ms-msdt:/ parameters force the execution of a payload script embedded in the link to be decoded and executed under the context of the Microsoft Office application used to open the document. 

The malicious MS Word specs will load resources from www[.]xmlformats[.]com when its opened

The fetched HTML document contains ms-msdt:/ protocol scheme with a base64 encoded PowerShell payload

msdt.exe is typically used to collect information and report system crashes to Microsoft Support. However, Folina exploits this feature to automatically process the MSDT URL and execute arbitrary commands and has the capability to execute Powershell.

The attack also leverages some crafty parameterization to achieve a non-interactive attacker-supplied code execution by using the /skip and force options and decodes a base64 encoded PowerShell payload and executes it.

Emergency Mitigation Techniques

VirusTotal's information about one variant of Folina assigns a community score of 33/60 (as of June 1, 2022) due to a low existing detection rate by popular antivirus engines, but the following YARA rule provided by a SANS threat researcher allows rule-based identification of malicious documents attempting to leverage Folina.

Perhaps most importantly, Microsoft has published a temporary workaround for the Follina vulnerability that prevents successful attacks via known vectors. It is suspected that additional attack vectors using the ms-msdt:/ protocol are exposed in Windows.  

The officially prescribed fix is to disable the MSDT protocol altogether. The steps for mitigation are as follows:

1. Search for the cmd application, right-click on the icon and click "Run asadministrator".

2. Authenticate if necessary

3. Execute "reg export HKEY_CLASSES_ROOT\ms-msdt filename" to save a copy of the registry key

4. Execute "reg delete HKEY_CLASSES_ROOT\ms-msdt /f" to delete the MSDT registry key.

In the case that MSDT is required and cannot be completely disabled, Microsoft Defender Antivirus can be configured by turning on cloud protection to fetch real-time updates and  Microsoft Defender for Endpoint can be configured to block MS Office from spawning any child processes by enabling the “BlockOfficeCreateProcessRule” rule.