Follina - Windows Zero Day




On May 27th 2022, Nao_sec identified an odd-looking Word document in the wild, submitted from an IP address in Belarus.

This turned out to be a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), reachable from Office documents; it was later tracked as CVE-2022-30190.

The document uses Word's remote template feature to retrieve an HTML file from a remote web server. That HTML in turn invokes the ms-msdt: URI scheme (MSProtocol), which launches msdt.exe with attacker-controlled arguments and ends up executing PowerShell.


There's a lot going on here, but the first problem is that Word hands the code to msdt.exe (a support tool) even when macros are disabled. Protected View does kick in for the .docx, but if the document is converted to RTF the payload runs without the document being opened at all, via the Preview Pane in Explorer, so Protected View never gets a chance.
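The two artefacts described above, the remote template reference inside the document and the ms-msdt: URI inside the fetched HTML, can be checked for offline. The following triage helper is an added example written for this page, not code from the original post or from the sample's author; the file paths, the sample strings and the example.invalid host are constructed assumptions. It also covers the RTF variant mentioned above, where there is no OOXML relationships part and the template URL sits in a `{\*\template ...}` destination instead.

```powershell
# Added triage helper (not from the original post). Flags Word documents that
# declare an external attached template and HTML that carries an ms-msdt: URI.
# Paths, sample strings and host names below are illustrative assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-RemoteTemplateTargets {
    param([Parameter(Mandatory)][string]$Path)
    # A .docx is a zip. The attached template is declared in
    # word/_rels/settings.xml.rels as a Relationship whose Type ends in
    # /attachedTemplate; a remote template has TargetMode="External".
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/_rels/settings.xml.rels')
        if ($null -eq $entry) { return @() }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
        @($rels.Relationships.Relationship |
            Where-Object { $_.Type -like '*/attachedTemplate' -and $_.TargetMode -eq 'External' } |
            ForEach-Object { $_.Target })
    } finally {
        $zip.Dispose()
    }
}

function Get-RtfTemplateTarget {
    param([Parameter(Mandatory)][string]$Rtf)
    # The RTF variant has no relationships part; the remote template URL is
    # carried in a {\*\template <url>} destination in the RTF header.
    $m = [regex]::Match($Rtf, '\{\\\*\\template\s+([^}]+)\}')
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

function Test-MsdtUri {
    param([Parameter(Mandatory)][string]$Html)
    # The fetched HTML redirects the browser control to an ms-msdt: URI. The
    # arguments vary and are often padded or encoded, so match the scheme itself
    # rather than one known command line.
    [regex]::IsMatch($Html, 'ms-msdt\s*:', 'IgnoreCase')
}

# Constructed samples (not real captures) to exercise the checks offline.
$sampleHtml = '<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param ..."</script>'
$sampleRtf  = '{\rtf1\ansi{\*\template http://example.invalid/payload.html}\par}'

Test-MsdtUri -Html $sampleHtml
Get-RtfTemplateTarget -Rtf $sampleRtf
# Against a real document (path is an assumption):
# Get-RemoteTemplateTargets -Path .\suspect.docx
```

The docx check deliberately reports any external attached template, not only ones pointing at a known host: a legitimate document has no reason to pull its template over HTTP, and the HTML returned by the server can change between fetches, so the document-side indicator is the more stable one.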

This document directly exploits the Follina vulnerability. It was reported to Microsoft, who initially decided it wasn't a security issue.

Here is Follina being exploited to deliver an unknown payload (sample hash):

SHA-256: d61d70a4d4c417560652542e54486beb37edce014e34a94b8fd0020796ff1ef7


MS-MSDT "Follina" Attack Vector





Mitigation / How do I stay secure?

Microsoft has published the list of affected products in its security update guide entry for the Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190). Users of any affected product should install the relevant patches as soon as possible. Where patching is delayed, Microsoft's published workaround is to disable the ms-msdt URL protocol handler by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, and to restore it once the patch is in place.
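The workaround is a two-step registry change that is easy to get wrong under pressure (deleting before backing up, or forgetting to revert after patching). The script below is an added example for this page, not Microsoft's own tooling or code from the original post; it applies the published ms-msdt workaround with a backup-first check, provides the undo, and adds the Defender ASR rule that stops Office spawning child processes such as msdt.exe. The backup location under ProgramData is an assumption; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post or from Microsoft). Applies the
# ms-msdt registry workaround with a backup-first safety check, provides the
# revert, and enables the Office child-process ASR rule as defence in depth.
# Run elevated. The backup path is an assumption.
$Key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$Backup = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: URI scheme is still registered on this host.
    Test-Path -Path "Registry::$Key"
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host "$Key already absent, nothing to do"
        return
    }
    # 1. Export the key first so the change can be reverted after patching.
    reg.exe export $Key $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; not deleting it" }
    # 2. Only now remove the handler so ms-msdt: URIs no longer launch msdt.exe.
    reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $Key failed" }
    Write-Host "Removed $Key (backup at $Backup)"
}

function Restore-MsdtHandler {
    # Revert once the MSDT patch is installed; troubleshooters need the handler.
    if (-not (Test-Path -Path $Backup)) { throw "No backup found at $Backup" }
    reg.exe import $Backup
    if ($LASTEXITCODE -ne 0) { throw "Importing $Backup failed" }
}

function Enable-OfficeChildProcessBlock {
    # Defender ASR rule "Block all Office applications from creating child
    # processes". With it enabled Word cannot start msdt.exe in the first place,
    # which also covers the RTF/preview path. Audit mode first if you need to
    # check for legitimate Office child processes in your environment.
    $ruleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

Disable-MsdtHandler
Enable-OfficeChildProcessBlock
Test-MsdtHandlerPresent
```

Removing the handler breaks the ms-msdt: links used by Windows troubleshooters until Restore-MsdtHandler is run, which is why the backup is taken before the delete rather than after. The ASR rule is independent of the registry change and remains worthwhile after patching.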
