Follina: Incident Response

Faishol Hakim
4 min read · Jun 18, 2022

Follina, listed as CVE-2022-30190, is one of the most talked-about vulnerabilities revealed in May 2022. It affects Microsoft Office documents that reference a malicious HTML page through an external link, which then runs PowerShell code to take over the system.

I got more insight when solving one of the BTLO challenges about this vulnerability; acting as an incident responder is cool. The challenge provides a real sample of this vulnerability called sample.doc. To expand our knowledge of the case, we need more intelligence, so we start by searching for anything related to this file. The easiest first step is to compute the file's hash and submit it to a threat intelligence service such as VirusTotal.

We get a lot of information there, because the threat is already well known and patched, so intelligence is available quickly. The other way is to do our own analysis of the file in a lab we build ourselves. Back to the source: we found that the file is an Office Open XML (OOXML) document.

As the first paragraph explained, this document calls an external HTML link. From this sample we get the link the file calls (defanged): https://www.xmlformats(.)com/office/word/2022/wordprocessingDrawing/RDF842l.()html

We found the link in an XML file inside the document sample, located in the _rels subdirectory: word/_rels/document.xml.rels. We also learned more about this vulnerability, such as how it actually works. This is how the attack happens:

  1. The sample.doc is unzipped.
  2. The target attribute of the oleObject is replaced with the malicious HTML link.
  3. The file is zipped again and saved as DOCX, DOC, or RTF.
  4. This is the file the target receives.
  5. The HTML file is served on the internet.
  6. The HTML must be at least 4096 bytes, as mentioned by a security researcher.
  7. The code is wrapped in $() so that PowerShell executes it.

The Netbysec blog shows the scheme of the attack in the picture below.

This vulnerability relies on the msdt program on Windows, the Microsoft Support Diagnostic Tool, which helps users by collecting information and sending it to the Microsoft team to analyze and solve the problem. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user's rights.

If we look at the process tree, the system records this as a new process, so we should pay attention to Microsoft event ID 4688 (process creation), which we can learn more about here. After the document is executed (opened), a new process is created with WINWORD.EXE as the parent process and msdt.exe as the child process. Another source also captured this process chain, shown below.

Given this process chain, the attack needs to execute malicious code through PowerShell to take over the system. From this we can follow the red thread to the MITRE technique T1059 (Command and Scripting Interpreter: Windows Command Shell).
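To turn the 4688 process chain described above into a detection, here is an added Python example (not from the post or the BTLO challenge) that flags msdt.exe process-creation events whose parent is an Office application; it also generalises to other Office hosts and to msdt.exe launched through the ms-msdt: URL scheme from any parent. The event dicts are constructed sample data, and the non-Word parent names are an assumption.

```python
import os

# Office hosts that should not launch the diagnostic tool. WINWORD.EXE is the
# parent named in the post; the other names are an assumption that the same
# abuse generalises to other Office applications.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_SCHEME = "ms-msdt:"


def basename_lower(path):
    """Lower-cased file name from a Windows path as logged in a 4688 event."""
    return os.path.basename(path.replace("\\", "/")).lower()


def classify_4688(event):
    """Return a finding for a suspicious process-creation event, else None."""
    if event.get("EventID") != 4688:
        return None
    parent = basename_lower(event.get("ParentProcessName", ""))
    child = basename_lower(event.get("NewProcessName", ""))
    cmdline = event.get("CommandLine", "").lower()
    if child != "msdt.exe":
        return None
    if parent in OFFICE_PARENTS:
        return f"HIGH: {parent} spawned msdt.exe (Follina/CVE-2022-30190 pattern)"
    if MSDT_SCHEME in cmdline:
        return f"MEDIUM: msdt.exe launched via {MSDT_SCHEME} URL from {parent}"
    return None


def scan_events(events):
    """Run classify_4688 over a list of events; return (index, finding) pairs."""
    return [(i, f) for i, f in ((i, classify_4688(e)) for i, e in enumerate(events)) if f]


# Constructed sample events (not telemetry from the post): Word launching msdt,
# a benign msdt run from Explorer, and an unrelated Word child process.
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id <placeholder-id>'},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" /id <placeholder-id>'},
    {"EventID": 4688,
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags only the first event; the Explorer-launched msdt.exe and the unrelated Word child are left alone.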

How to mitigate?

The first way to get more secure is to apply your OS patches soon. According to Microsoft support, you can disable the MSDT URL protocol; disabling it prevents troubleshooters from being launched as links, including links throughout the operating system. Because this does not fully disable MSDT, the troubleshooting process still works. Another way is to use Microsoft Defender Antivirus (MDAV, MDE, MDO), which helps detect this attack. More details can be read here.

Thanks to BTLO for providing this challenge; I learned a lot from it. Feel free to correct me if there is a mistake.
