Scroll to top

Get In Touch
541 Melville Ave, Palo Alto, CA 94301,
Ph: +1.831.705.5448

Work Inquiries
Ph: +1.831.306.6725

Detect the Follina MSDT Vulnerability (CVE-2022-30190)

Security researchers found the vulnerability in Microsoft document. In Which attacker can tact victim to open up a malicious word document which results attacker to execute the code on Victim System.

Affected Product(MSDT(Microsoft Windows Support Diagnostic Tool)):

Microsoft Windows Support Diagnostic tool collects information and send it to Microsoft when something goes wrong with windows.

CVE 2022-30190 affects MSDT, It is called by other applications(MS office) with a special URL. If the attacker exploits it successfully then he may get RCE on Victim Machine. This Vulnerability affects all of the windows family.

Understanding Exploit:

First of all, we have to unzip the malicious doc file.

Now open the document.xml.rels file under word/_rels location.

We found the external reference to attacker IP. Let’s see the content of index.html!

Html Payload Start with Script tag. Using a schema for ms-msdt, the native package PCWDiagnostic is invoked with the parameters IT_BrowseForFile which includes PowerShell syntax embedded within $().

Now we see the Base 64 Encoded script. Let’s decrypt it using the Cyber Chef tool.

This script downloads the nc.exe from John Hammond GitHub page on the Victim machine and saves the output as nc.exe after that force cmd to execute and gave the RCE to Attacker.

How To Protect

There is two ways to protect Our self from MSDT vulnerability:

1. Disable MSDT URL Protocol to do this we need to run (reg delete HKEY_CLASSES_ROOTms-msdt /f). But before using please take the back up of registry.

2. Use Microsoft ASR(Attack Surface Reduction) Rules activate the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited

Microsoft Official Fix:

Microsoft has released Security Updates for (CVE 2022-30190) Which can lead an attacker to get Remote Code Execution on Victim Machine.

Microsoft says customers are highly advised to apply the updates in order to be fully protected against the vulnerability. Customers that have their systems set up to get automatic updates do not need to do anything else.

Author avatar

Post a comment

Your email address will not be published. Required fields are marked *