New zero-day code execution vulnerability in MS Office - Follina
Written by Aarush Ahuja
Co-founder @ FourCore
New MS Office zero-click code execution vulnerability
On 27th May, 2022, nao_sec on Twitter reported a malicious Word document on VirusTotal that had been submitted from an IP address in Belarus. The document performs command execution on the target even though it is a .docx and does not contain any macros!
MS Office Template Injection
Template Injection is a known technique and has been used by threat actors, including APT28 and Lazarus Group, to execute malicious code via macros in many cases. .docx, .xlsx and .pptx files are essentially zip archives containing Office Open XML (OOXML) parts that define the document. The OOXML spec also allows templates and other resources to be fetched from public URLs; in this case the template was an HTML file hosted on a web server. The same technique can be applied to .rtf files to perform similar template injection. These remote templates can be loaded from SMB or HTTP servers.
Previous payloads have focused on retrieving remote templates carrying macros to be executed by Word or other Office products. Malicious macros are quickly detected and their execution is blocked by endpoint security solutions, so most vendors should readily detect and prevent template injection that relies on macros for code execution on a protected system. Not in Follina's case though.
Follina Code Execution
The ms-msdt URL in the Follina payload above invokes a troubleshooting pack which executes a base64-encoded PowerShell script.
Microsoft Support Diagnostic Tool (msdt)
MSDT, the Microsoft Support Diagnostic Tool, is a legitimate tool used for collecting information from a system and sending it to Microsoft Support. It supports executing various commands, and Office products (Word, Excel, PowerPoint) honour the ms-msdt URL scheme. Microsoft's documentation covers MSDT and the various arguments it supports.
Word's Protected View does prevent the zero-click code execution; however, the RTF variant executes even without opening the document, from the Explorer preview pane alone.
Detecting Follina Code Execution with Word
As of 30th May, the free version of Windows Defender does not yet flag the code execution behaviour as malicious. However, the original payload submitted on VirusTotal is detected by the enterprise Defender for Endpoint offering.
The detections focus on anomalous child process creation: the Office processes winword.exe, powerpnt.exe and excel.exe spawning the MSDT processes msdt.exe and sdiagnhost.exe, which in legitimate use should never happen.
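The parent/child check described above, as an added example that is not part of the original post: it flags process-creation records in which an Office process spawns msdt.exe or sdiagnhost.exe. The field names (Image, ParentImage) follow Sysmon Event ID 1, the sample records are constructed, and the live query assumes Sysmon is installed and logging to its default channel.

```powershell
# Added example (not from the original post). Office parent -> MSDT child is the
# pairing the post describes as something that should never happen in normal use.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe')
$MsdtChildren  = @('msdt.exe', 'sdiagnhost.exe')

# Decide whether a single process-creation record matches the Office -> MSDT pattern.
# $Record is a hashtable with at least Image and ParentImage (full paths).
function Test-OfficeToMsdt {
    param([Parameter(Mandatory)][hashtable]$Record)
    $child  = [System.IO.Path]::GetFileName($Record.Image).ToLower()
    $parent = [System.IO.Path]::GetFileName($Record.ParentImage).ToLower()
    return ($parent -in $OfficeParents) -and ($child -in $MsdtChildren)
}

# Flatten a Sysmon Event ID 1 record from Get-WinEvent into the hashtable shape above.
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory)]$WinEvent)
    $xml  = [xml]$WinEvent.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Live use: pull recent Sysmon process-creation events and return only the matches.
function Find-OfficeToMsdtEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                 -FilterXPath '*[System[EventID=1]]' -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-SysmonProcessCreate $_ } |
        Where-Object  { Test-OfficeToMsdt $_ }
}

# Constructed sample records: a benign msdt.exe launch from Explorer (a user opening a
# troubleshooter) and one spawned by Word, which is the Follina chain.
$Samples = @(
    @{ UtcTime = '2022-05-30 10:01:00'; ParentImage = 'C:\Windows\explorer.exe';
       Image = 'C:\Windows\System32\msdt.exe' },
    @{ UtcTime = '2022-05-30 10:02:00';
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE';
       Image = 'C:\Windows\System32\msdt.exe' }
)

$Samples | Where-Object { Test-OfficeToMsdt $_ } |
    ForEach-Object { "ALERT $($_.UtcTime): $($_.ParentImage) spawned $($_.Image)" }
```

Only the second sample is reported; in a deployment, run Find-OfficeToMsdtEvents on a schedule or wire the same condition into the SIEM rule that consumes Sysmon events.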
The scope of the vulnerability appears to be wide, with various researchers confirming successful exploitation on recent Office 365 releases, Office 2013, 2016, 2021 and Office Pro Plus.
Mitigate the Follina vulnerability
Microsoft will have to release patches for Office products. In the meantime, removing the ms-msdt URL scheme handler is an effective mitigation that prevents exploitation of this vulnerability.