New zero-day code execution vulnerability in MS Office - Follina

Written by Aarush Ahuja
Co-founder @ FourCore

New MS Office zero-click code execution vulnerability

On 27th May, 2022, nao_sec reported on Twitter a malicious Word document that had been submitted to VirusTotal from an IP address in Belarus. The document performs command execution on a target even though it is a .docx and does not contain any macros!

MS Office Template Injection

Template Injection is a known technique and has been used by threat actors, including APT28 and Lazarus Group, to execute malicious code via macros. .docx, .xlsx and .pptx files are essentially zip archives containing the Office Open XML (OOXML) parts that define the document. The OOXML spec also allows templates and other resources to be loaded from public URLs; in this case the template was an HTML file hosted on a web server. The technique can also be applied to .rtf files to perform similar template injection. These remote templates can be loaded from SMB or HTTP servers.

Previous payloads have focused on retrieving remote templates containing macros to be executed by Word or other Office products. Malicious macros are quickly detected, and their execution is prevented, by endpoint security solutions. Most vendors should reliably detect and prevent template injection with macros and code execution on a protected system. Not in Follina's case, though.
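Because a .docx is a zip of OOXML parts, a defender can triage a file for remote template references without opening it in Office. The following is an added example, not code from the original post or from the researchers it cites: it lists every relationship marked TargetMode="External" and flags those that point at an HTTP(S) or UNC location. The list of relationship types treated as fetched on open, the size limit and the sample package are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Assumed triage list: relationship types whose external target Office
# retrieves when the file is opened (a plain hyperlink is not retrieved).
FETCHED_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}
MAX_PART_SIZE = 1_000_000  # .rels parts are tiny; skip oversized entries


def external_relationships(doc_bytes):
    """List every TargetMode="External" relationship in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART_SIZE:
                continue
            data = pkg.read(info)
            if b"<!DOCTYPE" in data:  # OPC forbids DTDs in package parts
                continue
            for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target = rel.get("Target", "")
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                remote = (urlparse(target).scheme.lower() in ("http", "https")
                          or target.startswith("\\\\"))  # HTTP(S) or UNC/SMB
                findings.append({"part": info.filename, "type": kind, "target": target,
                                 "suspicious": remote and kind in FETCHED_TYPES})
    return findings


def build_sample():
    """Constructed sample: a zip holding a single relationships part."""
    base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{base}attachedTemplate" '
        'Target="https://example.invalid/template.html" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{base}hyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{base}styles" Target="styles.xml"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Calling external_relationships(build_sample()) returns two findings: the remote template reference is marked suspicious, while the ordinary hyperlink is listed but not flagged.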

Follina Code Execution

The Follina vulnerability uses the Word Remote Template feature to retrieve an HTML template from a remote URL. This template contains JavaScript code that redirects the page to an ms-msdt:/ URL. In Jan 2022, SySS Tech covered the various URL protocols supported by MS Office. Kevin Beaumont covers the Follina issue in detail.

Follina Vulnerability MSDT URL Payload reported by nao_sec

The MSDT URL in the Follina payload above creates a new troubleshooting pack which executes a base64-encoded PowerShell script.

Microsoft Support Diagnostic Tool (msdt)

MSDT, or Microsoft Support Diagnostic Tool, is a legitimate tool used for collecting information from a system and sending it to Microsoft Support. It supports executing various commands, and Office products (Word, Excel, PowerPoint) support the ms-msdt URL scheme. You can read more about MSDT and the various arguments it supports here.

Word's Protected View does prevent zero-click code execution. However, using an RTF file allows execution from the preview pane, without even opening the document.

Detecting Follina Code Execution with Word

As of 30th May, the free version of Windows Defender does not yet detect the code execution behaviour as malicious. However, the original payload submitted on VirusTotal is detected by the enterprise Defender for Endpoint offering.

Kevin Beaumont has published a Defender for Endpoint query which can be used for detection and a Sigma rule has been updated to cover the Follina vulnerability.

The detections focus on anomalous child process creation from the Office processes winword.exe, powerpnt.exe and excel.exe, and on the MSDT processes they spawn, msdt.exe and sdiagnhost.exe, which should never happen in normal use.

The scope of the vulnerability seems to be pretty wide with various researchers confirming successful exploitation on recent Office 365 releases, Office 2013, 2016, 2021 and Office Pro Plus.

Mitigate the Follina vulnerability

Microsoft would have to release patches for Office products. However, removing the ms-msdt scheme handler is an effective mitigation which prevents this vulnerability.

reg delete hkcr\ms-msdt /f

UPDATE: Another mitigation is to disable Troubleshooting Wizards completely via GPO.

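You can also run the following command from an admin prompt to set the EnableDiagnostics value to 0, disabling the Microsoft Troubleshooter. The value is written as a REG_DWORD, the type the policy uses; without /t, reg add would create a string value.

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics /f /v EnableDiagnostics /t REG_DWORD /d 0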
