Mysterious “Follina” zero-day hole in Office – what to do?


News of a zero-day remote code execution bug in Microsoft Office has hit the internet.

More precisely, perhaps, it is a code execution security hole that can be exploited via Office files, although we know that there may be other ways to trigger or abuse this vulnerability.

Security researcher Kevin Beaumont has dubbed it Follina, a completely arbitrary name, and given that it still doesn’t seem to have an official CVE number [2022-05-30T21:00Z], that name looks set to stick and makes a useful search term.

(Update. Microsoft has assigned the identifier CVE-2022-30190 to this bug, and published an official advisory about it [2022-05-22T06:00Z].)

The name “Follina” comes from the fact that a sample booby-trapped Word DOC file went by the name 05-2022-0438.doc. The number sequence 05-2022 seems obvious enough (May 2022), but what about 0438? That could be the telephone dialling code for the Follina area, not far from Venice in northwestern Italy, so Beaumont applied the name “Follina” to the exploit as something of a joke. There is no suggestion that the malware came from that part of the world, or that there is in fact any Italian connection to the exploit at all.

How does it work?

Put simply, the exploit works like this:

  • You open a booby-trapped DOC file, probably received via email.
  • The document references a regular-looking https: URL that gets downloaded.
  • This https: URL refers to an HTML file that contains some weird-looking JavaScript code.
  • That JavaScript references a URL with the unusual identifier ms-msdt: in place of https:.
  • On Windows, ms-msdt: is a proprietary URL type that launches the MSDT software toolkit.
  • MSDT is shorthand for Microsoft Support Diagnostic Tool.
  • The command line supplied to MSDT via the URL causes it to run untrusted code.

When invoked, the booby-trapped ms-msdt: link triggers the MSDT utility with a command line argument of the form msdt /id pcwdiagnostic ....

If run by hand without any other parameters, this automatically loads MSDT and invokes the Program Compatibility Troubleshooter.

From there, you can choose an app to troubleshoot; answer a bunch of support-related questions; have various automatic checks run on the app; and if you’re still stuck, choose to report the problem to Microsoft, uploading various troubleshooting data at the same time.

Although you probably wouldn’t expect to be thrown into the PCWDiagnostic utility simply by opening a document, you would at least see a series of popup dialogs, and you would get to choose what to do at each step along the way.

Automatic remote script execution

Unfortunately, it seems that the attackers who invented the “Follina” trick (or, more precisely, the attackers who seem to have used this trick in various attacks over the past month, even if they didn’t figure it out themselves) discovered that MSDT has a number of unusual but treacherous command line options.

These options force the MSDT troubleshooter to run under remote control.

Instead of letting the troubleshooter ask how you want to proceed, the crooks crafted a set of parameters that not only cause it to proceed automatically (e.g. the options /skip and /force), but also cause it to invoke a PowerShell script along the way.

Worse, this PowerShell script doesn’t have to exist in a file on disk already – it can be supplied in scrambled source form right there in the command line itself, along with all the other options used.

In this case, PowerShell was used to extract and launch a malware executable that the crooks supplied in compressed form.

John Hammond, a threat researcher at Huntress, confirmed by launching CALC.EXE to “pop calc” that anything already executable on the computer can be loaded directly by this trick, so an attacker could make use of existing tools or utilities, perhaps without relying on the more suspicious approach of launching a PowerShell script along the way.

No macros required

Note that this attack is triggered by Word referencing the rogue ms-msdt: URL, which is itself reached via the URL in the DOC file.

No Visual Basic for Applications (VBA) Office macros are involved, so this trick works even if you have Office macros turned off completely.

Simply put, it looks as though a convenient Office URL “feature”, combined with a helpful MSDT diagnostic “feature”, can be abused to create a security hole that leads to click-and-pwn remote code execution.

In other words, just opening a booby-trapped document could deliver malware onto your computer without you noticing.

In fact, John Hammond writes that this trick can be turned into an even more direct attack by packaging the malicious content into an RTF file instead of a DOC file. In that case, he says, previewing the document in Windows Explorer is enough to trigger the exploit, even without clicking to open it. Simply rendering the thumbnail in the preview pane is enough to trip up Windows and Office.

What to do?

Convenient as Microsoft’s proprietary ms-xxxx URLs may be, being designed to trigger processes automatically when certain types of file are opened, or even merely previewed, they are obviously a security risk.

A workaround that was quickly agreed upon in the community, and has since been officially endorsed by Microsoft, is simply to break the relationship between ms-msdt: URLs and the MSDT utility.

This means that ms-msdt: URLs no longer have any special significance, and can’t be used to force MSDT.EXE to run.

You can make this change by removing the registry entry HKEY_CLASSES_ROOT\ms-msdt, if it exists. (If it’s not there, you’re already protected by this workaround.)

If you create a file with a name ending in .REG containing this text …

    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\ms-msdt]

… you can double-click the .REG file to remove the offending entry (the minus sign in front of the key name means “delete”).

You can also browse to HKEY_CLASSES_ROOT\ms-msdt in the REGEDIT utility and hit [Delete].

Or you can run the command: REG DELETE HKCR\ms-msdt.

Note that you need administrator privileges to modify the registry in this way.

If you find that you can’t live without ms-msdt URLs, you can always put the missing registry data back later.

To back up the HKEY_CLASSES_ROOT\ms-msdt registry key first, use the command: REG EXPORT HKEY_CLASSES_ROOT\ms-msdt backup-msdt.reg.

To restore the deleted registry key later, use: REG IMPORT backup-msdt.reg.

Just for the record, we’d never seen an ms-msdt URL before, let alone relied on one, so we had no hesitation in deleting this registry setting on our own Windows computers.
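For readers who would rather script the back-up, delete and restore steps above than type them by hand, here is an added PowerShell wrapper around the same REG.EXE commands the article gives (REG EXPORT, REG DELETE, REG IMPORT). This is example code written for this page, not part of the Naked Security article or of Microsoft’s guidance. It assumes an elevated PowerShell session on Windows, and it writes the backup to the current user’s profile folder (a location chosen for the example); the Test-IsElevated check and the refusal to delete without a backup are additions of this example.

```powershell
# Added example, not part of the article: wraps the article's REG.EXE commands.
# Assumptions: elevated PowerShell on Windows; backup goes to the user's profile folder.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'            # the URL-handler key named in the article
$PSKeyPath  = "Registry::$KeyPath"                   # same key via the PowerShell registry provider
$BackupFile = Join-Path $env:USERPROFILE 'backup-msdt.reg'   # example location

function Test-IsElevated {
    # The article notes that administrator rights are needed to change this key.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MsdtHandler {
    # $true when ms-msdt: URLs are still wired to MSDT; $false means already mitigated.
    Test-Path -LiteralPath $PSKeyPath
}

function Show-MsdtHandler {
    # Print what the handler currently launches, if the usual shell\open\command subkey exists.
    if (-not (Test-MsdtHandler)) { Write-Output 'ms-msdt handler not present (already mitigated)'; return }
    $cmdKey = "$PSKeyPath\shell\open\command"
    if (Test-Path -LiteralPath $cmdKey) {
        Write-Output "ms-msdt: currently launches: $((Get-ItemProperty -LiteralPath $cmdKey).'(default)')"
    }
}

function Backup-MsdtHandler {
    # REG EXPORT HKEY_CLASSES_ROOT\ms-msdt backup-msdt.reg (/y overwrites an older backup).
    if (-not (Test-MsdtHandler)) { Write-Output 'Nothing to back up'; return }
    reg.exe EXPORT $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Write-Output "Backed up $KeyPath to $BackupFile"
}

function Remove-MsdtHandler {
    # REG DELETE HKCR\ms-msdt, but only once a backup exists so the change stays reversible.
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (administrator) PowerShell' }
    if (-not (Test-MsdtHandler)) { Write-Output 'ms-msdt handler already absent'; return }
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup at $BackupFile; run Backup-MsdtHandler first" }
    reg.exe DELETE $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    Write-Output "Removed $KeyPath; ms-msdt: URLs no longer launch MSDT"
}

function Restore-MsdtHandler {
    # REG IMPORT backup-msdt.reg, for anyone who later finds they need the handler back.
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (administrator) PowerShell' }
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup at $BackupFile" }
    reg.exe IMPORT $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Output "Restored $KeyPath from $BackupFile"
}

# Typical use: inspect, back up, remove, then confirm the handler is gone.
Show-MsdtHandler
Backup-MsdtHandler
Remove-MsdtHandler
Show-MsdtHandler
```

Running Show-MsdtHandler on its own is a harmless way to check a machine’s status: if it reports that the handler is not present, the workaround is already in place. Restore-MsdtHandler reverses the change from the saved .REG file.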

[Image: the HKCR\ms-msdt registry entry in its “before” state, which you will need to recreate if you delete it.]

How Sophos products detect and report these attacks

  • Sophos endpoint products detect and block known attacks carried out through this exploit as Troj/DocDl-AGDX. You can use this detection name to search your logs both for DOC files that trigger the original download and for the HTML “second stage” files that follow.
  • Sophos endpoint products detect and block attempts to trigger this exploit as Exec_39a (T1023). These reports will show up in your logs against the program MSDT.EXE in the system folder.
  • Sophos email and web filtering products block attack files of this type as CXmail/OleDl-AG.
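Whatever endpoint product you use, the article’s description gives you something concrete to hunt for in process-creation telemetry: MSDT.EXE from the system folder being started by an Office application, or with an ms-msdt: URL and the /skip and /force options on its command line. The following PowerShell hunt is an added example written for this page; it is not Sophos’s detection logic and not part of the article. The event records are constructed for the example, with assumed field names (Time, Host, Parent, Image, CommandLine), and the list of Office parent processes is an assumption of the example; in practice you would feed in your own EDR, Sysmon or Windows Security event export mapped onto those fields.

```powershell
# Added example, not from the article and not Sophos's detection logic: a simple hunt
# over process-creation records for MSDT.EXE launched the way the article describes.
# The records below are constructed for this example (field names are assumed).

$SampleEvents = @(
    # Benign: a user ran the troubleshooter by hand from Explorer (the article's manual case).
    [pscustomobject]@{ Time='2022-05-30T09:12:00Z'; Host='PC-A'; Parent='explorer.exe'
                       Image='C:\Windows\System32\msdt.exe'
                       CommandLine='msdt /id pcwdiagnostic' }
    # Suspicious: Word spawned MSDT with the automation options and an ms-msdt: URL.
    [pscustomobject]@{ Time='2022-05-30T09:15:41Z'; Host='PC-B'; Parent='WINWORD.EXE'
                       Image='C:\Windows\System32\msdt.exe'
                       CommandLine='"C:\Windows\System32\msdt.exe" ms-msdt:/id pcwdiagnostic /skip /force <remaining parameters omitted>' }
    # Unrelated child of Word; should be ignored by this hunt.
    [pscustomobject]@{ Time='2022-05-30T09:16:02Z'; Host='PC-B'; Parent='WINWORD.EXE'
                       Image='C:\Windows\System32\notepad.exe'
                       CommandLine='notepad.exe' }
)

# Parents that have no business starting the diagnostic tool (assumed list for this example).
$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')

function Find-SuspiciousMsdtLaunch {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        # Only look at msdt.exe itself (PowerShell string comparison is case-insensitive).
        if ([IO.Path]::GetFileName($e.Image) -ne 'msdt.exe') { continue }

        $reasons = @()
        if ($e.CommandLine -match '(?i)ms-msdt:')         { $reasons += 'ms-msdt: URL on command line' }
        if ($e.CommandLine -match '(?i)/skip\b')          { $reasons += '/skip (unattended run)' }
        if ($e.CommandLine -match '(?i)/force\b')         { $reasons += '/force (unattended run)' }
        if ($OfficeParents -contains $e.Parent.ToUpper()) { $reasons += "spawned by $($e.Parent)" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.Time
                Host    = $e.Host
                Parent  = $e.Parent
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# On the constructed sample, only the PC-B Word-spawned launch is reported.
Find-SuspiciousMsdtLaunch -Events $SampleEvents | Format-Table -AutoSize
```

The manual launch from Explorer with a bare /id pcwdiagnostic is deliberately left unflagged, since that is exactly what the article describes a user doing by hand; it is the combination of an Office parent, the ms-msdt: scheme and the unattended-run options that marks out the exploit pattern. Once the registry workaround is applied, a hit on the ms-msdt: rule would also tell you that a machine was missed.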
