Follina - The Newest and Most Dangerous Zero Day Vulnerability
The world of cyber security is flooded with vulnerabilities. Some are rated critical, some moderate and some merely informational. Usually the critical ones have the potential to give an attacker access to the root user of the target machine, from where they can carry out malicious activities.
The blue team works continuously on patching these vulnerabilities to minimize the damage. But every so often a vulnerability comes up that shakes the core of the technical world and proves very hard to patch.
Today we are going to look at one such vulnerability, which was recently discovered and has the potential to do really scary things. Let's take a look at Follina, CVE-2022-30190, any victim's worst nightmare.
Zero Day Vulnerability
Before we move on to the actual vulnerability, let's understand what a zero day vulnerability is. Basically, any vulnerability that has been disclosed to the entire world but not yet patched is known as a zero day vulnerability.
That is in fact why they are called zero day vulnerabilities: the analysts have literally "zero days" to find a fix before an attacker can exploit it.
Zero day vulnerabilities are among the worst kinds of vulnerability, because they surface before any security researcher or analyst has even an inkling of them. That makes things a lot tougher: every zero day is entirely new to the analysts, and by the time they work out a way to defend against it, the damage is already done.
A lot of big names have fallen victim to zero days before, and the effects were catastrophic. Think of Yahoo in August of 2013: more than 3 billion accounts were accessed by attackers, and Yahoo came clean only in 2016. This shows how deadly this zero day exploit was, as the patch would not come before things had gotten out of hand.
Then there is also LinkedIn in 2021 (very recent). Hackers managed to scrape data off 700 million users! The data included email IDs, passwords, personal details and what not. The hacker group also went on to publicly release the information of 500 million users and threatened to reveal the rest if their demands were not met.
As we can see from the above, zero day exploits are the worst nightmare of any security analyst out there, and Follina is one such dangerous exploit, something which in the wrong hands will prove devastating for the entire world.
Origin of Follina
Follina first caught the eye of nao_sec (on Twitter, @nao_sec), who tweeted that the vulnerability was "interesting" and gave the first brief overview of what it was. Let's break down this tweet and try to understand what is going on. Firstly, it mentions how the malware uses MS Word's external link feature to load an HTML script. So it isn't like normal malware: it is instead a document that pulls malicious code in from somewhere else.
Furthermore, the malware uses the "ms-msdt" scheme to execute PowerShell code. "ms-msdt" refers to the Microsoft Support Diagnostic Tool. The most novel thing about Follina is that it somehow invokes PowerShell code through msdt, which in itself is pretty fascinating.
How is Follina exploited?
This is a very straightforward procedure:
First, send the Word document (the malware) to the victim. The delivery method is your choice: email, WhatsApp, etc.
The victim opens the document.
That's it. By just performing the above two steps, Follina is exploited and the attacker now has access to the victim's machine.
As we have previously discussed, this doesn't involve macros. Macros are code hidden inside Microsoft Office documents and executed from there. But Follina is different. It doesn't have any hidden malware inside it (at least as far as we know so far). It instead links externally to an HTML script, which in turn executes the exploit.
This is what we call a remote code execution vulnerability.
Now one thing to note here: msdt usually prompts for a passkey before running. So how does Follina manage to evade that? This is a general case of buffer overflow. In a buffer overflow we aim to find the size of the buffer and send data exceeding that size, overflowing the buffer and bypassing the check.
The length of this buffer was found to be 4096 bytes.
If we take a look at the HTML file that is called by the malicious document, we can see a long run of the character 'A'. This is in fact done to overflow the buffer (by making the file more than 4096 bytes long) and evade the passkey prompt of msdt.
The latter part of the code consists of a bunch of base64 encoded characters.
After decoding the base64 string we got:
Upon closer inspection, one can notice that the beginning of this looks like a Microsoft CAB file. (A CAB file is a Windows cabinet file that stores installation data.)
Also notice the highlighted part. There is some sort of executable file by the name of rgb.exe. For the time being, the exact workings and goal of rgb.exe are unknown, but it is probably safe to say that rgb.exe is a vital part of the Follina exploit.
A very interesting fact here is that the Follina exploit can be sent as a .docx file or an .rtf file. The .rtf file is even more dangerous, as in this case the victim doesn't even have to open the file: just navigating to where the .rtf file is stored is enough to execute the exploit.
This is how the exploit looks when opened as .docx:
This will go on forever, and the attacker immediately gets access to the victim's machine. The attacker now has a wide range of attacks available, ranging from simply opening applications like Notepad or Chrome to gaining a reverse shell for full access. At this point, basically, the hacker has full control and you have been compromised.
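The two traits described in this section, a Word document whose OLE relationship points at an external HTML page and an HTML page that carries the ms-msdt: scheme padded past 4096 bytes, can be checked for on a quarantined sample. This is an added triage script, not code from the original post or from any of the linked repositories; the file paths in the usage comments are placeholders.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Inspect a .docx package for the loader pattern described above: an OLE object
# relationship whose target lies outside the package and is fetched over HTTP(S).
function Test-DocxExternalOle {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Relationship parts live under word/_rels/ (document.xml.rels and others)
        $relParts = $zip.Entries | Where-Object { $_.FullName -like 'word/_rels/*.rels' }
        foreach ($part in $relParts) {
            $reader = New-Object System.IO.StreamReader($part.Open())
            try { [xml]$xml = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $xml.Relationships.Relationship) {
                if ($rel.TargetMode -eq 'External' -and
                    $rel.Type -like '*/oleObject' -and
                    $rel.Target -match '^https?://') {
                    $findings += [pscustomobject]@{
                        Part = $part.FullName; Id = $rel.Id; Target = $rel.Target
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Inspect a saved copy of the fetched HTML for the traits described above: the
# ms-msdt: scheme, a PowerShell invocation, and 'A' filler pushing it past 4096 bytes.
function Test-FollinaHtml {
    param([Parameter(Mandatory)][string]$Path)
    $html = Get-Content -Path $Path -Raw
    [pscustomobject]@{
        File              = $Path
        UsesMsdtScheme    = [bool]($html -match 'ms-msdt:')
        InvokesPowerShell = [bool]($html -match 'powershell')
        PaddedOver4096    = ($html.Length -gt 4096) -and [bool]($html -match 'A{100,}')
    }
}

# Usage (paths are placeholders for files pulled into a quarantine folder):
# Test-DocxExternalOle -Path 'C:\quarantine\suspect.docx' | Format-Table
# Test-FollinaHtml     -Path 'C:\quarantine\fetched.html'
```

An external oleObject relationship on its own is not proof of Follina, since legitimate documents can link OLE content, so treat a hit as a reason to pull the target page and run the second check on it.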
What are some defensive measures against Follina?
There are some notable measures being circulated in the infosec community. The most promising of them are:
Disable msdt entirely
Yes, you heard that right. By disabling msdt entirely, the basis of Follina is itself foiled, in turn protecting you against this dangerous exploit.
But this isn't the most recommended remedy, as msdt plays a vital role in a lot of Windows processes. Getting rid of it completely might safeguard you against Follina, but there may be consequences in other areas.
Enabling Attack Surface Reduction Rules
Rules like "BlockOfficeCreateProcessRule" block Office apps from creating child processes. Why is this useful to us? Since msdt starts running after we open the .docx file, it is basically a child process of Word.
Normally msdt does not run when we use Microsoft Word, but in the case of Follina it happens every time. So by enabling these rules you prevent msdt from running as a child process: we don't have to disable msdt entirely and are still safe.
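Both measures above can be applied from an elevated PowerShell prompt. The first uses Microsoft's published workaround of unregistering the ms-msdt: protocol handler (the registry key and the reg.exe commands are Microsoft's, not from this post); the second enables the Defender ASR rule "Block all Office applications from creating child processes" via the Add-MpPreference cmdlet. This is an added example, not the author's own script, and the backup path is a placeholder.

```powershell
# 1. Microsoft's documented workaround: remove the ms-msdt: protocol handler so
#    Word can no longer hand the crafted URL to msdt.exe. Export the key first so
#    it can be restored with "reg import" once the patch is installed.
$backup = Join-Path $env:TEMP 'ms-msdt-backup.reg'   # placeholder location
reg export HKEY_CLASSES_ROOT\ms-msdt $backup /y
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

# 2. The less drastic option: the Attack Surface Reduction rule
#    "Block all Office applications from creating child processes"
#    (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A). Use AuditMode instead of
#    Enabled on a pilot group first, so legitimate Office child processes show up
#    in the Defender event log before they start being blocked.
$officeChildProc = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProc `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Confirm what is now configured (Actions: 0 = disabled, 1 = block, 2 = audit)
Get-MpPreference |
    Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Step 1 is the heavy-handed "disable msdt entirely" route and should be reverted once the patch is applied; step 2 is the one that stays useful after Follina, since it breaks the Word-spawns-msdt chain without touching msdt itself.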
Additional Resources
While Follina has thrown the entire cyber security world into a frenzy, security analysts have been working day and night to figure out its exact workings and recreate it. A lot of researchers were able to reproduce the vulnerability, and I'll be sharing the links below.
P.S. A note of caution. DO NOT go running these exploits against anyone's machine without consent. The best way to try this out is to run a Windows VM with real time protection turned off.
Github Repo: https://github.com/JohnHammond/msdt-follina
Conclusion
As we now know, Follina, CVE-2022-30190, is one of the most threatening vulnerabilities in the world right now. A patch will certainly come in the near future, but until then all users should practice caution and NOT download any suspicious Word files. Even if a file comes from someone you know, check every small detail, as in today's world social engineering is devastating.
But for the red team of the cyber sec world, Follina is exciting on a whole new level. The amount of things one can do with Follina is scary, and it'll certainly lead to unique attack vectors from hackers all around the world!