Follina — Microsoft MSDT Vulnerability

June 15, 2022

On Windows computers we use various products of Microsoft. For that reason there has a tool called MSDT (Microsoft Support Diagnostic Tool). A cybersecurity researcher “Kevin Beaumont” found it on MSDT (it was already being using) and report about it. He named it “Follina“. Let’s learn about it.

What is MSDT ?

The Microsoft Support Diagnostic Tool (MSDT) collects information to send to Microsoft support. Then Microsoft support analyze the collected information and use it to solve any problems that we may be getting on our computer. It basically collects data from our system and send to Microsoft support. It is Microsoft’s Diagnostic Troubleshooting Wizard. It has existed as an installed tool in “C:WindowsSystem32” since Windows 7.

follina msdt zero day vulnerability

What is Follina?

Microsoft accepts that a new zero-day RCE (Remote Code Execution) flaw in it’s MSDT application. Which named Follina.

Follina is a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

The attacker can access user privileges with any application or even shell. Attacker can install programs, view, change, delete data or create new accounts with the user privilege. Follina’s CVE number is CVE-2022-30190.

Let’s stop the discussion here, now jump on the practical use of this exploit.

Exploring Follina

As we learnt this is a MSDT (Microsoft Support Diagnostic Tool) vulnerability. That means Microsoft Windows system will be affected, so we need Windows system on our VirtualBox and we are going to use our Kali Linux as attacking machine.

Now on our attacker box (Kali Linux) we need to clone John Hammond’s Follina repository from GitHub by applying following command:

git clone https://github.com/JohnHammond/msdt-follina

In the following screenshot we can see the output of the following command.

msdt-follina github repo clonning

Now we need to move to our just cloned directory by using following command:

cd msdt-follina

Now here we just need to apply following command:

python3 follina.py -i X.X.X.X

In the above command X.X.X.X is our IP address. Now in the following screenshot we can see that our malicious doc file is created and it starts listener for it’s HTML payload on 8000 port.

Follina starts listning

Now we can see the malicious file on our Files (inside msdt-follina directory), as we can see in the following screenshot:

We need to send it to our target’s Windows system. Here we can apply our social engineering techniques to hook our target. We can mail it or sent juicy SMS with download link of malicious DOC file. We hosted it on our decentralized cloud storage. (To use it externally we need to use our external IP and forward required port).

Whenever our target Windows system open it, and click on “Enable Editing” on MS Word (Older Version of MS Office don’t require this, we can get them directly), we get reverse connection back on our Kali Linux, as we can see in the following screenshot:

got reverse connection

By default John’s script just opens Calculator application on Windows

opeing windows calculator app using follina

But it can do much more it we create the payload by using following command then we can even get shell:

python3 follina.py -r 7777

In the above command we use 7777 port to make the connection with payload, we can use any not using port here.

The above command will create a payload of Netcat and start the listener, and create a DOC file on the msdt-follina directory. After our target clicks on “Enable Editing”, we got shell on reverse connection as we can see in the following screenshot:

got shell on Windows system

Now we can do anything the user of victim computer can do. This vulnerability is not likely to be patched for at least last week. Our article is inspired from our friend NetworkChuk’s YouTube video we can see his following video (we did a little bit changes to avoid errors):

Warning:- This article is just for educational purpose only. We did it on our own system and we don’t harm anyone. Do things on your own system and never ever compromise other’s system without proper written premonitions. We don’t support any illegal activity.

How to be safe form Follina?

Microsoft published a proper article that shows how we can be safe from Follina exploit. But as we know first of all we don’t need to open suspicious links or files from the internet. Things could be worse then we think because there may be lot’s of zero-day exploits we don’t know about. Be careful, Be safe.

Love our articles? Make sure to follow us on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.

Article posted by: https://www.kalilinux.in/2022/06/follina-microsoft-msdt-vulnerability.html
——————————————————————————————————————–
Infocerts, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
Contact us – https://www.infocerts.com

This is the article generated by feed coming from KaliLinux.in and Infocerts is only displaying the content.

Open Whatsapp chat
Whatsapp Us
Chat with us for faster replies.