On Windows computers we use various Microsoft products, and Windows ships a support tool for them called MSDT (Microsoft Support Diagnostic Tool). Cybersecurity researcher Kevin Beaumont found a vulnerability in MSDT (it was already being used in the wild) and reported it. He named it "Follina". Let's learn about it.
What is MSDT?
The Microsoft Support Diagnostic Tool (MSDT) collects information to send to Microsoft support. Microsoft support then analyzes the collected information and uses it to solve problems we may be having on our computer. In short, it collects data from our system and sends it to Microsoft support; it is Microsoft's Diagnostic Troubleshooting Wizard. It has shipped as an installed tool in "C:\Windows\System32" since Windows 7.
What is Follina?
Microsoft has acknowledged a new zero-day RCE (Remote Code Execution) flaw in its MSDT application, which has been named Follina.
Follina is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user's rights.
In other words, the attacker gets the user's privileges and can run any application, or even a shell, as that user: install programs, view, change or delete data, or create new accounts. Follina's CVE number is CVE-2022-30190.
Let's stop the discussion here and move on to the practical use of this exploit.
Exploring Follina
As we learnt, this is an MSDT (Microsoft Support Diagnostic Tool) vulnerability. That means Microsoft Windows systems are affected, so we need a Windows system in our VirtualBox, and we are going to use our Kali Linux as the attacking machine.
Now on our attacker box (Kali Linux) we need to clone John Hammond's Follina repository from GitHub by running the following command:
In the following screenshot we can see the output of that command.
Now we need to move into the directory we just cloned by using the following command:
Now here we just need to run the following command:
In the above command X.X.X.X is our IP address. In the following screenshot we can see that our malicious DOC file is created and that a listener for its HTML payload starts on port 8000.
Now we can see the malicious file in our Files (inside the msdt-follina directory), as we can see in the following screenshot:
We need to send it to our target's Windows system. Here we can apply our social engineering techniques to hook our target. We can mail it or send a tempting SMS with a download link to the malicious DOC file. We hosted it on our decentralized cloud storage. (To use it externally we need to use our external IP and forward the required port.)
Whenever our target opens it on the Windows system and clicks "Enable Editing" in MS Word (older versions of MS Office don't require this; they open it directly), we get a reverse connection back on our Kali Linux, as we can see in the following screenshot:
By default John's script just opens the Calculator application on Windows.
But it can do much more: if we create the payload using the following command, we can even get a shell:
In the above command we use port 7777 for the payload's connection; any port that is not already in use works here.
The above command creates a Netcat payload, starts the listener, and creates a DOC file in the msdt-follina directory. After our target clicks "Enable Editing", we get a shell over the reverse connection, as we can see in the following screenshot:
Now we can do anything the user of the victim computer can do. This vulnerability is not likely to be patched for at least a week. Our article is inspired by our friend NetworkChuck's YouTube video; we can watch it below (we made a few changes to avoid errors):
Warning:- This article is for educational purposes only. We did it on our own system and we don't harm anyone. Do things on your own system and never compromise others' systems without proper written permission. We don't support any illegal activity.
How to be safe from Follina?
Microsoft published an article that shows how we can stay safe from the Follina exploit. But as we know, first of all we should not open suspicious links or files from the internet. Things could be worse than we think, because there may be lots of zero-day exploits we don't know about. Be careful, be safe.
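The workaround Microsoft published for CVE-2022-30190 was to disable the ms-msdt: URL protocol handler, which is the path Word uses to hand a crafted link to MSDT, after backing the registry key up so it can be restored once the fixing Windows update is installed. The script below is an added example written for this article, not Microsoft's or John Hammond's code; it checks whether the handler is registered, exports it, removes it, and verifies the result. The backup file location under $env:TEMP is an assumption, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): apply and verify the
# Microsoft-documented workaround for CVE-2022-30190 (Follina) by disabling
# the ms-msdt: URL protocol handler. Run from an elevated PowerShell prompt.

$Key        = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:TEMP 'ms-msdt-handler-backup.reg'   # assumed backup location

function Test-MsdtHandlerPresent {
    # Returns $true when the ms-msdt: protocol handler is still registered,
    # i.e. Office can still launch MSDT through a crafted link.
    return Test-Path -LiteralPath $Key
}

function Backup-MsdtHandler {
    # Export the key before removal so the handler can be restored later.
    if (Test-MsdtHandlerPresent) {
        reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
        Write-Host "Handler exported to $BackupFile"
    }
}

function Disable-MsdtHandler {
    # Remove the handler; ms-msdt: links no longer resolve to MSDT afterwards.
    if (Test-MsdtHandlerPresent) {
        Remove-Item -LiteralPath $Key -Recurse -Force
    }
}

function Restore-MsdtHandler {
    # Re-import the backup after the Windows update that fixes the flaw is installed.
    if (Test-Path -LiteralPath $BackupFile) {
        reg.exe import $BackupFile | Out-Null
    }
}

Backup-MsdtHandler
Disable-MsdtHandler
if (Test-MsdtHandlerPresent) {
    Write-Warning 'ms-msdt handler is still present; confirm the shell is elevated and retry.'
} else {
    Write-Host 'ms-msdt handler removed. Keep treating unexpected Office documents with external links as suspicious.'
}
```

Test-MsdtHandlerPresent is also useful on its own as a quick audit check across a fleet: a machine that still returns $true has neither the workaround nor the later patch that removes the exposure, and should be prioritised for updates.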