Depending on who you ask, there’s either 2 vulnerabilities at play in Follina, only one, or according to Microsoft a week ago, no security problem whatsoever. On the 27th of last month, a
.docx file was uploaded to VirusTotal, and most of the tools there thought it was perfectly normal. That didn’t seem right to [@nao_sec], who raised the alarm on Twitter. It seems this suspicious file originated somewhere in Belarus, and it uses a series of tricks to run a malicious PowerShell script.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
The odd document was next noticed by [Kevin Beaumont], who picked the name Follina for the vulnerability, and gives some additional analysis. A Word document can link to a remote template file, and that template file can use the
ms-msdt: URI to launch
msdt.exe, a diagnostic tool. An argument flag sent to that tool can include arbitrary commands. Put together, it means that viewing an office file runs arbitrary code. It’s worse, because the vulnerability chain can trigger from an Explorer preview. Protected mode won’t help you here.
Once researchers knew what to look for, it turns out that this has been floating around as a 0-day for over a month. It was reported to Microsoft and closed as not a security issue. Thankfully Microsoft has gotten the memo, issued CVE-2022-30190, and recommended a mitigation:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f And if 0patch is your thing, there’s a free patch available, as well as a deeper look at why the injected command gets executed at their blog post.
Accidentally Fixing Bugs
Your code review tooling sometimes gives false positives. The standard response is to ignore that false positive for a while, and then finally give in and make the change so the code is obviously and explicitly safe. But it was certainly a false positive, right? [Paulino Calderon] has a story about this. Spoiler: It wasn’t a false positive. CVE-2022-21404 was a deserialization bug in Oracle’s Helidon, fixed accidentally, by an engineer that just wanted his analysis tooling to shut up.
A Controlled Request and an Open Redirect
[Anton] brings us the tale of discovering a flaw in Seedr, which was a video advertising service purchased by Mail.Ru. There’s a useful tip there, to watch for companies with good bug bounties to make acquisitions. Suddenly a code-base that hasn’t been hacked on by other researchers just became in-scope for bounties. Seedr was just such a situation, and he quickly found an API endpoint that took a video string as an argument. The site would then load the video url and parse its metadata. This wasn’t wide open, there were just a handful of video sites supported, like Youtube, Coub, or Vimeo. The video string could be manipulated with path traversal and the like. It seemed to be doing deserialization of the results, so if you could get one of those sites to return arbitrary results, you might be able to trigger a deserialization bug.
That idea tickled [Anton]’s memory, as there was an open redirect found in Vimeo a few years ago. That got him control over the deserialization routine, and the ability to read out a non-public file from the server. This was progress. The final key was a clever trick, writing some PHP code to the day’s logfile, then using the deserialization bug to trigger the execution of that code. It was quite the journey, but quite the impressive chain.
GitHub Breach Update
You may remember earlier this year, that OAuth tokens were nabbed from Heroku and Travis CI. The Github security team have kept investigating, and have announced that those tokens were used to grab some data from NPM, including a user database backup from 2015. That included usernames, hashed passwords, and email address for about a 100,000 users. There was also some data regarding private packages, including what looks like a targeted grabbing of those private packages from a couple organizations. The attack chain was to use the OAuth token to access a private GitHub repo, which contained an AWS key. The AWS buckets were the source of the leaked data. Notifications have been sent, and affected passwords reset.
Don’t Use Tails (Right Now)!
Since Tails doesn’t save anything to the drive, a reboot should clear anything malicious. Though a sufficiently capable attacker could likely chain multiple vulnerabilities together, and achieve root access to the Tails OS. Mounting a physical disk and making malicious modifications is quite plausible. The update to Tails 5.1 is expected any day now, and will fix the flaw.
It isn’t the most polished or technical, but as far as Escalation of Privilege attacks go, annoy-the-user-endlessly-til-he-gives-in is probably fairly effective. That’s the idea behind ForceAdmin. It’s a bit worse than that, as it’s a truly endless stream of UAC pop-ups, which prevents killing the process causing the pop-ups. This is truly evil, and it’s also sort of beautiful in its own way. Enjoy!
One thought on “This Week In Security: Follina, Open Redirect RCE, And Annoyware”
Why after more than 20 years of such bugs MS Office by default allows running arbitrary commands on users machine without asking?
Please be kind and respectful to help make the comments section excellent. (Comment Policy)