Follina MS Office Code Execution
This is just a collection of my thoughts and PoCs that I've tried. I'll update this as I learn more.
Thoughts
There is some speculation that it could work on a Mac, however I don't believe that to be the case. All the PoCs I've seen so far leverage msdt to get code execution, which doesn't exist on a Mac. That being said, in theory, you could call on a Mac-based LoLBin. This is yet to be seen (also, targeting Windows would have a much better rate-of-return).
Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled.
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
PoCs

I tried this PoC, but Word threw an error: "Word found unreadable content."
Word version 2205, build 15225.20204. It is definitely possible that I screwed it up.
I did not try the .rtf PoC because I believe it relies on the Preview Pane, and you should have the Preview Pane disabled anyway (I do in my environment).
Correction:
No, mate. It also works double-clicking as always. That github just alerts you on this: "With RTF, there is no need to open the file in Word". But you don't need to enable Preview panel if you don't want. Just double-click the file and it should work. PP+RTF is 0-click instead of 1c
— j00sean (@j00sean) May 30, 2022
Tried this PoC, but Defender caught it as TrojanDownloader:O97M/Donoff.SA!Gen on the word\_rels\document.xml.rels file.
It looks like this detection was updated the morning of May 30th: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.367.703.0
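Since the Defender signature above triggers on the relationships part of the package, a simple static check on that same part is a cheap first-pass triage for incoming .docx files. The script below is an added example written for these notes, not code from any of the linked PoCs: it unzips the document in memory and flags any OLE object relationship that points at an external target, or any target using the ms-msdt: scheme. The two sample packages and the example.invalid host are constructed for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_PART = "word/_rels/document.xml.rels"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def scan_docx(data: bytes) -> list:
    """Flag relationships in document.xml.rels that load an OLE object from an external
    target, or whose target uses the ms-msdt: scheme. Returns a list of dicts (empty = clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if RELS_PART not in zf.namelist():
            return findings  # not a Word package, or it has no relationships part
        root = ET.fromstring(zf.read(RELS_PART))
    for rel in root.iter(REL_NS + "Relationship"):
        target = rel.get("Target", "")
        scheme = urlsplit(target).scheme.lower()
        external_ole = rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External"
        if external_ole or scheme == "ms-msdt":
            findings.append({"id": rel.get("Id"), "target": target, "scheme": scheme})
    return findings

def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner reads (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()

REL_OPEN = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
# Constructed sample: an ordinary document with a stylesheet and a normal external hyperlink.
BENIGN_RELS = REL_OPEN + (
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
    "</Relationships>")
# Constructed sample of the Follina shape: an OLE object fetched from an external URL (placeholder host).
SUSPECT_RELS = REL_OPEN + (
    '<Relationship Id="rId99" Type="' + OLE_REL_TYPE + '" Target="http://example.invalid/loader.html" TargetMode="External"/>'
    "</Relationships>")

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspect", SUSPECT_RELS)):
        print(label, scan_docx(build_sample_docx(rels)))
```

Point scan_docx at the bytes of a real file to triage it; a hit on an external OLE object is worth a closer look even when AV is silent, since signatures were still being updated while these notes were written.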
Apparently, the .rtf method described in the 1st PoC I linked still works:
❗️❗️Quick update: the "ms-msdt" exploit is still a #0DAY! #0dayitw
— Haifei Li (@HaifeiLi) May 30, 2022
Thanks for all the feedback, it seems that Microsoft patched or blocked something for the .docx format, but the .rtf format exploit still works great on the latest Windows + Office platform! @msftsecresponse