Follina MS Office Code Execution


This is just a collection of my thoughts and PoCs that I've tried. I'll update this as I learn more.

Thoughts

There is some speculation that it could work on a Mac, however I don't believe that to be the case. All the PoCs I've seen so far leverage msdt to get code execution, which doesn't exist on a Mac. That being said, in theory, you could call on a Mac-based LoLBin. This is yet to be seen (also, targeting Windows would have a much better rate-of-return.)

Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled.
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

PoCs

The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

I tried this PoC, but Word threw an error: "Word found unreadable content."
Word version 2205, build 15225.20204. It is definitely possible that I screwed it up.

I did not try the .rtf PoC because I believe it relies on the Preview Pane, and you should have the Preview Pane disabled anyway (I do in my environment.)
Correction:


GitHub - chvancooten/follina.py: Quick POC to replicate the ‘Follina’ Office RCE vulnerability for local testing purposes

Tried this PoC, but Defender caught it as TrojanDownloader:O97M/Donoff.SA!Gen on the word\_rels\document.xml.rels file.

It looks like this detection was updated the morning of May 30th: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.367.703.0
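A defender-side check for the pattern discussed above (a Word relationship that pulls remote content and hands off to msdt), as an added example rather than code from this post or the linked PoCs; the package layout, the relationship types and the placeholder hosts are constructed, and the sample document is not a working exploit:

```python
# Scan a .docx for relationship entries matching the Follina pattern:
# an external oleObject relationship (Word fetching remote content) or any
# target using the ms-msdt: URI scheme. Package structure is assumed.
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
SUSPICIOUS_SCHEMES = ("ms-msdt:",)

def scan_docx(data: bytes) -> list[str]:
    """Return human-readable findings for a .docx supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts are inspected here
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if target.lower().startswith(SUSPICIOUS_SCHEMES):
                    findings.append(f"{name}: ms-msdt target {target}")
                elif external and rtype.endswith("/oleObject"):
                    findings.append(f"{name}: external oleObject target {target}")
    return findings

def build_sample(ole_target: str = "http://placeholder.invalid/x.html") -> bytes:
    """Constructed minimal package: one benign hyperlink plus one external
    oleObject relationship pointing at a placeholder host (no payload)."""
    rels = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
 <Relationship Id="rId1" Type="{OFFICE_REL}/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
 <Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" Target="{ole_target}" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_docx(build_sample()):
        print(finding)
```

The benign hyperlink relationship is deliberately not flagged, so the check keys on the relationship type and scheme rather than on "external" alone.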


Apparently, the .rtf method described in the 1st PoC I linked still works: