chvancooten / follina.py

POC to replicate the full 'Follina' Office RCE vulnerability for testing purposes

Template doesn't work with M365 #2

Closed piedacoulisse2 closed 2 years ago

piedacoulisse2 commented 2 years ago

Hello,

Related to your post on Twitter (https://twitter.com/chvancooten/status/1531269822444601349), I tested the template with M365. It doesn't work with Microsoft 365 desktop Version 2205 (build 15225.20204 Office).

However, the PowerShell script works properly.

Piedacoulisse

chvancooten commented 2 years ago

Which Office 365 channel are you on? Judging by the build number it looks too new. I was only able to confirm that it works on the Semi-Annual channel (build 14931.20392 in my case); I don't think the vuln works at all with newer versions.

piedacoulisse2 commented 2 years ago

I have the latest version: Current Channel

chvancooten commented 2 years ago

Right yeah, in that case (un)fortunately the vulnerability won't work at all

piedacoulisse2 commented 2 years ago

I have some clues in the terminal image

Scaum commented 2 years ago

Sorry to hijack this issue, but I'm running into the same problem as Piedacoulisse2.

In the initial post you said "However the powershell script works properly." Does that mean you managed to get the "command" mode working on the latest M365 version? Could you explain how?

Thanks

piedacoulisse2 commented 2 years ago

Hello @Scaum

Microsoft said: A: If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

https://www.cert.ssi.gouv.fr/alerte/CERTFR-2022-ALE-005/

piedacoulisse