What is CVE-2022-30190 (Follina) and why is it significant?
CVE-2022-30190, also known as Follina, is a Microsoft Support Diagnostic Tool (MSDT) vulnerability that allows attackers to execute arbitrary code via maliciously crafted files, such as RTF or DOCX. Its significance lies in its ability to trigger code execution simply by previewing a file in Windows Explorer, making it highly exploitable and dangerous for organizations using Microsoft Office products.
How does the Compound File Binary Format (CBF) relate to OLE objects in Microsoft Office files?
The Compound File Binary Format (CBF) is a Microsoft-developed container format used to store multiple files and streams within a single file. OLE objects, which enable embedding and linking of documents and data, are stored within CBF files in Office formats like DOC, XLS, and PPT. This structure allows complex objects, such as embedded Excel sheets in Word documents, to function seamlessly across applications using the Component Object Model (COM).
What role do OLE objects play in exploiting CVE-2022-30190?
OLE objects are used to embed or link external content within Office documents. In the context of CVE-2022-30190, attackers craft OLE objects within RTF files to include malicious hyperlinks or payloads. When the file is previewed or opened, the OLE object triggers the exploit, leading to code execution via the MSDT vulnerability.
Why is automating the creation of weaponized RTF files challenging?
Automating weaponized RTF file creation is challenging because OLE objects within RTF files require precise binary formatting, including correct stream sizes, sector alignment, and proper handling of embedded hyperlinks. Manual generation often leads to errors unless all CBF and OLE specifications are followed, making automation non-trivial without deep technical understanding.
What are monikers in the context of OLE and CBF files?
Monikers are objects in Microsoft's Component Object Model (COM) that refer to specific instances of other objects. In OLE and CBF files, moniker streams contain information about hyperlinks or embedded objects, instructing the COM interface on how to load or execute the referenced content. They are critical for linking and embedding functionalities in Office documents.
How does understanding OLE and CBF structures help in security research?
Understanding OLE and CBF structures enables security researchers to analyze, craft, and detect malicious payloads embedded in Office documents. This knowledge is essential for automating exploit generation, developing detection tools, and creating effective mitigations against document-based attacks like CVE-2022-30190.
What tools are useful for analyzing OLE objects in RTF files?
Tools such as oletools and hex editors like HxD are valuable for analyzing OLE objects in RTF files. These tools allow researchers to inspect the binary structure, extract embedded objects, and verify stream sizes and alignments as specified in Microsoft documentation.
How can modifying stream sizes in CBF files affect exploit delivery?
Modifying stream sizes in CBF files is crucial for successful exploit delivery because incorrect sizes can prevent the Office application from reading the entire OLE object, causing the exploit to fail. Properly adjusting these values ensures the payload is processed as intended, enabling reliable exploitation or testing scenarios.
What is the significance of the MiniFAT chain in CBF files?
The MiniFAT chain in CBF files manages the allocation of small streams within the compound file. It links sectors together, allowing the storage of OLE objects and other embedded data. Understanding and correctly configuring the MiniFAT chain is essential for ensuring the integrity and functionality of embedded objects in Office documents.
Where can I find the proof-of-concept code for automating RTF exploit generation?
The proof-of-concept code for automating RTF exploit generation related to CVE-2022-30190 can be found on GitHub. This code demonstrates how to generate DOCX and RTF files weaponized with the Follina exploit.
How does Cymulate Exposure Validation help with advanced security testing?
Cymulate Exposure Validation makes advanced security testing fast and easy by providing a unified platform for building custom attack chains and simulating real-world threats. It enables organizations to assess their defenses against vulnerabilities like CVE-2022-30190 and validate their security posture with actionable insights. Learn more.
What is the practical impact of understanding OLE and CBF for defenders?
For defenders, understanding OLE and CBF structures allows for better detection of malicious documents, development of custom detection rules, and more effective incident response. It also aids in validating security controls against sophisticated document-based attacks, improving overall organizational resilience.
How does Cymulate empower organizations to stay ahead of threats like Follina?
Cymulate empowers organizations by continuously assessing and validating their security posture against the latest threats, including vulnerabilities like Follina. The platform provides actionable insights, automated attack simulations, and comprehensive reporting to help teams proactively address exposures before they are exploited.
What are the main features of Cymulate's Exposure Management Platform?
Cymulate's Exposure Management Platform offers continuous threat validation, unified Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), exposure analytics, attack path discovery, automated mitigation, AI-powered optimization, and an extensive threat library with over 100,000 attack actions updated daily. Learn more.
How does Cymulate integrate with other security tools?
Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, and SentinelOne. These integrations enhance network, cloud, endpoint, and vulnerability management capabilities. See the full list.
What security and compliance certifications does Cymulate hold?
Cymulate holds several industry-leading certifications, including SOC2 Type II (covering security, availability, confidentiality, and privacy), ISO 27001:2013 (Information Security Management), ISO 27701 (Privacy Information Management), ISO 27017 (Cloud Services Security Controls), and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to robust security and compliance. Learn more.
How easy is it to implement Cymulate in my organization?
Cymulate is designed for rapid, agentless deployment with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, and the platform offers comprehensive support, including email, chat, and a knowledge base. Schedule a demo to learn more.
What is Cymulate's pricing model?
Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and selected scenarios. For a personalized quote, schedule a demo with the Cymulate team.
Who can benefit from using Cymulate?
Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. The platform addresses the unique needs of each role with tailored solutions. Learn more.
What business impact can customers expect from Cymulate?
Customers using Cymulate report up to a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. The platform also enables faster threat validation (up to 40x faster than manual methods) and cost savings by consolidating tools. See case studies.
How does Cymulate compare to other security validation platforms?
Cymulate stands out by offering a unified platform that combines Breach and Attack Simulation, Continuous Automated Red Teaming, and Exposure Analytics. It provides continuous, automated testing, AI-powered optimization, and the most advanced attack simulation library, with proven results in reducing risk and improving efficiency. See comparisons.
What pain points does Cymulate address for security teams?
Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges. The platform automates validation, prioritizes exposures, and provides actionable insights. Read customer stories.
How does Cymulate support different security personas?
Cymulate tailors its solutions for CISOs (providing metrics and insights), SecOps teams (automating processes and improving efficiency), red teams (offensive testing with a large attack library), and vulnerability management teams (automated validation and prioritization). Learn more by role.
What feedback have customers given about Cymulate's ease of use?
Customers consistently praise Cymulate for its intuitive, user-friendly interface and ease of implementation. Testimonials highlight the platform's accessibility for users of all skill levels and the effectiveness of its support team. Read testimonials.
Where can I find Cymulate's blog, newsroom, and resource hub?
You can stay updated on the latest threats, research, and company news through Cymulate's blog, newsroom, and Resource Hub.
What is Cymulate's mission and vision?
Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies. Learn more.
How does Cymulate ensure data security and privacy?
Cymulate ensures data security through encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and compliance with GDPR. The platform also features mandatory 2FA, RBAC, IP restrictions, and continuous vulnerability scanning. Read more.
Where can I find Cymulate's webinars, events, and glossary?
How does Cymulate help with lateral movement attack prevention?
Cymulate provides attack path discovery and automated testing for lateral movement, helping organizations identify and mitigate risks of attackers moving within their network. For more details, see the blog post Stopping Attackers in Their Tracks.
Cymulate named a Customers' Choice in 2025 Gartner® Peer Insights™
Initially, I began this research to generate weaponized RTF files delivering the CVE-2022-30190(Follina) exploit. Why RTF files? Because the payload with RTF files will deliver on (probably) all Windows versions (to the date of writing this report) and can execute by just enabling the preview pane and viewing the RTF document from File Explorer. In contrast, the payload does not execute on all Windows versions when loaded from DOCX files.To generate RTF files containing the exploit, I have used Cas Van Cootens POC code to generate a DOCX file and then create a new copy of the same document just in RTF format. This would create a valid RTF file weaponized with the exploit. What's the problem then? The problem was that every time I wanted to generate a valid RTF file, I had to first generate a DOCX file and then regenerate an RTF file from within Microsoft Word. What if I don't have MS Word? What if I'm lazy? Well, I thought to myself – "How hard could it be automating this?" I opened the RTF file, saw where my payload was saved in plain text, replaced it, and there we go. It should work, right? Well, it doesn't!If we take a simple look at how an RTF file can be loaded with a malicious hyperlink, we can apply the method specified in this article regarding CVE-2017-0199. We can see thatThis was right, as long as the last field – objdata – was loaded with a proper OLE object. Honestly, the assumption I initially had about this implementation was due to my laziness and wishful thinking that implementing this within Windows would be THAT easy. This error, which I totally missed as I did not test the POC properly, prompted a person with very creative user handles to raise an issue on GitHub for Cas's POC. This issue was raised regarding the RTF generation feature I contributed.MSisfuckedupmanimaginepayingtogetRCEdwrote:And indeed, after further inspection, Cas confirmed that:Apparently, (which honestly makes a lot of sense now), when regenerating an RTF file containing a hyperlink to a remote template, an OLE object is generated by Office -Actually, 2 objects are generated, but only one of those two is needed. When we confirm this by viewing the OLE object within HxD, we find the Compound File Signature, as can be seen in this hex blob taken from the beginning of the OLE object stored within the RTF file dumped using oletools.This prompted me to learn how OLE Objects are stored and understand how they work, so I could automate their creation. One might ask, why am I doing this? As generating an RTF loaded with Follina is easy to do, why not just regenerate it with Word? Well… I am annoyed by the Github issue and simply curious. Anyway, put on your seatbelts and take your sanity pills because we are about to deep dive into some DEEP Microsoft RFCs and Specifications!
OLE, Compound Binary File Format, COM, and Windows theory
First, let's examine the RTF file specifications to understand how RTF stores embedded objects such as files, hyperlinks, and other data streams.
Microsoft OLE links, Microsoft OLE embedded objects, and Macintosh Edition Manager subscriber objects are represented in RTF as objects. Objects are destinations that contain a data part and a result part. The data part is generally hidden from the application that produced the document. A separate application uses the data and supplies the appearance of the data. This appearance is the result part of the object.
We can see how this is implemented with an RTF file that I generated using Word and which should contain the Follina Payload:The fields of interest are \objautlink which specifies an auto-link object, essentially a link within the word document that auto executes. According to the RTF specifications, the \objupdate should execute it by force, but my own testing shows that this works arbitrarily. Finally, the most interesting field is \objdata.This sub-destination contains the data for the object in the appropriate format; OLE objects are in OLESaveToStream format. This is a destination control word.This is where things start to get a bit convoluted. The payload generated is stored within an OLE object within the RTF file. It is a hex-encoded object that looks like this:To understand what these hex numerals mean, we must first understand what OLE objects are and in which format they are stored. According to Wikipedia:“OLE allows an editing application to export part of a document to another editing application and then import it with additional content. For example, a desktop publishing system might send some text to a word processor or a picture to a bitmap editor using OLE. The main benefit of OLE is to add different kinds of data to a document from different applications, like a text editor and an image editor. This creates a**Compound File Binary Format** document and a master file to which the document makes reference. Changes to data in the master file immediately affect the document that references it. This is called "linking" (instead of "embedding"). OLE objects essentially allow File Explorer Addins in your apps, Drag and Drop feature, Links to excel documents within a word document, or add GIFS into email messages. OLEs are stored using the Compound File Binary Format (CFBF also named CBF or CFB) which is based on the FAT File System specifications. Yes and if this sounds crazy, OLE Objects use the Component Object Model (COM).COM is a binary interface that is the basis for a lot of Microsoft Technology, it allows for inter-process communication which allows for Windows objects to be implemented in different environments in which they were created. For example, Word and Excel documents are unrelated but using COM I can either link or embed a useable Excel document file into a word document. The COM technology knows how to do this using its various interfaces”.If, for example, I wanted to embed an excel file in a Word document and display it to anyone, I would embed an OLE object within the Word document, which would include either a link or an embedded excel file. This OLE object would contain "instructions" written using the COM Interface for the Word process, which would explain how to load this excel file. Word would process the OLE Object and the COM "instructions", then call the COM Interface specified, and then load the excel document properly into Word. Though Word does not understand what Excel is, the COM interface handles all the heavy duties and allows Word to either link to the referenced Excel document or to literally embed an excel document within it.Just writing this hurts my brain, but, in summary, this picture should explain everything:
OLE and Compound File Binary Format in practice
Let's look at the OLE file within the generated RTF file mentioned previously. I took the raw object data stored within it and loaded it into my Hex Editor of choice HxD.To simplify reading, I created a nice-to-read diagram that explains what's going on (Important note: all structures are stored in little-endian format). The first 33 bytes specify the OLE Object header (the last 2 bytes are missing from the picture).Using the MS-OLEDSspecifications, we can infer that this is an OLE Embedded Object Container. As the FormatID field contains the value 0x2.The class name field contains the name " OLE2Link" which might hint at what this OLE Object is meant to do. Finally, after the ObjectHeader, we have the value contained in offset 0x1D, which is 0x0000A000 and represents the total stream size of this object. This value is quite crucial as modifying the OLE Object would require altering this value as well. Otherwise, the Word process would not read the OLE Object in its entirety.Following it is the NativeData. This data is actually aCompound Binary File Format that stores (or should store) OLE Objects, Embedded files or documents, links, and pictures. This can be confirmed by the first 8 bytes found in the NativeData stream.According to the MS-CFB, this value is the CFB file signature.What is a Compound Binary File ( CBF )?According to Wikipedia :“Compound File Binary Format (CFBF), also called Compound File, Compound Document format, or Composite Document File V2 (CDF), is a compounddocument file format for storing numerous files and streams within a single file on a disk. CFBF is developed by Microsoft and is an implementation of Microsoft COM Structured Storage. At its simplest, the Compound File Binary Format is a container, with little restriction on what can be stored within it. A CFBF file structure loosely resembles a FATfilesystem. The file is partitioned into Sectors which are chained together with a File Allocation Table (not to be mistaken with the file system of the same name) which contains chains of sectors related to each file, a Directory holds information for contained files with a Sector ID (SID) for the starting sector of a chain and so on.”Microsoft stores OLE objects within CBFs and COM Objects within those OLEs. (Why Microsoft chose CBFs as the main format to store these objects can be read here. ) This format is mainly replaced by Office Open XML, but it is still used within RTF objects and old office extensions such as:
DOC
XLS
PPT
POT
XLT
Anyhow, the RTF hyperlink should be stored somewhere within this CBF file, so let's check out how.
General Guidelines about CBFs
CBF files are divided into 512 byte-sized sectors. The two tables below should help understand what the first sector for the CBF file looks like(read about it here). For OLE objects, we're primarily interested in the Directory sector that contains information about OLE data object streams.At offset 0x30, you find the DWORD 0x1000000000 that indicates the location of the Directory sector. Since CBFs are stored in little-endian format, the starting location is one. To calculate the offset of the starting location we follow the formula of (1+DirectoryStartingSectorLocation)*512 , which drops us at offset 0x400.While the CLSID field indicates the type of the COM object associated with the activation of the document(in this case, it's the SAX XML Reader 6.0), the more exciting fields are located at offsets 0x74 and 0x78. The starting location of the OLE streams is calculated from the Mini stream sector, which starts at offset 0x600 in our case, using the formula (SSL*0x64) - which can be adequately viewed using the olebrowse tool from the oletools collection. The stream size field specifies the size of the stream. It will be modified to shrink/increase in accordance with the length of the remote template URI.The next sector specifies the MiniFAT chain, which gives information regarding the chained streams within the CFB. It's not a very important sector for the blog, but it's worthwhile to see how it looks. The chain shows how the streams are linked. Each cell in the chain represents 40 bytes of a stream. It continues until it reaches the value 0xFFFFFFFE, so the first stream goes for 5 blocks of 40 bytes (or 0x140 in hex).This can be confirmed by reading the first 320 bytes in the last sector.However, the directory entry specifies the stream size will only use 275 bytes out of the 320 bytes or ( 0x130 ).
The OLE Stream and Monikers
As usual, I created a diagram below of the OLE Stream structure. From offset 0x810 within the OLE stream, we reach the first moniker stream. A moniker is an object (or component) in Microsoft's Component Object Model ( COM ) that refers to a specific instance of another object. A moniker stream always starts with a CLSID, which describes what type of moniker it is, followed by a data stream. There are quite a few moniker specifications, read about them here.This OLE stream "instructs" the COM interface to load and launch the malicious hyperlink. Additionally to the OLE stream, the LinkInfo stream contains data regarding the hyperlink, which also needs to be modified.My hypothesis is that, if I can somehow control the size of the OLE stream, the LinkInfo stream, and their components, I can generate different hyperlinks.Luckily for the reader and me, this blog is the aftermath of my success in doing so, so first, let's name the important size fields:
NativeDataSize – This field specifies the size of the value of the entire OLE Data object, this value cannot be easily modified unless I modify and reconstruct the MiniFAT chain and the FAT chain.
Directory Stream Size – This field specifies the size of each stream (Important note: most streams don't use their entire size limits and are padded with null bytes.)
URLMoniker length – This field specifies the byte size of the URI string plus 24 (really, it's weird, I know - but it’s specified in the URLMoniker specification.
Crafting an OLE Stream
The first problem that needs addressing is the total size of the streams. While I can manually adjust the CFB file myself, a much easier solution would be to just generate a very large OLE stream. I just input a different sized port with the value of 65535 instead of the default 80 using the Cas Van Cootens POC code for Follina that was mentioned at the beginning of this blog post, and this, in turn, generates a very large stream. This time the NativeDataSize contains the value 0xC00, which is 512 bytes larger than previously (just one sector larger.)Additionally, the MiniFAT chain is much larger now.So, this marks the problem as solved.Next, I decided to look at the RootEntry stream size field. Currently, it’s set to 0x142 (322) bytes.But I know for a fact that it’s padded with null bytes to align with the MiniFat sector size specification of 64 bytes.So, essentially, this stream size can be increased to 0x180 (384) bytes. The same can be implemented for the LinkInfo object.The current LinkInfo stream size is 0xf0 (240) but can be increased to **0x240 (576) bytes! This is as simple as just changing the values within the blob.The final two problems are quite easy to solve. With some simple math to calculate the total size of the objects, subtract the modified URL fields from the original size and pad what's left with zeros in the appropriate locations.By doing this, I'm essentially just modifying the objects and not changing the stream alignment! This, in fact, works perfectly! Here is a demonstration of Follina where one VM in a VLAN serves the payload at a typically long URI, and another VM in the VLAN retrieves the payload using the RTF script.You can read the python code here!That's it! I hope you enjoyed reading this and learned something about OLE Objects and Microsoft Magic!
Now go and mess with CVE-2022-30190
See you next time!
To test the latest threats against your environment, start a free 14-day trial today.
Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
