In the wake of the recent Microsoft Support Diagnostic Tool vulnerability (CVE-2022-30190), an older MSDT-related vulnerability was brought back into the spotlight by security researcher j00sean via a Twitter post. Initially discovered in 2020 by security researcher Imre Rad, the vulnerability, now known as DogWalk, allows a threat actor to craft a malicious .diagcab file that, when executed by a user, can reach out to a WebDAV server and download a specially named file that bypasses the Mark-Of-The-Web NTFS flag, among other things. The purpose of the specially named file is to achieve directory traversal. The chain of events that allows this vulnerability is as follows:
- The .diagcab file contains an XML file pointing to a directory on a remote WebDAV server
- This directory hosts a file named “..\..\..\..\..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe”
- MSDT creates a local temporary folder such as “C:\Users\John\AppData\Local\Temp\SDIAG_0636db01-fabd-49ed-bd1d-b3fbbe5fd0ca”
- It then appends the remote file name to this folder name: “C:\Users\John\AppData\Local\Temp\SDIAG_0636db01-fabd-49ed-bd1d-b3fbbe5fd0ca\..\..\..\..\..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe”
- Which the file system resolves to “C:\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe”
- Finally, it copies the content of the remote specially crafted file to malicious.exe in the computer’s Startup folder, where it will be executed the next time anyone logs in.
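To make the path arithmetic in the chain above concrete, here is an added Python example (not code from the original article, Binary Defense, Imre Rad or Microsoft) that reproduces the naive "append the server-supplied name to the temp folder" step with Windows path semantics via `ntpath`, and contrasts it with the containment check a hardened implementation would perform. The SDIAG folder GUID is the article's own example; the ten `..\` segments match the file name in the chain above.

```python
import ntpath

# Temporary folder MSDT creates (taken from the article's example).
SDIAG_DIR = r"C:\Users\John\AppData\Local\Temp\SDIAG_0636db01-fabd-49ed-bd1d-b3fbbe5fd0ca"

# File name as served by the remote WebDAV directory in the article's chain:
# ten "..\" segments followed by the relative path to the Startup folder.
REMOTE_NAME = "..\\" * 10 + r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe"


def naive_destination(base_dir: str, remote_name: str) -> str:
    """Mimic the vulnerable behaviour: append the server-supplied name to the
    local folder and let path normalisation consume the '..' segments."""
    return ntpath.normpath(ntpath.join(base_dir, remote_name))


def escapes_base(base_dir: str, remote_name: str) -> bool:
    """True when the naive join resolves outside base_dir (the DogWalk condition)."""
    base = ntpath.normpath(base_dir)
    resolved = naive_destination(base_dir, remote_name)
    try:
        return ntpath.commonpath([base, resolved]) != base
    except ValueError:  # commonpath raises when the drive letters differ
        return True


def safe_destination(base_dir: str, remote_name: str) -> str:
    """Hardened variant: keep only the final path component, reject NTFS
    alternate-data-stream syntax, and verify the normalised result is still
    inside base_dir. Raises ValueError for anything that would escape."""
    leaf = ntpath.basename(remote_name.replace("/", "\\"))
    if leaf in ("", ".", "..") or ":" in leaf:
        raise ValueError(f"rejected file name: {remote_name!r}")
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, leaf))
    if ntpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {candidate}")
    return candidate


if __name__ == "__main__":
    print("naive  :", naive_destination(SDIAG_DIR, REMOTE_NAME))
    print("escapes:", escapes_base(SDIAG_DIR, REMOTE_NAME))
    print("safe   :", safe_destination(SDIAG_DIR, REMOTE_NAME))
```

Running it shows the naive join landing in C:\AppData\...\Startup exactly as the chain describes, while the hardened variant keeps the write inside the SDIAG folder.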
Microsoft acknowledged the report in 2020 but decided not to patch the software because an attacker still has to convince a user to open the malicious .diagcab file to start the chain of infection, it does not escalate privileges, and Outlook already blocks .diagcab files from being delivered via email by default.
Binary Defense researchers confirmed that this vulnerability still exists in the MSDT code. Until Microsoft decides that DogWalk is worth patching, there are a few recommendations that can help mitigate this type of attack:
- Instruct users to avoid opening .diagcab files
- Add .diagcab files to email attachment blocklists
- Monitor user startup folders
- Implement Endpoint Detection and Response (EDR) alerts that trigger upon execution of a .diagcab file
In addition, a company called 0patch releases micropatches that can be applied to Windows systems via its 0patch agent. 0patch currently has a micropatch available for this vulnerability.
This is for sure an underrated 0day on Microsoft Support Diagnostics Tool. To summarize:
1) Persistence by startup folder.
2) MOTW bypass.
3) Not flagged by chromium-based file downloaders (Chrome, Edge or Opera).
4) Defender bypass.
— j00sean (@j00sean) June 2, 2022