In the wake of the recent Microsoft Support Diagnostic Tool vulnerability (CVE-2022-30190), an older MSDT-related vulnerability was brought back into the spotlight by security researcher j00sean via a Twitter post. Initially discovered in 2020 by security researcher Imre Rad, the vulnerability, now known as DogWalk, allows a threat actor to craft a malicious .diagcab file that, when executed by a user, reaches out to a WebDAV server and downloads a specially named file that, among other things, bypasses the Mark-Of-The-Web NTFS flag. The purpose of the special file name is to achieve directory traversal. The chain of events that enables this vulnerability is as follows:
- The .diagcab file contains an XML file pointing to a directory on a remote WebDAV server
- This directory hosts a file named “\..\..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe”
- MSDT creates a local temporary folder such as “C:\Users\John\AppData\Local\Temp\SDIAG_0636db01-fabd-49ed-bd1d-b3fbbe5fd0ca”
- It then appends the remote file name to this folder name: “C:\Users\John\AppData\Local\Temp\SDIAG_0636db01-fabd-49ed-bd1d-b3fbbe5fd0ca\..\..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe”
- Which renders as “C:\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe”
- Finally, it copies the content of the specially crafted remote file to malicious.exe in the computer’s Startup folder, where it will be executed the next time anyone logs in.
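To make the path arithmetic in the steps above concrete, and to show the containment check that would have stopped it, here is an added Python example (not code from the write-up or from MSDT itself). It uses ntpath so Windows path semantics apply on any host; the SDIAG folder, the remote file names and the safe_destination helper are constructed for illustration.

```python
import ntpath

# Constructed sample values mirroring the write-up: the SDIAG temp folder MSDT
# creates and the traversal file name served from the WebDAV directory.
SDIAG_DIR = r"C:\Users\John\AppData\Local\Temp\SDIAG_0636db01-fabd-49ed-bd1d-b3fbbe5fd0ca"
TRAVERSAL_NAME = (r"\..\..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows"
                  r"\Start Menu\Programs\Startup\malicious.exe")
BENIGN_NAME = r"\results.xml"  # constructed benign remote file name


def naive_destination(temp_dir: str, remote_name: str) -> str:
    """The vulnerable behaviour: plain string concatenation, after which the
    filesystem collapses every '..' segment. ntpath.normpath reproduces that
    collapse (a leading '..' past the drive root is simply dropped)."""
    return ntpath.normpath(temp_dir + remote_name)


def is_contained(temp_dir: str, destination: str) -> bool:
    """Defensive check: the fully normalised destination must still sit under
    the temp folder. normcase makes the comparison case-insensitive like NTFS;
    commonpath avoids the startswith pitfall where 'C:\\T\\SDIAG_1' would
    wrongly accept 'C:\\T\\SDIAG_10\\x'."""
    base = ntpath.normcase(ntpath.normpath(temp_dir))
    dest = ntpath.normcase(destination)
    return ntpath.commonpath([base, dest]) == base


def safe_destination(temp_dir: str, remote_name: str) -> str:
    """Hardened variant (hypothetical helper): keep only the final component
    of the untrusted remote name, then verify containment before returning a
    path that may be written to."""
    leaf = ntpath.basename(remote_name.replace("/", "\\"))
    if not leaf or leaf in (".", ".."):
        raise ValueError("empty or dot-only file name rejected")
    dest = ntpath.normpath(ntpath.join(temp_dir, leaf))
    if not is_contained(temp_dir, dest):
        raise ValueError("file name escapes the SDIAG folder")
    return dest


if __name__ == "__main__":
    # Shows the path from the write-up landing in C:\AppData\... and the check
    # rejecting it, while the benign name stays inside the SDIAG folder.
    bad = naive_destination(SDIAG_DIR, TRAVERSAL_NAME)
    print(bad, "contained:", is_contained(SDIAG_DIR, bad))
    good = naive_destination(SDIAG_DIR, BENIGN_NAME)
    print(good, "contained:", is_contained(SDIAG_DIR, good))
    print("hardened:", safe_destination(SDIAG_DIR, TRAVERSAL_NAME))
```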
Microsoft acknowledged the report in 2020 but decided not to patch the software because an attacker still has to convince a user to open the malicious .diagcab file to start the chain of infection, it does not escalate privileges, and Outlook already blocks .diagcab files from being delivered via email by default.