0patch has released an unofficial security patch for an unpatched Windows vulnerability in the Microsoft Support Diagnostic Tool (MSDT) dubbed DogWalk. The issue affects all Windows versions from Windows 7 and Windows Server 2008 up to and including the latest releases.
DogWalk is a path traversal flaw in the way MSDT processes .diagcab diagnostic packages: it can be exploited to write arbitrary files to arbitrary locations on the file system (subject to the permissions of the current user) before the integrity of the package is checked.
An attacker can turn this into code execution by dropping a file into the user's Startup folder; Windows will run it the next time the user logs in.
DogWalk was first disclosed in January 2020 by security researcher Imre Rad, but Microsoft declined to address the flaw in current versions of Windows. Rad advised users not to open .diagcab files and recommended that mail server operators add the extension to their attachment blocklists.
“During my testing, I concluded that neither Gmail nor Outlook Live blocked .diagcab files at all, so users of these services could be potential targets. I encountered the filtering mechanism of some MS Exchange based corporate servers blocking my attachments, however, by linking to a webdav share, I could circumvent this protection so the diagcab file could be executed in Outlook.” wrote Rad. “But not even links like this can be used ultimately, they are deactivated by providers like Gmail or Outlook Live and blocked by other security measures of Internet Explorer.”
“The vulnerability lies in the Microsoft Diagnostic Tool’s sdiageng.dll library, which takes the attacker-supplied folder path from the package configuration XML file inside the diagcab archive, and copies all files from that folder to a local temporary folder.” reads the post published by 0patch. “During this process, it enumerates files in the attacker’s folder, gets the file name for each of them, then glues together the local temporary path and that file name to generate the local path on the computer where the file is to be created.”
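The join 0patch describes, beside a contained version of it, as an added example that is not code from the original article, from 0patch or from Microsoft. It uses Python's `ntpath` module so the Windows path semantics run on any platform; the temp folder, the Startup path and the enumerated file names are constructed for illustration, and the "..\" name plays the role of a file name that a DogWalk-style package would supply from its attacker-controlled folder.

```python
import ntpath

# Constructed sample data: the local temp folder an MSDT-style extraction
# would write into, the user's Startup folder, and the file names enumerated
# from the attacker-controlled source folder. The second name carries the
# "..\" components that walk out of the temp folder; the third is junk that
# a hardened copy routine must refuse outright.
TEMP_DIR = r"C:\Users\victim\AppData\Local\Temp\SDIAG_demo"
STARTUP_DIR = (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")
ATTACKER_FILE_NAMES = [
    "TS_Diag.ps1",
    r"..\..\..\..\..\..\Users\victim\AppData\Roaming\Microsoft\Windows"
    r"\Start Menu\Programs\Startup\payload.exe",
    r"sub\..",
]


def vulnerable_target_path(temp_dir, file_name):
    """Mirror of the flawed logic the article describes: temp path + file name.

    Nothing validates file_name, so "..\\" components escape temp_dir.
    """
    return ntpath.normpath(ntpath.join(temp_dir, file_name))


def is_inside(root, path):
    """True if path is root itself or lies beneath it (normalised, case-insensitive)."""
    root = ntpath.normcase(ntpath.normpath(root))
    path = ntpath.normcase(ntpath.normpath(path))
    try:
        return ntpath.commonpath([root, path]) == root
    except ValueError:          # different drives, or absolute vs. relative
        return False


def safe_target_path(temp_dir, file_name):
    """Hardened variant: keep only the base name and prove the result stays in temp_dir."""
    # Collapse both separator styles and discard any directory part the
    # package author supplied; only the final component is used at all.
    base = ntpath.basename(file_name.replace("/", "\\"))
    if not base or base in (".", ".."):
        raise ValueError(f"rejected file name: {file_name!r}")
    # An NTFS alternate-data-stream suffix (name:stream) must not reach the disk either.
    if ":" in base:
        raise ValueError(f"rejected stream syntax in file name: {file_name!r}")
    target = ntpath.normpath(ntpath.join(temp_dir, base))
    # Belt and braces: the containment check catches anything basename() missed.
    if not is_inside(temp_dir, target):
        raise ValueError(f"path escapes temp dir: {target!r}")
    return target


def plan_copies(temp_dir, file_names):
    """Run the hardened path over a file list; returns (accepted targets, rejected names)."""
    accepted, rejected = [], []
    for name in file_names:
        try:
            accepted.append(safe_target_path(temp_dir, name))
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    for name in ATTACKER_FILE_NAMES:
        target = vulnerable_target_path(TEMP_DIR, name)
        print(f"vulnerable join -> {target}  (escapes temp: {not is_inside(TEMP_DIR, target)})")
    accepted, rejected = plan_copies(TEMP_DIR, ATTACKER_FILE_NAMES)
    print("hardened join accepts:", accepted)
    print("hardened join rejects:", rejected)
```

Run stand-alone, the vulnerable join lands `payload.exe` in the Startup folder, which is exactly the outcome the article describes, while the hardened join writes the same file into the temp folder and rejects the malformed name. The point of the containment check after `basename()` is that the two controls fail independently: even if a future change reintroduces a directory part, nothing outside the temp folder is ever written.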
“Okay, but who would download and open a silly diagcab file? Well, the download can happen automatically in a drive-by-download fashion, as demonstrated by Imre’s POC (click this link and see the file downloaded to your browser). Then you see it listed in browser’s Downloads list and if you click on it – intentionally or not – it’s game over.” concludes 0patch. “How about Mark of the Web? Aren’t all downloaded files and files received via email marked with this flag that tells Windows to warn the user if they want to open it? They are indeed, and the downloaded diagcab file is marked as well. But it is up to the application processing the file to check this mark and warn the user. Many applications do that; MSDT, unfortunately, does not.”
(SecurityAffairs – hacking, DogWalk)