The 0patch developers have released free, unofficial patches for a new 0-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), which researchers have jokingly called DogWalk.
The new bug is classed as a path traversal: an attacker can use it to copy an executable into the Windows Startup folder when the victim opens a malicious .diagcab file (received by email or downloaded from the Internet). The embedded executable then runs automatically the next time the user restarts Windows.

The original vulnerability was discovered and disclosed back in January 2020 by security researcher Imre Rad, but at the time Microsoft responded that the bug was not a security issue.
The bug was recently rediscovered, this time by a researcher known as j00sean.
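The bug class described above is path traversal during archive extraction: a member name is joined onto the extraction directory without checking where the result lands. The following is an added example, not code from the page, from Microsoft, or from 0patch; it shows the member-name check a defender would expect an extractor to apply, plus a helper that flags a resolved path landing in a Startup folder. The extraction directory and member names are constructed for illustration.

```python
import ntpath
from typing import Optional

# Hypothetical extractor-side check (not MSDT's own logic). Windows path
# semantics are used via ntpath so the example also runs on non-Windows hosts.


def safe_extract_path(dest_root: str, member: str) -> Optional[str]:
    """Return the full path for an archive member under dest_root, or None
    when the member name would escape the extraction directory."""
    # Member names must be relative: reject drive letters, UNC and rooted names.
    if ntpath.isabs(member) or ntpath.splitdrive(member)[0]:
        return None
    if member.startswith(("\\", "/")):
        return None
    # Normalize away any "..", "." and mixed separators, then require the
    # result to sit strictly inside the extraction root.
    root = ntpath.normpath(dest_root).rstrip("\\")
    candidate = ntpath.normpath(ntpath.join(root, member))
    if not ntpath.normcase(candidate).startswith(ntpath.normcase(root) + "\\"):
        return None
    return candidate


def lands_in_startup_folder(path: str) -> bool:
    """True if a resolved path is inside a per-user or all-users Startup
    folder, which both end in \\Start Menu\\Programs\\Startup\\."""
    return "\\start menu\\programs\\startup\\" in ntpath.normcase(path)


if __name__ == "__main__":
    # Constructed extraction directory and member names for a quick demo.
    root = r"C:\Users\alice\AppData\Local\Temp\diag"
    for name in ("script.ps1", r"sub\..\notes.txt", r"..\..\outside.exe"):
        resolved = safe_extract_path(root, name)
        verdict = "rejected" if resolved is None else f"extract to {resolved}"
        print(f"{name!r}: {verdict}")
```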
This is for sure an underrated 0day on Microsoft Support Diagnostics Tool. To summarize:
1) Persistence by startup folder.
2) MOTW bypass.
3) Not flagged by chromium-based file downloaders (Chrome, Edge or Opera).
4) Defender bypass.
All-in-one. Enjoy! https://t.co/lgTnDSxYGM
— j00sean (@j00sean) June 2, 2022
Although Microsoft has said Outlook users are not at risk because .diagcab files are blocked automatically, researchers point out that the bug remains a viable attack vector: a malicious file can still be delivered through another email client or downloaded from a site the attacker controls. j00sean also stresses that this vulnerability is unrelated to the Follina issue.
The DogWalk vulnerability is known to affect all versions of Windows, from newer ones (Windows 11 and Server 2022) to Windows 7 and Server 2008.
Unofficial patches from 0patch are available for Windows 11 21H2, Windows 10 (1803 to 21H2), Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022.
A detailed technical analysis of this problem can be found in the Kolsec blog.