A newly discovered zero-day vulnerability impacts a Windows tool, much as Follina did. Although there is no information on whether the vulnerability has been exploited in the wild, exploitation is possible. The recent attention to and extensive exploitation of the Follina vulnerability also mean that exploitation of this vulnerability is very probable.
The vulnerability impacts the Microsoft Diagnostic Tool (MSDT). It is a path traversal vulnerability which, when exploited, can result in an executable file being copied to the Windows Startup folder. An attacker can exploit the vulnerability by sending a specially crafted .diagcab file through email, or when a user downloads the file from the web. .diagcab files are Cabinet files that contain a diagnostic configuration file. In this type of attack, after the startup entry is added, the executable file runs the next time Windows starts.
Security researcher Imre Rad discovered the vulnerability and publicly disclosed it in January 2020. Microsoft opted not to release a fix because this was technically not a security problem, and because .diagcab files are regarded as unsafe and are blocked automatically by Outlook, on the web, as well as in other places. Though Microsoft’s thinking is reasonable, there are some other file types that aren’t technically executables and can possibly be exploited. Threat actors may attempt to take advantage of the vulnerability, particularly in attacks online.
0Patch explains that Outlook is not the only way the file can be delivered. Such a file can be downloaded by all major browsers, including Microsoft Edge, through a simple website visit. A single click (or mis-click) on the file in the browser’s downloads list opens it. No warning popup appears about what is happening, unlike when downloading and opening other known file types that can execute an attacker’s code. From the hacker’s point of view, this is consequently a perfectly exploitable vulnerability that affects all Windows versions, including Windows 7 and Server 2008.
After the Follina vulnerability was discovered, security researcher j00sean identified the vulnerability again and reported it last week. The vulnerability was named DogWalk and is regarded as completely exploitable, so 0Patch created micropatches to fix it.
The DogWalk vulnerability micropatches (https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html) can be downloaded for free until Microsoft creates a patch to fix the problem once and for all. The micropatches are available for Windows Server 2008 R2, 2012/2012 R2, 2016, 2019, and 2022, and for Windows 7, 10, and 11.