New ‘DogWalk’ Windows zero-day gets free unofficial patches – Detection & Response

0patch has released an unofficial security patch for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), dubbed DogWalk. The issue affects all Windows versions from Windows 7 and Windows Server 2008 up to and including the latest releases.

The flaw is a path traversal bug: an attacker can use it to copy an executable into the Windows Startup folder when the target opens a maliciously crafted .diagcab file, received via email or downloaded from the web.

Because Windows launches everything in the Startup folder at logon, the planted executable then runs automatically the next time the victim logs on, for example after a restart.

This vulnerability was first publicly disclosed by security researcher Imre Rad in January 2020 after Microsoft replied to his report saying it won’t provide a fix because this isn’t a security issue. However, the bug was recently re-discovered and brought to public attention by security researcher j00sean.

While Microsoft said that Outlook users are not at risk because .diagcab files are automatically blocked, security researchers and experts argue that exploiting this bug is still a valid attack vector.

“The vulnerability lies in the Microsoft Diagnostic Tool’s sdiageng.dll library, which takes the attacker-supplied folder path from the package configuration XML file inside the diagcab archive, and copies all files from that folder to a local temporary folder.” reads the post published by 0patch. “During this process, it enumerates files in attacker’s folder, gets the file name for each of them, then glues together the local temporary path and that file name to generate the local path on the computer where the file is to be created.” 
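To make the copy logic in the 0patch description concrete, here is an added example written for this page; it is not code from 0patch, Microsoft or the researchers. It models the pattern described above (local temp path + attacker-supplied file name, no validation) next to a hardened version of the same join. The temp folder, the victim's per-user Startup folder and the traversal file name are all constructed for the demonstration, and the example assumes the attacker controls the file name seen during enumeration and can put `..\` sequences in it; the page does not say how that control is obtained.

```python
import ntpath

# Constructed paths for the demonstration (not taken from the page): the temp
# folder the diagnostic package is extracted into, and the victim's per-user
# Startup folder that the traversal is aimed at.
TEMP_ROOT = r"C:\Users\victim\AppData\Local\Temp\SDIAG_1234"
STARTUP_DIR = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Assumed attacker-controlled file name: three levels up from TEMP_ROOT lands in
# ...\AppData, from where the Roaming\...\Startup folder is reachable.
TRAVERSAL_NAME = r"..\..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.exe"


def vulnerable_local_path(temp_root: str, remote_name: str) -> str:
    """The pattern 0patch describes: glue the local temp path and the
    attacker-supplied file name together and use the result as the copy
    destination. normpath() shows where Windows would resolve it."""
    return ntpath.normpath(temp_root + "\\" + remote_name)


def hardened_local_path(temp_root: str, remote_name: str) -> str:
    """Accept only a bare file name, then confirm the resolved destination is
    still inside temp_root before using it."""
    if remote_name in ("", ".", "..") or ntpath.basename(remote_name) != remote_name:
        # Rejects anything with a directory part, a drive letter or '..'.
        raise ValueError(f"not a plain file name: {remote_name!r}")
    root = ntpath.normpath(temp_root)
    candidate = ntpath.normpath(ntpath.join(root, remote_name))
    # Second line of defence: containment check on the normalised result.
    if ntpath.commonpath([root, candidate]) != root:
        raise ValueError(f"destination escapes {root}: {candidate}")
    return candidate


def is_rejected(temp_root: str, remote_name: str) -> bool:
    """True if the hardened version refuses this name."""
    try:
        hardened_local_path(temp_root, remote_name)
    except ValueError:
        return True
    return False


def escapes_temp(temp_root: str, remote_name: str) -> bool:
    """Does the vulnerable join end up outside temp_root?"""
    root = ntpath.normpath(temp_root)
    return ntpath.commonpath([root, vulnerable_local_path(temp_root, remote_name)]) != root


if __name__ == "__main__":
    for name in ("results.xml", TRAVERSAL_NAME):
        hardened = "rejected" if is_rejected(TEMP_ROOT, name) else hardened_local_path(TEMP_ROOT, name)
        print(f"{name!r}")
        print(f"  vulnerable -> {vulnerable_local_path(TEMP_ROOT, name)} (escapes temp: {escapes_temp(TEMP_ROOT, name)})")
        print(f"  hardened   -> {hardened}")
```

Running the script shows the plain name landing in the temp folder under both versions, while the traversal name resolves to evil.exe inside the Startup folder under the vulnerable join and is rejected by the hardened one. Both checks in the hardened version matter: the basename test stops the traversal before any path is built, and the containment check catches anything a future change to the first test might let through.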

Even though .diagcab files downloaded from the Internet carry a Mark-of-the-Web (MOTW), Windows ignores it for this file type and opens the file without a warning.

Web browsers and Windows use the MOTW to decide whether a file should be treated with suspicion, so ignoring it for .diagcab files means more users will open the downloaded file without ever seeing a prompt.

“However, Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting(!) a web site, and it only takes a single click (or mis-click) in the browser’s downloads list to have it opened,” 0patch co-founder Mitja Kolsek explained.


“No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing attacker’s code.”

This vulnerability affects all Windows versions, starting with the latest releases (Windows 11 and Server 2022) and going back to Windows 7 and Server 2008.

“Since this is a ‘0day’ vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available,” Kolsek added.

Detection Queries:

All of the queries below look for the same event: a file created in a Startup folder (the per-user ...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ or the all-users C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\) by msdt.exe, i.e. Sysmon Event ID 11 (FileCreate) or the equivalent EDR file event. msdt.exe has no legitimate reason to write there, so any hit is worth triage. The dropped file does not have to be an .exe, since anything placed in the Startup folder is opened at logon, so the queries match the folder rather than the extension. Matching on the .diagcab extension belongs to a separate hunt for the lure itself (a .diagcab written to disk by a browser or mail client); a single file-create event cannot carry both the .diagcab name and the Startup path, so the two conditions are not combined here.

Splunk:

(source="WinEventLog:*" AND EventCode=11 AND Image="*\\msdt.exe" AND TargetFilename="*\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*")

Qradar:

SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and (CATEGORYNAME(category) ILIKE 'File Created' or CATEGORYNAME(category) ILIKE 'Successful File Modification') and "Image" ilike '%\msdt.exe' and "TargetFilename" ilike '%\Microsoft\Windows\Start Menu\Programs\StartUp\%'

Microsoft Defender:

DeviceFileEvents | where ActionType in ("FileCreated", "FileModified") | where InitiatingProcessFileName =~ "msdt.exe" | where FolderPath contains @"\Microsoft\Windows\Start Menu\Programs\StartUp" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName

Elastic Query:

(event.category:file AND process.executable:*\\msdt.exe AND file.path:*\\Microsoft\\Windows\\Start\ Menu\\Programs\\StartUp\\*)

Graylog:

(Image.keyword:*\\msdt.exe AND TargetFilename.keyword:*\\Microsoft\\Windows\\Start\ Menu\\Programs\\StartUp\\*)

Logpoint:

(Image="*\\msdt.exe" TargetFilename="*\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*")

RSA NETWITNESS:

((Image contains 'msdt.exe') && (TargetFilename regex '.*\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\.*'))

Carbon Black:

(process_name:*\\msdt.exe AND filemod_name:*\\Microsoft\\Windows\\Start\ Menu\\Programs\\StartUp\\*)

Arcsight:

(filePath CONTAINS "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\" AND (destinationProcessName CONTAINS "\\msdt.exe" OR deviceProcessName CONTAINS "\\msdt.exe" OR sourceProcessName CONTAINS "\\msdt.exe"))
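The same detection logic, run over a handful of constructed Sysmon-style file-create records so it can be exercised offline. This is an added example written for this page, not part of the original post and not a tool from 0patch or any vendor. The log lines, host names and file paths are made up; the record format (key=value pairs joined by '|') is a stand-in for whatever your SIEM hands you, and the field names follow Sysmon (EventID, Image, TargetFilename). It goes one step beyond the queries above by also flagging the .diagcab lure as a separate, lower-confidence signal and correlating the two by host.

```python
import re

# Constructed Sysmon-style records (key=value pairs joined by '|'), made up for
# this demonstration; they are not real telemetry. EventID 11 = FileCreate,
# EventID 23 = FileDelete (included to show it is ignored).
SAMPLE_LOG = r"""
EventID=11|Computer=WS01|Image=C:\Windows\System32\msdt.exe|TargetFilename=C:\Users\alice\AppData\Local\Temp\SDIAG_abc\results.xml
EventID=11|Computer=WS01|Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|TargetFilename=C:\Users\alice\Downloads\invoice.diagcab
EventID=11|Computer=WS01|Image=C:\Windows\System32\msdt.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe
EventID=11|Computer=WS02|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk
EventID=11|Computer=WS03|Image=c:\windows\syswow64\MSDT.EXE|TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.vbs
EventID=23|Computer=WS01|Image=C:\Windows\System32\msdt.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe
"""

# Per-user (...\AppData\Roaming\...) and all-users (C:\ProgramData\...) Startup
# folders share this suffix. Windows paths are case-insensitive, so match that way.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
MSDT_RE = re.compile(r"(^|\\)msdt\.exe$", re.IGNORECASE)


def parse_events(text):
    """One dict per non-empty line."""
    return [dict(kv.split("=", 1) for kv in line.split("|"))
            for line in text.strip().splitlines()]


def msdt_startup_writes(events):
    """Stage 2: msdt.exe creating a file in a Startup folder. This is the
    high-confidence signal; msdt.exe never legitimately writes there."""
    return [
        (e["Computer"], e["TargetFilename"])
        for e in events
        if e.get("EventID") == "11"
        and MSDT_RE.search(e.get("Image", ""))
        and STARTUP_RE.search(e.get("TargetFilename", ""))
    ]


def diagcab_drops(events):
    """Stage 1: a .diagcab lure landing on disk (browser or mail client).
    Low confidence on its own, useful as context for stage 2."""
    return [
        (e["Computer"], e["TargetFilename"])
        for e in events
        if e.get("EventID") == "11" and e.get("TargetFilename", "").lower().endswith(".diagcab")
    ]


def correlate(events):
    """Stage-2 hits on hosts that also saw a stage-1 lure: the strongest case."""
    lure_hosts = {host for host, _ in diagcab_drops(events)}
    return [(host, path) for host, path in msdt_startup_writes(events) if host in lure_hosts]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("msdt.exe -> Startup:", msdt_startup_writes(evs))
    print(".diagcab dropped:   ", diagcab_drops(evs))
    print("correlated:         ", correlate(evs))
```

On the sample data the stage-2 rule fires twice (WS01, per-user Startup, and WS03, all-users StartUp via the SysWOW64 copy of msdt.exe in mixed case) and ignores explorer.exe writing a shortcut to Startup as well as the later FileDelete for the same path; only WS01 also saw a .diagcab arrive, so it is the one the correlation surfaces.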

Source: https://www.bleepingcomputer.com/news/security/new-dogwalk-windows-zero-day-bug-gets-free-unofficial-patches/
BalaGanesh
Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.
