CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Trustwave's Action Response: More MSDT Fallout with “Dogwalk”

A zero-day vulnerability has been re-disclosed that is very similar to the Follina zero-day announced last week and is actively being tracked by Trustwave SpiderLabs. The vulnerability was initially publicly disclosed back in 2020 but dismissed by Microsoft, which replied at the time:

"We are also always seeking to improve these protections. But as written this wouldn't be considered a vulnerability."

With the disclosure around Follina on May 30, security researchers started doing additional research on the Microsoft Support Diagnostic Tool (MSDT) in Windows. While conducting this activity, some older research has been resurrected.

Explanation of the Vulnerability

By creating a malicious .diagcab file and then convincing a victim to open it, an attacker could use a directory traversal attack to place arbitrary malware or other code in the victim's Windows Startup directory. This code will then be automatically executed on the next logon or reboot.

The .diagcab file is an archive file used to distribute files and executables for troubleshooting and diagnostic purposes. An XML file in the archive tells Windows what files to download and from where (whether a local directory, network share, or, more importantly, in this case, a WebDAV share on the Internet).

The main issue is that WebDAV doesn't validate the remote filename as Windows Explorer would. Specifically, the file name can contain "..\". This allows an attacker to embed a directory traversal directly in the malware's name and ensures that it ends up placed in the victim's Startup directory.

Limiting factors

  • .diagcab files are blocked by Outlook by default but may be accessible in other mail clients like Gmail or Thunderbird
  • Any attack requires user interaction with a victim being convinced to open the malicious .diagcab file
  • Overwriting files is not possible by exploiting this vulnerability

Impact

This vulnerability affects all Windows versions. This includes Windows 7 through Windows 11 and Server 2008 through Server 2022. If exploited on a system, the attacker can place any arbitrary malware on the victim system, ultimately compromising that system and providing a foothold to spread to others on a shared network.

Remediation

There is no CVE issued for this vulnerability nor any indication from Microsoft that it plans to issue a patch. However, Microsoft Patch Tuesday is June 14, and a patch may be released at that time. Additionally, unofficial patches have been issued by the 0patch team but are not currently supported by Microsoft.

We recommend that administrators monitor for unexpected .diagcab on their network inbound via web or email vectors. Organizations may want to consider Security Awareness training for their staff or issuing a notification warning users about opening any files with the .diagcab extension.

Trustwave

The Trustwave SpiderLabs is investigating potential protections and detections we can implement.

References

Original 2020 write-up from Imre Rad: https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd

Rediscovered by @j00sean: https://twitter.com/j00sean/status/1533889445027536899

New technical writeup and unofficial patches from 0patch:https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html

We will update this blog post as appropriate.

Latest SpiderLabs Blogs

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More

CNAPP, CSPM, CIEM, CWPP – Oh My!

We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More

Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious...

Read More