A zero-day vulnerability has been re-disclosed that is very similar to the Follina zero-day announced last week and is actively being tracked by Trustwave SpiderLabs. The vulnerability was initially publicly disclosed back in 2020 but dismissed by Microsoft, which replied at the time:
"We are also always seeking to improve these protections. But as written this wouldn't be considered a vulnerability."
With the disclosure around Follina on May 30, security researchers started doing additional research on the Microsoft Support Diagnostic Tool (MSDT) in Windows. While conducting this activity, some older research has been resurrected.
Explanation of the Vulnerability
By creating a malicious. diagcab file and then convincing a victim to open it, an attacker could use a directory traversal attack to place arbitrary malware or other code in the victim's Windows Startup directory. This code will then be automatically executed on the next logon or reboot.
The .diagcab file is an archive file used to distribute files and executables for troubleshooting and diagnostic purposes. An XML file in the archive tells Windows what files to download and from where (whether a local directory, network share, or, more importantly, in this case, a WebDAV share on the Internet).
The main issue is that WebDAV doesn't validate the remote filename as Windows Explorer would. Specifically, the file name can contain "..\". This allows an attacker to embed a directory traversal directly in the malware's name and ensures that it ends up placed in the victim's Startup directory.
- .diagcab files are blocked by Outlook by default but may be accessible in other mail clients like Gmail or Thunderbird
- Any attack requires user interaction with a victim being convinced to open the malicious .diagcab file
- Overwriting files is not possible by exploiting this vulnerability
This vulnerability affects all Windows versions. This includes Windows 7 through Windows 11 and Server 2008 through Server 2022. If exploited on a system, the attacker can place any arbitrary malware on the victim system, ultimately compromising that system and providing a foothold to spread to others on a shared network.
There is no CVE issued for this vulnerability nor any indication from Microsoft that it plans to issue a patch. However, Microsoft Patch Tuesday is June 14, and a patch may be released at that time. Additionally, unofficial patches have been issued by the 0patch team but are not currently supported by Microsoft.
We recommend that administrators monitor for unexpected .diagcab on their network inbound via web or email vectors. Organizations may want to consider Security Awareness training for their staff or issuing a notification warning users about opening any files with the .diagcab extension.
The Tustwave SpiderLabs is investigating potential protections and detections we can implement.
Original 2020 write-up from Imre Rad: https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
Rediscovered by @j00sean: https://twitter.com/j00sean/status/1533889445027536899
New technical writeup and unofficial patches from 0patch: https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html
We will update this blog post as appropriate.