https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html
by Mitja Kolsek, the 0patch Team
With the “Follina” / CVE-2022-30190 0day still hot, i.e., still waiting for an official fix while apparently already getting exploited by nation-backed attackers, another related unfixed vulnerability in Microsoft’s Diagnostic Tool (MSDT) bubbled to the surface.
In January 2020, security researcher Imre Rad published an article titled “The trouble with Microsoft’s Troubleshooters,” describing a method for having a malicious executable file being saved to user’s Startup folder, where it would subsequently get executed upon user’s next login. What the user has to do for this to happen is open a “diagcab” file, an archive in the Cabinet (CAB) file format that contains a diagnostics configuration file.
According to Imre’s article, this issue was reported to Microsoft but their position was that it was not a security issue worth fixing. This was their response:
“”There are a number of file types that can execute code in such a way but aren’t technically “executables”. And a number of these are considered unsafe for users to download/receive in email, even .diagcab is blocked by default in Outlook on the web and other places. This is noted a number of places online by Microsoft.
The issue is that to make use of this attack an attacker needs to create what amounts to a virus, convince a user to download the virus, and then run it. Yes, it doesn’t end in .exe, but these days most viruses don’t. Some protections are already put into place, such as standard files extensions to be blocked, of which this is one. We are also always seeking to improve these protections. But as written this wouldn’t be considered a vulnerability. No security boundaries are being bypassed, the PoC doesn’t escalate permissions in any way, or do anything the user couldn’t do already.””…
We decided this issue is exploitable enough to warrant a micropatch, and with the cat out of the bag (having presumably stayed in the bag since 2020) the likelihood of its exploitation is now higher..
