An unofficial security patch has been made available for a new
Windows zero-day vulnerability in the Microsoft Support Diagnostic
Tool (MSDT), even as the Follina flaw continues to be exploited in
the wild.
The issue, referenced as DogWalk, is a path traversal flaw that can
be exploited to plant a malicious executable file in the Windows
Startup folder when a potential target opens a specially crafted
“.diagcab” archive file that contains a diagnostics configuration
file.
The idea is that the payload would get executed the next time
the victim logs in to the system after a restart. The vulnerability
affects all Windows versions, from Windows 7 and Server 2008 to the
latest releases.
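Added example (not code from the article, from 0patch or from Microsoft): a small Python scanner that reads the file table of a .diagcab, which is a standard Microsoft Cabinet archive, and flags entry names that would escape the extraction directory. That is the check a mail gateway or file scanner could apply, since MSDT itself does not consult the file's origin. The CAB field layout follows the published MS-CAB format; the sample archive and its entry names are constructed inline and carry no data blocks.

```python
import struct
import ntpath

CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # CFHEADER fixed part, 36 bytes (MS-CAB spec)
CFFILE_FMT = "<IIHHHH"            # CFFILE fixed part, 16 bytes, then NUL-terminated name

def cab_file_names(data: bytes) -> list[str]:
    """Return every entry name listed in the CFFILE table of a cabinet blob."""
    hdr = struct.unpack_from(CFHEADER_FMT, data, 0)
    if hdr[0] != b"MSCF":
        raise ValueError("not a cabinet file")
    coff_files, n_files = hdr[4], hdr[9]  # file-table offset, file count
    names, off = [], coff_files
    for _ in range(n_files):
        off += struct.calcsize(CFFILE_FMT)  # skip cbFile, uoffFolderStart, iFolder, date, time, attribs
        end = data.index(b"\x00", off)
        names.append(data[off:end].decode("utf-8", "replace"))
        off = end + 1
    return names

def traversal_entries(names: list[str]) -> list[str]:
    """Names that would land outside the extraction directory: a '..' segment,
    a rooted path, or a drive letter. A gateway or EDR rule should flag these."""
    bad = []
    for name in names:
        parts = name.replace("/", "\\").split("\\")
        if ".." in parts or name.startswith("\\") or ntpath.splitdrive(name)[0]:
            bad.append(name)
    return bad

def build_sample_cab(names: list[str]) -> bytes:
    """Constructed fixture: header, one empty CFFOLDER, and a CFFILE table with
    the given names. No CFDATA blocks follow, so nothing is extractable."""
    folder = struct.pack("<IHH", 0, 0, 0)  # coffCabStart, cCFData, typeCompress
    table = b"".join(struct.pack(CFFILE_FMT, 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00"
                     for n in names)
    coff_files = struct.calcsize(CFHEADER_FMT) + len(folder)
    hdr = struct.pack(CFHEADER_FMT, b"MSCF", 0, coff_files + len(table), 0,
                      coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    return hdr + folder + table

# Constructed sample: one benign diagnostic-package entry and one entry that
# climbs out of the extraction directory toward the per-user Startup folder.
SAMPLE_NAMES = [
    "TS_Sample.xml",
    "..\\..\\..\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
]
SAMPLE_CAB = build_sample_cab(SAMPLE_NAMES)
```

Running `traversal_entries(cab_file_names(SAMPLE_CAB))` returns only the second entry; pointing `cab_file_names` at the bytes of a real .diagcab works the same way because only the header and file table are read.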
DogWalk was originally disclosed[1]
by security researcher Imre Rad in January 2020 after Microsoft,
having acknowledged the problem, deemed it as not a security
issue.
“There are a number of file types that can execute code in such
a way but aren’t technically ‘executables,’” the tech giant said at
the time. “And a number of these are considered unsafe for users to
download/receive in email, even ‘.diagcab’ is blocked by default in
Outlook on the web and other places.”
While all files downloaded and received via email include a
Mark-of-the-Web (MOTW[2]) tag that’s used to
determine their origin and trigger an appropriate security
response, 0patch’s Mitja Kolsek noted that the MSDT application is
not designed to check this flag and hence allows the .diagcab file
to be opened without warning.
“Outlook is not the only delivery vehicle: such a file is
cheerfully downloaded by all major browsers including Microsoft
Edge by simply visiting(!) a website, and it only takes a single
click (or mis-click) in the browser’s downloads list to have it
opened,” Kolsek said[3].
“No warning is shown in the process, in contrast to downloading
and opening any other known file capable of executing [the]
attacker’s code.”
The patches and the renewed interest[4]
in the zero-day bug follow active exploitation[5]
of the “Follina[6]” remote code execution
vulnerability by leveraging malware-laced Word documents that abuse
the “ms-msdt:” protocol URI scheme.
According to enterprise security firm Proofpoint, the flaw
(CVE-2022-30190, CVSS score: 7.8) is being weaponized by a threat
actor tracked as TA570[7]
to deliver the QBot[8]
(aka Qakbot) information-stealing trojan.
“Actor uses thread hijacked messages with HTML attachments
which, if opened, drop a ZIP archive,” the company said[9]
in a series of tweets detailing the phishing attacks.
“Archive contains an IMG with a Word doc, shortcut file, and
DLL. The LNK will execute the DLL to start QBot. The doc will load
and execute an HTML file containing PowerShell abusing
CVE-2022-30190 used to download and execute Qbot.”
QBot has also been employed by initial access brokers[10] to gain initial access
to target networks, enabling ransomware affiliates to abuse the
foothold to deploy file-encrypting malware.
The DFIR Report, earlier this year, also documented[11] how QBot infections
move at a rapid pace, enabling the malware to harvest browser data
and Outlook emails a mere 30 minutes after initial access and
propagate the payload to an adjacent workstation around the
50-minute mark.
References
[1] disclosed (irsl.medium.com)
[2] MOTW (attack.mitre.org)
[3] said (blog.0patch.com)
[4] renewed interest (twitter.com)
[5] active exploitation (thehackernews.com)
[6] Follina (thehackernews.com)
[7] TA570 (thehackernews.com)
[8] QBot (thehackernews.com)
[9] said (twitter.com)
[10] initial access brokers (thehackernews.com)
[11] documented (thedfirreport.com)
Read more https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html