Dubbed DogWalk, the issue is a path traversal flaw in the way the Microsoft Support Diagnostic Tool (MSDT) handles “.diagcab” archives: when a target opens a specially crafted “.diagcab” file containing a diagnostics configuration file, the traversal can be exploited to drop a malicious executable into the Windows Startup folder.
The payload then runs the next time the victim restarts the system and logs in. The vulnerability affects all Windows versions from Windows 7 and Windows Server 2008 onward.
Security researcher Imre Rad first disclosed the issue publicly in January 2020, after Microsoft told him it did not consider it a security issue.
Microsoft stated: “There are a number of file types that can execute code in such a way but aren’t technically ‘executables’ and a number of these are considered unsafe for users to download/receive in email, even ‘.diagcab’ is blocked by default in Outlook on the web and other places.”
Typically, files downloaded from the internet or received via email carry a Mark-of-the-Web (MOTW) tag that records the file’s origin zone and triggers the appropriate security warning when the file is opened. According to 0patch’s Mitja Kolsek, MSDT opens a “.diagcab” file without any such warning because the application was never designed to check this flag.
Kolsek said, “Outlook is not the only delivery vehicle: such a file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting(!) a website, and it only takes a single click (or mis-click) in the browser’s downloads list to have it opened.”
“No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing [the] attacker’s code.”
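The two checks a defender would want after reading the above are whether a downloaded file actually carries the Mark-of-the-Web that MSDT ignores, and whether anything has recently appeared in a Startup folder. The PowerShell below is an added example written for this page; it is not code from the original article, from Imre Rad or from 0patch. It assumes Windows with PowerShell 5.1 or later, an NTFS volume (the MOTW is stored in the Zone.Identifier alternate data stream), and the function names and the seven-day window are my own choices.

```powershell
# Added example, not from the original article or from 0patch.
# Assumes Windows, PowerShell 5.1+, NTFS (Zone.Identifier is an NTFS alternate data stream).

function Get-MotwZone {
    # Read the Mark-of-the-Web of a file. Returns $null when the file carries no MOTW.
    # ZoneId values: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted.
    param([Parameter(Mandatory)][string]$Path)

    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    # The stream is an INI-style [ZoneTransfer] section of key=value lines.
    $props = @{}
    foreach ($line in $stream) {
        if ($line -match '^(\w+)=(.*)$') { $props[$Matches[1]] = $Matches[2] }
    }

    [pscustomobject]@{
        Path        = $Path
        ZoneId      = if ($props.ContainsKey('ZoneId')) { [int]$props['ZoneId'] } else { $null }
        ReferrerUrl = $props['ReferrerUrl']   # where the browser was when it downloaded the file
        HostUrl     = $props['HostUrl']       # the URL the file itself came from
    }
}

function Find-RecentStartupDrops {
    # List files created in the per-user and all-users Startup folders within the last $Days days,
    # together with their MOTW zone. Any new executable here deserves a look: a file written by
    # a traversal out of a .diagcab is assumed (my assumption, not a claim from the article) to
    # carry no zone tag at all, so the absence of MOTW is not reassuring.
    param([int]$Days = 7)

    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # %APPDATA%\...\Start Menu\Programs\Startup
        [Environment]::GetFolderPath('CommonStartup')   # %ProgramData%\...\Start Menu\Programs\StartUp
    )
    $since = (Get-Date).AddDays(-$Days)

    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -Force |
            Where-Object { $_.CreationTime -ge $since } |
            ForEach-Object {
                $motw = Get-MotwZone -Path $_.FullName
                [pscustomobject]@{
                    Path         = $_.FullName
                    CreationTime = $_.CreationTime
                    Extension    = $_.Extension
                    ZoneId       = if ($motw) { $motw.ZoneId } else { $null }
                    HostUrl      = if ($motw) { $motw.HostUrl } else { $null }
                }
            }
    }
}

# Usage (paths are placeholders):
# Get-MotwZone -Path "$env:USERPROFILE\Downloads\sample.diagcab"
# Find-RecentStartupDrops -Days 14 | Format-Table -AutoSize
```

Running `Get-MotwZone` on a freshly downloaded “.diagcab” will normally show `ZoneId` 3 with the `HostUrl` the browser recorded, which is exactly the tag MSDT does not consult; `Find-RecentStartupDrops` is the quick hunt for the outcome the flaw produces, and is cheap enough to schedule on endpoints as a scheduled task.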
This renewed interest in the zero-day bug follows active exploitation of the “Follina” remote code execution vulnerability through malware-laced Word documents that abuse the “ms-msdt:” protocol URI scheme.