Microsoft Windows Support Diagnostic Tool (MSDT) RCE Vulnerability
Alternate Names: Follina, DogWalk, MSDT Exploit
CVE Number: CVE-2022-30190
CVSS Rating: 7.8
Vulnerability Class: Remote Code Execution
Exploitable: Yes
Attack Vector: Social Engineering / Phishing
Reported by crazyman, leader of the Shadow Chaser Group
OS Affected: Microsoft Windows 7, 8, 8.1, 10 and 11
Microsoft Windows Server 2008, 2012, 2016, 2019 and 2022
Straight from the front lines: The MSDT DogWalk Exploit
Every day there are news reports about a new threat of some kind, or a successful attack resulting in loss of data, loss of reputation, or millions of dollars lost. A new Microsoft zero-day vulnerability, an attack on Cisco, or on any vendor for that matter, is a common occurrence nowadays. The quality and accuracy of these vulnerability reports vary, but if you read enough of them you will see a few familiar story lines repeating themselves: "it's a feature, not a bug", or "is this a bug or a vulnerability?".
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” Microsoft explains.
The timeline of this vulnerability brings up an interesting debate. Security researchers often stretch the idea of how exploitable a given vulnerability could be, as opposed to reality, and that shows from time to time in certain vulnerability reports. In this instance the security researchers nailed it, stating that a .diagcab file can be used to gain code execution on the victim's machine. I don't want to open a Gordian knot by debating whether this is a bug or a vulnerability, although the disclosure timeline and Microsoft's explanation make DogWalk a good candidate for the "bug or vulnerability" debate, and for the question of whether Microsoft should have responded more quickly.
In late May/early June 2022, reports began to emerge that a new vulnerability had been discovered. Microsoft opted to provide a workaround and took the stance that it was a bug that did not warrant a patch.
Meanwhile, DHS/CISA and DoD agencies started alerting their teams internally about attacks in the wild, using threat intelligence shared by the community to prevent, detect and respond to the MSDT exploit. This bug leaped out of nowhere: most people still cannot fathom a diagnostic cab file infecting their machine, much as PDF and browser exploits once seemed implausible before they became commonplace in the threat actor's toolchain.
Did You Know? Even though .diagcab files downloaded from the Internet carry a Mark-of-the-Web (MOTW), Windows ignores it for this file type and opens the file without a warning, making this an interesting attack vector for red teamers.
An attacker can trigger remote code execution by creating a malicious .diagcab file and convincing a victim to open it, deploying arbitrary malware on the victim's machine. The malware's payload is then executed automatically on the next reboot as part of its persistence tactics.
Around the last week of July 2022, Microsoft started noticing the activity around "this bug" and published the following advisory:
MS Advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190 . Despite previously claiming that the DogWalk vulnerability did not constitute a security issue, Microsoft has now released a patch to stop attackers from actively exploiting it.
This leaves us with a question: have we learned from history, or is history repeating itself?
We feel Microsoft could perhaps be criticized for failing to consider, year after year, how easily files with known extensions are used to deliver malicious payloads.
Let's conclude by recognizing that the Internet's problems are global problems. In the author's humble opinion, we need to learn from these lessons to avoid history repeating itself over and over, and share threat intelligence collaboratively with the broader community so that we can respond to threats better than we did yesterday.
Qbot Exploits Follina Vulnerability
Qbot (aka Qakbot) is a very active banking trojan that exploits CVE-2022-30190 (the Follina vulnerability), as observed by LMNTRIX CDC in a recently concluded incident response investigation. The operators used a malicious Word document embedding the exploit code to gain initial access.
Qbot can be used to perform the following actions:
- Reconnaissance
- Lateral Movement
- Data Leakage
- Payload Deployment
- Brokering initial access for other threat actors and known affiliates
When Qbot's DLL payload is injected into the explorer.exe process, the malware establishes C2 connectivity and can perform discovery, exfiltrate data, or act as an initial access broker, depending on the given context.
List of IOCs (Indicators)
- Main object – 05-2022-0438.doc
  - sha256 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
  - sha1 06727ffda60359236a8029e0b3e8a0fd11c23313
  - md5 52945af1def85b171870b31fa4782e52
- Dropped executable files
  - sha256 C:\Users\admin\AppData\Local\Temp\SDIAG_ecb8c0a2-7a1e-4b6c-8ae0-2245f03bcc15\DiagPackage.dll 3218488d62cb0858101d2ec63ec73a032bc9787f5f87cb46abbea4477c97b16f
  - sha256 C:\Users\admin\AppData\Local\Temp\SDIAG_ecb8c0a2-7a1e-4b6c-8ae0-2245f03bcc15\en-US\DiagPackage.dll.mui c6d837ec0850e22c83b400fcded1791a2f4f99f0c56d6fc7d93e92a8b72c098d
  - sha256 C:\Users\admin\AppData\Local\Temp\r5qxr4ie.dll aa967ae9f6d80bdbd0f315defa17aaee0e756e7e2ad0e5261d8254bc0af1cc02
  - sha256 C:\Users\admin\AppData\Local\Temp\t52wyhbe.dll daf716cbe8810085251e6ef1e39869a9e61d929fac12ea5684c3b2caf993666b
  - sha256 C:\Users\admin\AppData\Local\Temp\qtwoghs1.dll f5361b6c9db8ac25433ae21f9a7b6490cc372ce2b1f802e2b06d5b904ce97109
- DNS requests
  - domain www[.]xmlformats[.]com
- Connections
  - ip 141.105.65.149
  - ip 20.42.65.85
  - ip 13.107.42.16
- HTTP/HTTPS requests
  - url hxxps://www[.]xmlformats[.]com/office/word/2022/wordprocessingDrawing/
  - url hxxps://www[.]xmlformats[.]com/office/word/2022/
  - url hxxps://www[.]xmlformats[.]com/office/word/2022/wordprocessingDrawing/RDF842l[.]html
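The IOC list above is defanged for safe publication (hxxps, [.]), so it has to be normalised and validated before it can be loaded into a blocklist or compared with telemetry. The Python below is an added example, not code from the original post or from LMNTRIX: it parses lines in the page's "<type> [path] <value>" layout, validates hash lengths and IP syntax, refangs domains and URLs, and matches a handful of constructed file, DNS, network and HTTP events against the result. The event field names (kind, query, dst_ip, url) and the malformed "sha256 deadbeef" line are constructed for illustration.

```python
"""IOC normaliser and matcher for the Qbot/Follina indicator list.
Added example, not part of the original post."""
import ipaddress
import re

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# A subset of the page's IOC list, copied as defanged, plus one constructed
# malformed line ("sha256 deadbeef") to show that validation rejects it.
RAW_IOCS = r"""
sha256 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
sha1 06727ffda60359236a8029e0b3e8a0fd11c23313
md5 52945af1def85b171870b31fa4782e52
sha256 C:\Users\admin\AppData\Local\Temp\r5qxr4ie.dll aa967ae9f6d80bdbd0f315defa17aaee0e756e7e2ad0e5261d8254bc0af1cc02
domain www[.]xmlformats[.]com
ip 141.105.65.149
url hxxps://www[.]xmlformats[.]com/office/word/2022/
sha256 deadbeef
"""


def refang(value: str) -> str:
    """Undo the [.] and hxxp defanging so the value can be compared with live telemetry."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_ioc_line(line: str):
    """Turn one '<type> [path] <value>' line into a dict, or None if validation fails."""
    parts = line.split()
    if len(parts) < 2:
        return None
    kind, value = parts[0].lower(), parts[-1]
    if kind in HASH_LENGTHS:
        digest = value.lower()
        if len(digest) != HASH_LENGTHS[kind] or not HEX_RE.match(digest):
            return None  # wrong length or non-hex: would silently never match
        entry = {"type": kind, "value": digest}
        if len(parts) == 3:  # 'sha256 <dropped file path> <hash>' form
            entry["path"] = parts[1]
        return entry
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return None
        return {"type": "ip", "value": value}
    if kind in ("domain", "url"):
        # lower-cased so matching is case-insensitive (URL paths treated the same way here)
        return {"type": kind, "value": refang(value).lower()}
    return None


def parse_iocs(text: str):
    """Return (accepted, rejected): validated IOC dicts and the raw lines that failed."""
    accepted, rejected = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        entry = parse_ioc_line(line)
        (accepted if entry else rejected).append(entry if entry else line)
    return accepted, rejected


def match_event(index, event):
    """Return the (type, value) IOC pairs that one telemetry event hits."""
    hits, kind = [], event.get("kind")
    if kind == "file":
        for algo in HASH_LENGTHS:
            digest = event.get(algo, "").lower()
            if digest and digest in index.get(algo, ()):
                hits.append((algo, digest))
    elif kind == "dns":
        query = event["query"].lower().rstrip(".")  # tolerate FQDN trailing dot
        for domain in index.get("domain", ()):
            if query == domain or query.endswith("." + domain):
                hits.append(("domain", domain))
    elif kind == "net" and event["dst_ip"] in index.get("ip", ()):
        hits.append(("ip", event["dst_ip"]))
    elif kind == "http" and event["url"].lower() in index.get("url", ()):
        hits.append(("url", event["url"].lower()))
    return hits


def scan_events(entries, events):
    """Return [(event_index, hits)] for every event that matches at least one IOC."""
    index = {}
    for e in entries:  # group values by type for O(1) lookups
        index.setdefault(e["type"], set()).add(e["value"])
    results = []
    for i, event in enumerate(events):
        hits = match_event(index, event)
        if hits:
            results.append((i, hits))
    return results


# Constructed telemetry (not real captures); events 0, 1, 3 and 4 should match.
SAMPLE_EVENTS = [
    {"kind": "file", "sha256": "4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784"},
    {"kind": "dns", "query": "www.xmlformats.com."},
    {"kind": "dns", "query": "www.example.com"},
    {"kind": "net", "dst_ip": "141.105.65.149"},
    {"kind": "http", "url": "https://www.xmlformats.com/office/word/2022/"},
    {"kind": "net", "dst_ip": "10.0.0.5"},
]
```

The rejected list is the part worth looking at in practice: a mistyped or truncated digest never matches anything and fails silently unless the loader flags it. Before blocking the connection indicators, confirm which destinations are attacker-controlled rather than shared infrastructure the endpoint legitimately talks to.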
Rules for Detecting the Dogwalk Exploit
MS Defender
DeviceProcessEvents | where ((ProcessCommandLine contains "WINWORD.EXE") and (ProcessCommandLine contains "msdt.exe") and (ProcessCommandLine contains "sdiagnhost.exe" or ProcessCommandLine contains "csc.exe" or ProcessCommandLine contains "PCWDiagnostic" or ProcessCommandLine contains "IT_ReBrowserForFile" or ProcessCommandLine contains "IT_BrowserForFile" or ProcessCommandLine contains "conhost.exe"))
Splunk
[Doc Malware]
alert.severity = 2
description = Detection (Rule ID: 74566a6a66aaasdq2ed)
cron_schedule = 0 * * * *
disabled = 1
is_scheduled = 1
is_visible = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
search = (source="WinEventLog:*" AND (CommandLine="*WINWORD.EXE*") AND (CommandLine="*msdt.exe*") AND (CommandLine="*sdiagnhost.exe*" OR CommandLine="*csc.exe*" OR CommandLine="*PCWDiagnostic*" OR CommandLine="*IT_ReBrowserForFile*" OR CommandLine="*IT_BrowserForFile*" OR CommandLine="*conhost.exe*"))
alert.suppress = 0
alert.track = 1
Elastic Query
(process.command_line:*WINWORD.EXE* AND process.command_line:*msdt.exe* AND process.command_line:(*sdiagnhost.exe* OR *csc.exe* OR *PCWDiagnostic* OR *IT_ReBrowserForFile* OR *IT_BrowserForFile* OR *conhost.exe*))
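The three rules above express the same token logic in three query languages. The Python below is an added example, not code from the original post: it implements that logic so it can be tested offline against constructed process-creation events. It assumes a minimal record with parent_image, image and command_line fields (an assumption about the telemetry schema), and it concatenates the parent image with the child command line before searching, because the page's rules look for WINWORD.EXE and msdt.exe in a single CommandLine field while most EDR schemas carry the parent in a separate field; that join is also an assumption.

```python
"""Process-chain detector for the MSDT (Follina/DogWalk) exploit.
Added example, not part of the original post."""
from dataclasses import dataclass

# Token sets taken from the page's detection rules; matching is case-insensitive.
REQUIRED_TOKENS = ("winword.exe", "msdt.exe")
ANY_OF_TOKENS = (
    "sdiagnhost.exe",
    "csc.exe",
    "pcwdiagnostic",
    "it_rebrowserforfile",
    "it_browserforfile",
    "conhost.exe",
)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record; the field names are an assumption."""
    timestamp: str
    host: str
    parent_image: str   # image path of the initiating (parent) process
    image: str          # image path of the created process
    command_line: str   # command line of the created process


def searchable_text(ev: ProcessEvent) -> str:
    """Join parent image, child image and child command line into one lower-cased string.
    The page's rules search one CommandLine field; concatenating the parent image here
    (assumed telemetry layout) lets WINWORD.EXE and msdt.exe both be found in one search."""
    return f"{ev.parent_image} {ev.image} {ev.command_line}".lower()


def matched_tokens(ev: ProcessEvent) -> list:
    """Return the optional indicators present in the event, in rule order."""
    text = searchable_text(ev)
    return [tok for tok in ANY_OF_TOKENS if tok in text]


def matches_msdt_rule(ev: ProcessEvent) -> bool:
    """True when both required tokens and at least one optional token are present."""
    text = searchable_text(ev)
    if not all(tok in text for tok in REQUIRED_TOKENS):
        return False
    return bool(matched_tokens(ev))


def scan(events) -> list:
    """Return one alert dict per matching event, keeping evidence for triage."""
    alerts = []
    for ev in events:
        if matches_msdt_rule(ev):
            alerts.append({
                "host": ev.host,
                "timestamp": ev.timestamp,
                "parent": ev.parent_image,
                "image": ev.image,
                "tokens": matched_tokens(ev),
            })
    return alerts


# Constructed sample telemetry (not real captures). Only the first event should fire.
SAMPLE_EVENTS = [
    # Word spawning msdt.exe with the diagnostic-pack id and a parameter name the rules look for
    ProcessEvent("2022-06-01T09:14:02Z", "WS-01",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /param "IT_BrowserForFile=<elided>"'),
    # A user running the same troubleshooter from Explorer: no Word parent, no alert
    ProcessEvent("2022-06-01T09:20:11Z", "WS-02",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" -id PCWDiagnostic'),
    # Word spawning a print helper: benign child, no alert
    ProcessEvent("2022-06-01T09:31:40Z", "WS-01",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe",
                 r'"C:\Windows\splwow64.exe" 12288'),
    # Word spawning msdt.exe with none of the optional indicators: the page's rules stay silent
    ProcessEvent("2022-06-01T09:45:03Z", "WS-03",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe"'),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The fourth sample event shows the rules' gap: an Office process spawning msdt.exe without any of the optional tokens does not fire. A stricter rule keyed on the parent-child pair alone (Office application launching msdt.exe) would catch it, at the cost of more triage for legitimate troubleshooter launches.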
We would like to thank crazyman (Shadow Chaser Group) and Imre Rad for the original research findings, for publishing the vulnerability details and a proof of concept, and j00sean for shedding more light on the issue and enabling the community at large to look into this vulnerability in depth.
This lab article is a living blog post; we will update it as appropriate.