Microsoft Support Diagnostic Tool

{{short description|Microsoft Windows service}}

The Microsoft Support Diagnostic Tool (MSDT) is a legacy service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes.{{cite news|url=https://petri.com/microsoft-acknowledges-office-zero-day-flaw-windows-diagnostic-tool/|author=Rabia Noureen|date=May 31, 2022|work=petri.com|title=Microsoft Acknowledges Office Zero-Day Flaw Affecting Windows Diagnostic Tool}} In April 2022 it was observed to have a security vulnerability that allowed remote code execution which was being exploited to attack computers in Russia and Belarus, and later against the Tibetan government in exile.{{cite news|url=https://techcrunch.com/2022/06/01/china-backed-hackers-are-exploiting-unpatched-microsoft-zero-day/|title=China-backed hackers are exploiting unpatched Microsoft zero-day|author=Carly Page|date=June 1, 2022|work=techcrunch.com}} Microsoft advised a temporary workaround of disabling the MSDT by editing the Windows registry.{{cite web|url=https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/|title=Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability|author=MSRC|date=May 30, 2022}}
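The registry workaround mentioned above, written out as an added example (this is not code from the article or from Microsoft). It assumes the key to remove is the ms-msdt: protocol handler under HKEY_CLASSES_ROOT, which is the key Microsoft's May 30 guidance named, and it exports the key before deleting it so the change can be reverted once the June 2022 update is installed. The backup path is a constructed placeholder; run from an elevated PowerShell session.

```powershell
# Added example, not from the article or from Microsoft: disable the ms-msdt: URI
# handler (the temporary workaround MSRC published for CVE-2022-30190), with a
# backup taken first and the result verified. Assumption: the handler lives at
# HKEY_CLASSES_ROOT\ms-msdt, as named in Microsoft's guidance.

$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:TEMP 'ms-msdt-backup.reg'   # constructed path; choose your own

function Test-MsdtHandler {
    # $true while the ms-msdt: URI handler is still registered.
    return Test-Path -Path $MsdtKey
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # 1. Export the key so the workaround can be undone later.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup failed; refusing to delete $MsdtKey without one."
    }
    # 2. Remove the handler so an ms-msdt: URI no longer launches MSDT.
    Remove-Item -Path $MsdtKey -Recurse -Force
    # 3. Verify the key is really gone.
    if (Test-MsdtHandler) { throw 'Key still present after removal.' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Revert the workaround after the June 2022 security update is installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed.' }
    if (-not (Test-MsdtHandler)) { throw 'Handler was not restored.' }
    Write-Host 'ms-msdt handler restored.'
}

# Usage:
#   Disable-MsdtHandler   # before the patch is available
#   Restore-MsdtHandler   # after installing the June 2022 update
```

Deleting the handler only breaks the ms-msdt: launch path; it does not remove msdt.exe itself, so the workaround is a stopgap and the June 2022 update remains the actual fix.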

Use

When contacting support, the user is told to run MSDT and given a unique "passkey" to enter. They are also given an "incident number" that uniquely identifies their case. MSDT can also be run offline, in which case it generates a .CAB file that can be uploaded from a computer with an internet connection.{{cite web|url=https://www.thewindowsclub.com/how-to-run-microsoft-support-diagnostic-tool-in-windows-7|title=How to run Microsoft Support Diagnostic Tool in Windows 10|date=2 May 2019 }}

Security vulnerabilities

{{Infobox bug

|name = Follina

|alt =

|image =

|caption =

|CVE = {{CVE|2022-30190}}

|discovered=Publicly disclosed {{Start date and age|2022|5|27}}

|patched = June 14, 2022

|affected software = Microsoft Security Diagnostic Tool

|website =

}}

= Follina =

Follina is the name given to a remote code execution (RCE) vulnerability, a type of arbitrary code execution (ACE) exploit, in the Microsoft Support Diagnostic Tool (MSDT), which was first widely publicized on May 27, 2022, by a security research group called Nao Sec.{{cite news |author=Corin Faife |date=Jun 1, 2022 |title=China-linked hackers are exploiting a new vulnerability in Microsoft Office |work=theverge.com |url=https://www.theverge.com/2022/6/1/23150318/microsoft-office-china-hackers-exploiting-follina-vulnerability-tibet}} This exploit allows a remote attacker to use a Microsoft Office document template to execute code via MSDT. It works by exploiting the ability of Microsoft Office document templates to download additional content from a remote server. If the size of the downloaded content is large enough, it causes a buffer overflow allowing a payload of PowerShell code to be executed without explicit notification to the user. On May 30, Microsoft issued CVE-2022-30190{{cite web |title=Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability |url=https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190}} with guidance that users should disable MSDT.{{cite web |author=MSRC |date=May 30, 2022 |title=Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability |url=https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/}} Malicious actors have been observed exploiting the bug to attack computers in Russia and Belarus since April, and it is believed Chinese state actors had been exploiting it to attack the Tibetan government in exile based in India.{{cite news |author=Carly Page |date=June 1, 2022 |title=China-backed hackers are exploiting unpatched Microsoft zero-day |work=techcrunch.com |url=https://techcrunch.com/2022/06/01/china-backed-hackers-are-exploiting-unpatched-microsoft-zero-day/}} Microsoft patched this vulnerability in its June 2022 patches.{{cite news |last=Vijayan |first=Jai |date=June 14, 2022 |title=Microsoft Patches 'Follina' Zero-Day Flaw in Monthly Security Update |work=Dark Reading |location= |url=https://www.darkreading.com/vulnerabilities-threats/microsoft-june-security-update-includes-patch-for-follina-zero-day-flaw |access-date=June 14, 2022}}
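The attack path described above starts with an Office document whose template relationship points at a remote server. A defender can triage suspicious documents without opening them in Office by reading the package's relationship parts directly. The PowerShell below is an added example, not code from the article, from Nao Sec, or from Microsoft; it assumes only the standard Office Open XML layout (a zip archive containing `*.rels` XML parts, with attached templates carried by the `.../relationships/attachedTemplate` relationship type) and flags external attached-template targets that point at a remote location or directly at the ms-msdt: scheme.

```powershell
# Added example, not from the article: scan a .docx/.dotx/.docm package for the
# external attached-template relationship used to pull content from a remote
# server, plus any relationship target that names the ms-msdt: URI scheme.
# Uses only .NET's ZipFile and the built-in XML parser; Office is not required.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-SuspiciousOfficeRelationships {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Any *.rels part in the package may carry an external relationship.
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like '*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$doc = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $doc.Relationships.Relationship) {
                $target     = [string]$rel.Target
                $isExternal = $rel.TargetMode -eq 'External'
                $isTemplate = $rel.Type -like '*/attachedTemplate'
                $isMsdt     = $target -match '^\s*ms-msdt:'
                # Remote = http(s)/ftp/mhtml URL or a UNC path.
                $isRemote   = $target -match '^(?:https?|ftp|mhtml):|^\\\\'

                if ($isMsdt -or ($isExternal -and $isTemplate -and $isRemote)) {
                    $reason = if ($isMsdt) { 'ms-msdt: URI' } else { 'remote attached template' }
                    $findings += [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Id     = $rel.Id
                        Type   = $rel.Type
                        Target = $target
                        Reason = $reason
                    }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage: sweep a share or mailbox export and list what was flagged.
#   Get-ChildItem -Path .\samples -Recurse -Include *.docx,*.dotx,*.docm |
#       ForEach-Object { Get-SuspiciousOfficeRelationships -Path $_.FullName } |
#       Format-Table File, Part, Target, Reason -AutoSize
```

A legitimate document can carry an attached template that points at an internal file server, so a hit on "remote attached template" is a reason to inspect the target, not proof of compromise; a target naming ms-msdt: has no ordinary business use and should be treated as malicious.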

= DogWalk =

The DogWalk vulnerability is a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). It was first reported in January 2020, but Microsoft initially did not consider it to be a security issue. However, the vulnerability was later exploited in the wild, and Microsoft released a patch for it in August 2022.

{{Infobox bug

|name = DogWalk

|alt =

|image =

|caption =

|CVE = {{CVE|2022-34713}}

|discovered=Publicly disclosed {{Start date and age|2020|1|27}}

|patched = June 14, 2022

|affected software = Microsoft Security Diagnostic Tool

|website = [https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713 Microsoft Vulnerability Tracker for DogWalk]

|affected hardware=All Windows Computers, Mobiles and Servers}}

Originally discovered by Mitja Kolsek, the DogWalk [https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713 vulnerability] is caused by a path traversal vulnerability in the sdiageng.dll library. This vulnerability allows an attacker to trick a victim into opening a malicious diagcab file, which is a type of Windows cabinet file that is used to store support files. When the diagcab file is opened, it triggers the MSDT tool, which then executes the malicious code.

The vulnerability is exploited by creating a malicious diagcab file that contains a specially crafted path. This path contains a sequence of characters that is designed to exploit the path traversal vulnerability in the sdiageng.dll library. When the diagcab file is opened, the MSDT tool will attempt to follow the path. However, the path will contain characters that are not valid for a Windows path. This will cause the MSDT tool to crash.

When the MSDT tool crashes, it will generate a memory dump. This memory dump will contain the malicious code that was executed by the MSDT tool. The attacker can then use this memory dump to extract the malicious code and execute it on their own computer.{{Cite web |title=New 'DogWalk' Windows zero-day bug gets free unofficial patches |url=https://www.bleepingcomputer.com/news/security/new-dogwalk-windows-zero-day-bug-gets-free-unofficial-patches/ |access-date=2023-05-22 |website=BleepingComputer |language=en-us}}{{Cite web |title=Microsoft patches Windows DogWalk zero-day exploited in attacks |url=https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-windows-dogwalk-zero-day-exploited-in-attacks/ |access-date=2023-05-22 |website=BleepingComputer |language=en-us}}

Retirement

Microsoft is ending support for the legacy inbox Windows troubleshooters and, in 2025, will remove the MSDT platform entirely.{{Cite web |title=Deprecation of Microsoft Support Diagnostic Tool (MSDT) and MSDT Troubleshooters - Microsoft Support |url=https://support.microsoft.com/en-us/windows/deprecation-of-microsoft-support-diagnostic-tool-msdt-and-msdt-troubleshooters-0c5ac9a2-1600-4539-b9d0-069e71f9040a |access-date=2023-05-22 |website=support.microsoft.com}} Get Help is the replacement tool.

Windows versions

Future versions and feature upgrades will deprecate the MSDT after May 23, 2023.

References