mrobson
Staff
Staff

Description

 

In January 2020 security researcher Imre Rad identified a vulnerability he dubbed “DogWalk”[1]. This vulnerability was disclosed to Microsoft but Microsoft made the decision not to patch the vulnerability at this time as they believed it was part of legitimate functionality. On Tuesday this week however Microsoft did apply a patch for this vulnerability and allocated a formal CVE number, “CVE-2022-34713” following reports it has been observed being actively exploited in the wild[2].

 

The DogWalk vulnerability provides the ability to write files to a local system from a remote host. Whilst this vulnerability may seem minor in terms of risk it can bypass security controls that use mark of the web (MOTW) and bypasses many AV products, including defender, due to proxy execution through the Microsoft Diagnostics Tool (MSDT) executable. When this vulnerability is chained with other techniques it allows for RCE. For example, Microsoft reports that they have observed threat actors exploiting this vulnerability to save malicious executables to a victim’s startup directory (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder). Executables in this directory will be automatically executed by a victim endpoint on user login to an affected endpoint. A visual diagram of such an attack is provided below in Figure 1.

 

mrobson_0-1660399841188.png

 

Figure 1. Attack diagram associated with in-the-wild DogWalk exploitation.

 

FortiEDR Detection and Mitigation

FortiEDR will not detect or mitigate the file write directly but will block subsequent execution of malicious executables dropped through this exploitation, ultimately preventing exploitation of this vulnerability. These mitigations are effective in both v4.x and v5.x collectors.

 

Protection from this post-exploitation activity is through FortiEDR execution prevention policies and will prevent a malicious file from executing if it is successfully written to the startup directory or anywhere else on a protected endpoint. FortiEDR does not use MOTW as a sole means of detecting anomalous files nor does it whitelist executables just because they are created by signed Microsoft binaries so the use of this vulnerability to exploit these controls will not subvert FortiEDR. The execution prevention policy includes machine learning, integrations with FortiGuard Threat intelligence and online sandboxing to prevent malicious or suspicious files from executing.

 

Conclusion

 

Whilst this vulnerability poses significantly less risk than Follina, it still provides a valid RCE path for threat actors to exploit. Given that Microsoft has observed exploitation of this vulnerability in-the-wild users should ensure they have patched their operating systems to provide the best protection. FortiEDR will provide protection from expected post-exploitation activity, namely anomalous execution from the startup directory but patching the Windows OS is the most effective protection against DogWalk exploitation.

 

For examples of some of the many other threats FortiEDR can protect endpoints against, checkout other KB articles and IA reports here: https://www.fortinet.com/fortiguard/threat-and-incident-notifications

 

[1] https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd

[2] https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-windows-dogwalk-zero-day-exploited...

Contributors