Open Source and information security mailing list archives
Date: Wed, 15 Jan 2020 09:21:50 +0100
From: Imre Rad <>
Subject: [FD] .diagcab directory traversal leading to arbitrary code

I identified a flaw in the implementation of Microsoft's
Troubleshooter technology that could lead to remote code execution if
a crafted .diagcab file is opened by the victim. The exploit leverages
a rogue webdav server to trick MSDT into dropping files to attacker
controlled locations on the file system.

If you see the following pattern in any Windows applications, they
might be vulnerable too:

#include <windows.h>
#include <strsafe.h>

#define MAXPATH 0x104

// attackerControlledSourcePath is the "user input" (e.g. a UNC path taken from the package)
void CopyPackageFilesToTemp(const TCHAR *attackerControlledSourcePath)
{
    TCHAR tempDirectory[MAXPATH];
    GetTempPathW(MAXPATH, tempDirectory);

    TCHAR allFilesFromAttackerControlledSourcePath[MAXPATH];
    StringCchPrintfW(allFilesFromAttackerControlledSourcePath, MAXPATH,
                     L"%s\\*.*", attackerControlledSourcePath);

    WIN32_FIND_DATAW FindFileData;
    HANDLE hFind = FindFirstFileW(allFilesFromAttackerControlledSourcePath, &FindFileData);
    if (hFind == INVALID_HANDLE_VALUE)
        return;

    do {
        TCHAR srcFile[MAXPATH];
        TCHAR dstFile[MAXPATH];
        // cFileName is trusted as a plain file name: nothing checks it for path separators
        StringCchPrintfW(srcFile, MAXPATH, L"%s\\%s",
                         attackerControlledSourcePath, FindFileData.cFileName);
        StringCchPrintfW(dstFile, MAXPATH, L"%s\\%s",
                         tempDirectory, FindFileData.cFileName);
        CopyFileW(srcFile, dstFile, TRUE);
    } while (FindNextFileW(hFind, &FindFileData) != 0);
    FindClose(hFind);
}

The thing is, the FindFirstFile/FindNextFile APIs could return file
entries with path separator characters in them; I implemented a rogue
webdav server to demonstrate this:

C:\Projects\diagcab>dir \\\DavWWWRoot\package
Volume in drive \\\DavWWWRoot has no label.
Volume Serial Number is 0000-0000
Directory of \\\DavWWWRoot\package
2017. 07. 12.  11:10    <DIR>          .
2017. 07. 12.  11:10    <DIR>          ..
2017. 07. 12.  10:48            27 648
1 File(s)         27 648 bytes
2 Dir(s) 251 292 504 064 bytes free

Microsoft refused to fix this issue, so it is recommended to stay away
from this file type.

You can find the full write up and the online demo project here:

And the source files here:

