
Summary
The Microsoft Diagnostic Tool (MSDT), specifically its DLL 'sdiageng.dll', is vulnerable to a path traversal flaw. When the tool processes the package configuration XML inside a diagcab archive, an attacker can supply a folder path that causes arbitrary files from an attacker-controlled directory to be included. The tool copies the files from that folder into a local temporary directory without validating the path, which can lead to malicious files being executed on the target system. The impact is significant: if an attacker successfully delivers a crafted diagcab archive to a vulnerable system, the flaw can be exploited for remote file execution and thus code execution. The detection rule monitors execution events of the MSDT executable (msdt.exe) that involve diagcab files, helping to identify potential exploitation attempts.
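As an added illustration (not code from the rule's source), a minimal version of the detection logic described above, run over constructed Sysmon-style process-creation events; the field names, sample paths and command lines are assumptions:

```python
import re

# Constructed sample process-creation events (Sysmon-style field names assumed).
SAMPLE_EVENTS = [
    # msdt.exe launched from Explorer with a downloaded diagcab: should match.
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" /cab "C:\Users\alice\Downloads\update.diagcab"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Different casing and the 32-bit image path: should still match.
    {"Image": r"C:\Windows\SysWOW64\MSDT.EXE",
     "CommandLine": r"MSDT.EXE /cab C:\TEMP\PACKAGE.DIAGCAB",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Constructed benign launch of a built-in troubleshooter, no diagcab: no match.
    {"Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" -id DeviceDiagnostic',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # A diagcab path in the command line of a different binary: no match.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Downloads\update.diagcab",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# ".diagcab" followed by a non-word character or end of string, case-insensitive,
# so quoted and unquoted paths are both covered.
_DIAGCAB_RE = re.compile(r"\.diagcab\b", re.IGNORECASE)


def is_msdt_diagcab_execution(event: dict) -> bool:
    """True when the process image is msdt.exe and its command line references a diagcab file."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # Compare only the file name so the System32/SysWOW64 location and casing do not matter.
    exe_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe_name == "msdt.exe" and _DIAGCAB_RE.search(cmdline) is not None


def find_suspicious(events):
    """Return the matching events with the fields an analyst needs for triage."""
    return [
        {"Image": e.get("Image"), "CommandLine": e.get("CommandLine"),
         "ParentImage": e.get("ParentImage")}
        for e in events if is_msdt_diagcab_execution(e)
    ]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

The parent image is carried along purely for analyst context; the match itself rests only on the two conditions the rule describes.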
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1204
Created: 2024-02-09