Windows Remote Assistance flaw could be exploited to steal sensitive files

Pierluigi Paganini March 21, 2018

A critical flaw in the Windows Remote Assistance tool allows someone you trust to take over your PC so they can help you fix a problem, and vice-versa.

A critical vulnerability in Microsoft’s Windows Remote Assistance (Quick Assist) feature affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7. The flaw could be exploited by a remote attacker to steal sensitive files on the targeted machine.
Windows Remote Assistance tool allows someone you trust to take over your PC so they can help you fix a problem, and vice-versa.

The Windows Remote Assistance feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.

Trend Micro Zero Day Initiative researchers Nabeel Ahmed discovered an information disclosure vulnerability in Windows Remote Assistance tracked as CVE-2018-0878. An attacker can trigger the flaw to obtain information to further compromise the victim’s system.
Microsoft fixed the vulnerability this month with the patch Tuesday, the issue resides in the way Windows Remote Assistance processes XML External Entities (XXE).

The CVE-2018-0878 vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).

Nabeel has also released online technical details and a proof-of-concept exploit code for the vulnerability.

The attacker can use the “Out-of-Band Data Retrieval” attack technique to exploit this vulnerability that resides in MSXML3 parser. The attacker offers the victim access to his computer via Windows Remote Assistance.

To set up a Windows Remote Assistance connection the attacker can:

  • Invite someone to help him;
  • Respond to someone who needs help.

When you invite someone to help you, an invitation file is generated (i.e. ‘invitation.msrcincident’) which contains XML data used for authentication.

In the following table are reported the parameters included in the request.

Windows Remote Assistance 2

The expert started using the MSXML3 to parse the XML data and discovered it does not properly validate the content. This means that an attacker can send a specially crafted Remote Assistance invitation file containing a malicious code to the victim that instructs the target computer to submit the content of specific files from known locations to a remote server controlled by the attackers.

“To exploit this condition, an attacker would need to send a specially crafted Remote Assistance invitation file to a user. A attacker could then steal text files from known locations on the victim’s machine, under the context of the user, or alternatively, steal text information from URLs accessible to the victim.” reads the security advisory published by Microsoft.

“The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”

Windows Remote Assistance

The expert warns of mass scale phishing attacks that leverage on  .msrcincident invitation files that could potentially result in loss of sensitive information.

“This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem.” Ahmed concluded.
“Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information.  An attacker could target specific log/config files containing username/passwords. ,” Ahmed warns.

The expert developed a tool to automate XXE exfiltration of multiple files by brute-forcing certain directory locations, the software is available on GitHub.

Don’t waste time,  install the latest update for Windows Remote Assistance as soon as possible.

[adrotate banner=”9″] [adrotate banner=”12″]  

Pierluigi Paganini

(Security Affairs – Windows Remote Assistance, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment