Windows Remote Assistance

The Windows Remote Assistance tool that ships with all Windows distributions can be can be abused for clever hacks in targeted attacks.

Belgian security researcher Nabeel Ahmed discovered a vulnerability in this tool in February last year and reported it to Microsoft in October. A patch for the issue —tracked as CVE-2018-0878— was included with the March 2018 Patch Tuesday, released last week.

Vulnerability ideal for data exfiltration

The vulnerability allows an attacker to extract any file from a victim's computer without the target's knowledge and upload it to a remote server.

Because of this, the vulnerability is perfect for data exfiltration and can be used to sneakily steal any file from a victim's computer.

The good news is that this cannot be mass-exploited and needs social engineering to trick a victim into opening a remote assistance session.

How the hack works

To understand how this vulnerability/hack works, users must first know how Windows Remote Assistance tool works.

As the name implies, this is a remote help tool, similar to TeamViewer, only it's made by Microsoft and bundled with all Windows versions since XP.

When someone requests help from another user via the Remote Assistance tool, the app generates a file named "Invitation.msrcincident."

The user who requests help needs to send this file via email or any other means to the person that has agreed to help. The "helper" needs to double-click this file to connect to the "requester's" computer via a remote desktop session.

The "Invitation.msrcincident" is nothing more than an XML file containing various configuration data. Ahmed discovered that Microsoft failed to sanitize this file and he was able to embed a well-known XML External Entity (XEE) exploit in the invitation file.

When the victim opens the boobytrapped Invitation.msrcincident, the victim's Windows Remote Assistance tool can be tricked into taking a local file and uploading it to a remote server.

Hack useful in targeted attacks

Attackers could use this vulnerability to recover files containing sensitive information, known to exist on a target's PC, such as logs, backups, database files, INI and other settings files that may contain passwords or other configuration options.

As mentioned before, this type of vulnerability cannot be mass-exploited and requires convincing a victim into providing technical support in the first place. Hence, CVE-2018-0878 is ideal only for a small subset of targeted attacks against certain high-profile individuals open to providing technical assistance.

Microsoft has shipped patches for all Windows 7 and later OS versions. On modern-day Windows 10 systems, Microsoft has replaced the aging Remote Assistance app with a newer tool named Quick Assist —which is not vulnerable to this type of attack, as it uses invite codes instead of invitation files.

Related Articles:

New Fallout Exploit Kit Drops GandCrab Ransomware or Redirects to PUPs

IC3 Issues Alert Regarding Remote Desktop Protocol (RDP) Attacks

0Day Windows JET Database Vulnerability disclosed by Zero Day Initiative

Windows Systems Vulnerable to FragmentSmack, 90s-Like DoS Bug

Microsoft Is Updating Office Desktop on Windows With New Features for Insiders