14 DAY TRIAL // A vulnerability in Windows that was resolved by Microsoft on this month’s Patch Tuesday cycle allows hackers to steal sensitive files using the built-in Remote Assistance solution.
Remote Assistance, which comes by default in Windows, enables users to receive technical support by sending just an invitation file, which in turn allows an engineer to connect to their system by simply launching this file and without any other authentication methods.
While the process is fairly smooth and is indeed very effective when it comes to receiving technical support, it turns out it leaves the door open to hackers who might want to extract certain data from a system.
Researcher Nabeel Ahmed has discovered a flaw in the XML invitation file which can be exploited to automatically look for a certain file after the connection is established and upload it to a pre-defined remote server.
Users protected unless they open unknown invitations
Since the hacker has to alter the configuration data in the XML file and then convince the target to open the invitation, it means users are pretty much secure unless they launch files coming from sources they don’t trust. Furthermore, hackers can only extract specific files that they know they exist on the target system, though this method can be used for logs and backups.
“To exploit this condition, an attacker would need to send a specially crafted Remote Assistance invitation file to a user. A attacker could then steal text files from known locations on the victim's machine, under the context of the user, or alternatively, steal text information from URLs accessible to the victim,” Microsoft explains.
“The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”
The vulnerability was documented in CVE-2018-0878 and was reported to Microsoft in November last year. A patch was released in March 2018, so up-to-date systems are protected against exploits aimed at this flaw.