Once the "victim" clicks on "Allow" an screen sharing session is setup which is basically RDP over HTTPS using WebSockets. I'm sure you'll agree that the right one looks much more convincing (apart from the name "SupportMcSupportFace", which can be changed obviously!) Switching boolean flags from "false to "true" for "IsMicrosoft" and "IsMicrosoftSupport".īelow you'll see the comparison between not changing those flags and changing them.Īs you can see above there is a slight difference in the prompt the "victim" receives. I've changed my FirstName, LastName, IsMicrosoft, IsMicrosoftSupport and CompanyName parameters. You're probably wondering what if you change these values? Well, that's what I did. UserInfo contains some really interesting options: ![]() You've probably figured it out by now and noticed a very interesting parameter in this JSON request, namely "userInfo" I'll give you a minute to look at the above request and figure out what's wrong here. After clicking on "continue" Quick Assist will perform some additional HTTP requests and one of them looks like this: Now we are reaching another interesting point within this whole process. The attacker/scammer will (most) likely choose the first option and simply take control of the victim's machine. In my opinion this is strange to give the "helper" (attacker/scammer) the option to choose what he wants to do with the "victim". The attacker has the choice to either take full control of the remote computer or simply view the screen without controlling any input devices. The attacker/scammer's "Quick Assist" will wait for a reply from the ".com" servers to initiate the next step of the process.Īfter some HTTP calls the attacker is prompted with the following window: Now we simply wait for the victim to put in the code and the victim will get a "waiting" screen. The victim will get an email that looks something like the screenshot above. (FUN FACT: you can put pretty much anything in the "code" parameter value) Now this is the first step that makes the "victim" seem confident he/she is talking to a real Microsoft Support representative.Ībove you can see the HTTP request, it's a JSON request with "destination" and "code" as the 2 parameters. The sender of the mail is a legitimate Microsoft email address. Interesting enough this mail is delivered without any information regarding the person who exactly is sending it. Now here things get interesting, since a scammer would like to make the victim believe that he is genuinely someone from Microsoft providing support he can choose the option to send the code via email. There are several ways to send this code as you can see above. Once you've logged in, Quick Assist will continue its HTTP requests (HINT: it's setting up an anonymous Skype Businness meeting room) and retrieve a security code which needs to be sent to the person/victim requiring assistance. In order to be able to assist a person you'll have to sign-in/up with a microsoft account. If we continue down that route you can see a bunch of HTTP requests going back and forth and you'll be finally asked to sign-in. You get 2 options, either provide assistance or request assistance.Īn attacker/scammer would obviously like to "assist" another person. Once you startup "Quick Assist" it looks as follows: ![]() I fired up Burp Suite and let everything pass through the proxy and started looking at the HTTP requests coming in. So I stumbled upon "Quick Assist" I was wondering if it was just MSRA repackaged in a fancy name. As you may recall, last year i've found a quite simple vulnerability in Microsoft's Remote Assistance tool which allowed users to ask for assistance. ![]() Quick Assist User Spoofing (Vuln/Feature)Īs any researcher other would do, I started looking at the interesting features Microsoft added to Windows 10. Microsoft decided not to fix it since it needs high level of social engineering to exploit this vulnerability. This vulnerability allows attackers to impersonate Microsoft Support via the built-in remote support tool of Windows 10 named "Quick Assist".
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |