Storm-1811's Quick-Assist phishing could have been worse
In early 2024, Microsoft published an blog about TA Storm-1811 using Quick Assist to conduct targeted social engineering attacks and deploy Black Basta ransomware.
Last updated
In early 2024, Microsoft published an blog about TA Storm-1811 using Quick Assist to conduct targeted social engineering attacks and deploy Black Basta ransomware.
Last updated
The full attack scenario is quite long, but could have been easier to execute a few months earlier.
Indeed, in October 2023, during redteam research, I discovered and reported a cross-site-scripting vulnerability in QuickAssist that could allow an attacker to bypass consent prompts in QuickAssist andtake full control over the computer without approval from the victim.
An attacker could :
Change its display name to spoof official Microsoft agents or anyone else
Execute javascript code on the victim’s Webview2 browser running QuickAssist, and communicate with the native app (and potentially exploit local vulnerabilities from there, if any)
Bypass consent prompts, especially the “Full Control” prompt required to remotely control the victim’s desktop
QuickAssist is a Webview2 built-in Windows utility to help someone by remotely viewing their desktop and eventually taking full control of their workstation to troubleshoot issues.
The helper must first send 6-long alphanumeric code to the perso who needs help (the sharer).
When run in normal operations, QuickAssist will display the following consent message to the sharer (on the left):
Once the sharing has started, the helper cannot take control over the sharer’s desktop unless another consent request is approved by the sharer, as shown in the screenshot below :
This exploit is a combination of multiple issues (at the time) on the script https://remoteassistance.support.services.microsoft.com/bundles/mainapp
Below is a preview of the script before it was fixed :
First, JS (and CSS) minification errors could be seen at the beginning of the file, leading to cleartext developer comments in the script, as well as functions that should not have been shipped to production. This helps a lot understanding the code and looking for vulnerabilities.
Second, we can see that the javascript href protocol was added to the whitelist in ad tags using $compileProvider.aHrefSanitizationWhitelist, essentially enabling on(e) click XSS at all ng-bind-html locations in the application.
The XSS injection point is located inside the displayName variable that is being sent to the victim upon initializing the session.
First, the attacker must prepare the Quick Assist session to store the XSS payload to send to its victim.
Without diving too deep into the technical details, the easiest way I’ve found to successfully inject into the displayName value is to intercept the HTTP response received after sending a POST request to the following URL :
By intercepting the response, we can easily change values before they are stored in Javascript and sent in further requests and websocket messages.
The attacker must then ask its victim to initiate a remote assistance session using the attacker’s code, retrieved in the previous response. For example, the attacker could send a phishing email asking the user to install a critical security update by running QuickAssist and entering a specific code. It could also be provided during a tech-support scam call.
As soon as the victim enters the code and completes the first connection steps, the malicious payload will be rendered on QuickAssist to trick the user into executing the XSS.
Here is an example :
By playing with existing CSS rules and HTML, we can completely hide the original consent prompt to display any phishing message.
The displayed message contains a very basic malicious a tag which uses the javascript: scheme to run Javascript when clicked :
Full demo
Left pane is the attacker, right pane is the victim. Attacker trafic is intercepted and forged manually using Burpsuite, but the whole setup could have been fully automated.
FullControl consent bypass
The following javascript payload can be used to proceed with the sharing request and force the victim to set the sharing mode to “FullControl” without its consent.
Note that it is possible to send any other command available in QuickAssist native app using this method.
The full “FirstName” payload used in the video is below :
Credentials phishing and exfiltration
After triggering the XSS, a form can be added to the page to harvest credentials from QuickAssist window.
It is possible to exfiltrate harvested credentials via remoteassistanceprodacs.communication.azure.com since the communication channel is already established and it is allowed by CORS.
The JWT token and joinUri can be retrieved from `localStorage` to build an authenticated POST request to https://remoteassistanceprodacs.communication.azure.com/chat/threads/{joinUri}/messages?api-version=2021-09-07 , send the message, then retrieve it on the attacker’s side by sending an authenticated GET request to the same endpoint using their own credentials.
September 2023 : Discovery
18/10/2023 : MSRC Report
7/11/2023 : MSRC confirms vulnerability
10/11/2023 : $1000 bounty awarded (no CVE assigned)
Sometime early 2024 : Vulnerability fixed
