The Windows component in question is Microsoft Management Console (MMC), where several cross-site scripting (XSS) bugs and a single XML external entity (XXE) flaw leave administrator PCs exposed. All of the bugs are tracked under a single identifier, CVE-2019-0948. Eran Vaknin and Alon Boxiner, researchers at security firm Check Point, published a description of the vulnerabilities: “The goal of MMC is to provide a programming platform for creating and hosting applications that manage Microsoft Windows-based environments, and to provide a simple, consistent and integrated management user interface and administration model,” they explained.

Because MMC consoles are normally opened by administrators, a successful exploit runs with that administrator's privileges. Building an exploit involves abusing MMC's snap-in feature. Snap-ins are legitimate Windows management tools that plug into the console host framework, and one of the snap-ins shipped with MMC is the ActiveX Control snap-in. An attacker need only craft a snap-in console file (.msc) containing malicious XML and use social engineering to persuade an administrator to import it.

“As the victim opens the malicious .msc file, a WebView is opened (within the MMC window) and the malicious payload is executed,” the team says. “We have successfully managed to insert a malicious URL link that contains malicious payloads, such as redirection to SMB server that will capture the user NTLM hash. Moreover, it is also possible to execute VBS script on the victims’ host via the mentioned WebView.”
Microsoft Response
Microsoft's accompanying advisory rates the vulnerabilities as moderately severe, and its description covers only the XXE component: “An information-disclosure vulnerability exists in the Windows Event Viewer (eventvwr.msc) when it improperly parses XML input containing a reference to an external entity,” the company said. “An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.” Microsoft fixed the flaws in its June 2019 Patch Tuesday updates; administrators who have not yet applied them should treat .msc files from untrusted sources with the same suspicion as any other executable attachment.
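The mechanism Microsoft describes above, and the malicious XML content in the .msc file mentioned earlier, both come down to one parser behaviour: a DOCTYPE declares an external entity whose SYSTEM identifier points at a local file, and a parser that resolves external entities pulls that file's contents into the document. The following is an added example written for this article, not Check Point's proof of concept and not Microsoft's code; it reproduces the behaviour with Python's standard-library SAX (expat) parser rather than MMC, and the `Console`/`Payload` element names, the `leak` entity and the `secret.txt` file are constructed for illustration and do not reflect the real .msc schema.

```python
"""Added example: how an XML external entity (XXE) declaration leaks a local
file, and how disabling external entity resolution stops it.  Element names
and the 'secret' file are constructed for this illustration."""
import io
import tempfile
import xml.sax
from pathlib import Path
from typing import Tuple
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects every run of character data the parser reports, including
    text that arrives through an expanded external entity."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts)


def build_console_file(target: Path) -> bytes:
    """Constructed .msc-like document (not the real schema): the DOCTYPE
    declares an external entity that points at a local file, and the body
    references it so the file's contents land inside the parsed document."""
    doc = (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE Console [<!ENTITY leak SYSTEM "{target.as_uri()}">]>'
        "<Console><Name>Console</Name><Payload>&leak;</Payload></Console>"
    )
    return doc.encode()


def parse_console(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse with the stdlib SAX reader.  With external general entities
    enabled, the parser opens the SYSTEM entity's target and splices its
    contents in; with them disabled, the reference expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo() -> Tuple[str, str]:
    """Parse the same crafted file twice; returns (vulnerable, hardened)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        secret.write_text("SECRET-TOKEN-123")  # constructed 'sensitive' file
        doc = build_console_file(secret)
        vulnerable = parse_console(doc, resolve_external_entities=True)
        hardened = parse_console(doc, resolve_external_entities=False)
    return vulnerable, hardened


if __name__ == "__main__":
    vuln, safe = demo()
    print("external entities resolved:", repr(vuln))
    print("external entities disabled:", repr(safe))
```

The vulnerable pass returns the literal `Console` text followed by the contents of `secret.txt`; the hardened pass returns only `Console`. The same division applies to .NET XML parsers used by Windows tooling: a parser whose resolver is left active (an `XmlDocument` with a non-null `XmlResolver`, or `XmlReaderSettings` with `DtdProcessing` set to `Parse`) will follow the entity, whereas setting the resolver to null or `DtdProcessing` to `Prohibit` refuses it.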