Microsoft Management Console Bugs Allow Windows Takeover

microsoft management console patch

Multiple cross-site scripting (XSS) bugs and an XML external entity (XXE) problem opens the door to takeover of admin desktops.

A Windows interface that allows system administrators to configure and monitor systems from an admin level has several vulnerabilities that would allow an attacker to install malicious payloads and even take over a target, privileged machine.

The bugs are grouped under one umbrella (CVE-2019-0948) and are found in the Microsoft Management Console (MMC), according to Check Point researchers Eran Vaknin and Alon Boxiner,

“The goal of MMC is to provide a programming platform for creating and hosting applications that manage Microsoft Windows-based environments, and to provide a simple, consistent and integrated management user interface and administration model,” they explained in a breakdown of the vulnerabilities, given to clients last week but just made public on Monday. As such, a compromised PC would offer access to a range of privileged functions and access.

The issues include multiple cross-site scripting (XSS) bugs and XML external entity (XXE) problems. One set of flaws includes multiple XSS vulnerabilities that exist in WebView.

Attackers can exploit the bugs by abusing the “snap-in” mechanism in MMC, the researchers said. MMC snap-ins are the actual management tools available for the platform. The console — sometimes referred to as a “tools host” — is simply a framework into which the snap-ins are added. Snap-ins include ActiveX Control, Link to Web Address and so on.

To exploit the vulnerability, an attacker would create a snap-in file (with the .msc file extension) containing specially crafted XML content, and then convince an authenticated user to import the file using any number of social-engineering techniques.

The researchers explained that if an attacker creates a file with the Link to Web Address snap-in, he can insert a URL link to his own server within it, thus directing victims to an HTML page with a malicious payload.

“As the victim opens the malicious .msc file, a WebView is opened (within the MMC window) and the malicious payload is executed,” the researchers explained. “We have successfully managed to insert a malicious URL link that contains malicious payloads, such as redirection to SMB server that will capture the user NTLM hash. Moreover, it is also possible to execute VBS script on the victims’ host via the mentioned WebView.”

Similarly, an attacker can choose to create a file with the ActiveX Control snap-in (all ActiveX controls are vulnerable, the researchers said) and save it as an .msc file. “In the .msc file, under the StringsTables section, the attacker changes the third string value to a malicious URL under his control, containing an HTML page with a malicious payload,” the two explained.

Also included in the CVE is an XXE vulnerability due to a faulty XML parser.

“A victim opens the MMC and chooses the event viewer snap-in and clicks on ‘Action’ – and then on ‘Import Custom View,'” the researchers said. “As soon as a malicious XML file is chosen (containing an XXE payload) any file from the victim’s host is sent to the attacker.”

Microsoft, in its advisory, described it tersely as a moderate-severity information-disclosure bug.

“An information-disclosure vulnerability exists in the Windows Event Viewer (eventvwr.msc) when it improperly parses XML input containing a reference to an external entity,” it said. “An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.”

Microsoft patched the issues in its June Patch Tuesday update.

However, Vaknin and Boxiner said that the bugs could allow a more serious attack than just information disclosure.

The researchers told Threatpost, “The most notable aspect is that MMC files are being used…by IT administrators, anti-virus does not categorize those files as malicious and it is possible to take control over the victim PC by exploiting the vulnerabilities.” That PC would have admin status, allowing adversaries to penetrate further into the network.

Windows 7, Windows 8.1, Windows 10, and Windows Server 2008 to Windows Server 2019 are vulnerable and should be updated, they added. So far, there is no evidence of exploitation.

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts from Malwarebytes, Recorded Future and Moss Adams as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.

Suggested articles