XXE Vulnerabilities Found in Microsoft Management Console

Giulio Saggin
Tuesday 28 November 2023

Several vulnerabilities that "allow an attacker to deliver a malicious payload" have been found in Microsoft Management Console (MMC), reports Check Point Research.

MMC has an integrated snap-in component and attackers can exploit these vulnerabilities via the snap-in. An attacker would create their own snap-in file (.msc file extension) containing 'malicious' XML content, which the victim then imports. When the malicious .msc file opens, the payload is executed.

Another way in for an attacker is to create a file with the ActiveX control snap-in and save it as an .msc file (all ActiveX controls are vulnerable, according to Check Point).

"In the .msc file, under the StringsTables section, the attacker changes the third string value to a malicious URL under his control, containing an HTML page with a malicious payload."

The CVE also contains an "XXE vulnerability due to a faulty XML parser", where the victim opens the MMC, chooses the event viewer snap-in and clicks on 'Action', then 'Import Custom View'. When the malicious XML file is chosen, any file from the victim's host is sent to the attacker.

Microsoft described the vulnerability as a moderate-severity information-disclosure bug, stating that "An information-disclosure vulnerability exists in the Windows Event Viewer (eventvwr.msc) when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration."

Check Point, however, say the bugs could allow a more serious attack than just information disclosure, telling Threatpost: "The most notable aspect is that MMC files are being used ... by IT administrators, anti-virus does not categorise those files as malicious and it is possible to take control over the victim PC by exploiting the vulnerabilities. That PC would have admin status, allowing adversaries to penetrate further into the network."

Windows 7, Windows 8.1, Windows 10, and Windows Server 2008 to Windows Server 2019 are vulnerable and should be updated, they added. So far, there is no evidence of exploitation.

The CVE assigned to this vulnerability, CVE-2019-0948, was released as part of June 11's Patch Tuesday.

Check Point researchers: Eran Vaknin and Alon Boxiner. Read their full report.
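A pre-import check a defender could run over custom view XML or .msc files before opening them, shown here as an added example that is not from Check Point's report or from Microsoft. It flags any DTD and any external entity declaration as plain text, without parsing the file or resolving anything; the function names, verdict labels and sample documents are assumptions constructed for illustration.

```python
import codecs
import re

# Byte-order marks and the codec that decodes a file starting with each.
_BOMS = ((codecs.BOM_UTF8, "utf-8-sig"), (codecs.BOM_UTF16_LE, "utf-16"),
         (codecs.BOM_UTF16_BE, "utf-16"))
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
# General (<!ENTITY name ...>) and parameter (<!ENTITY % name ...>) entities
# that reference something outside the document via SYSTEM or PUBLIC.
# Matches inside comments and CDATA are reported too: the gate fails closed.
_EXT_ENTITY = re.compile(
    r"<!ENTITY\s+(%\s+)?([^\s%]+)\s+(SYSTEM|PUBLIC)\s+(\"[^\"]*\"|'[^']*')", re.I)


def decode_xml(raw: bytes) -> str:
    """Decode by BOM, then by the UTF-16 shape of a leading '<', else UTF-8."""
    for bom, codec in _BOMS:
        if raw.startswith(bom):
            return raw.decode(codec, errors="replace")
    if raw[:2] == b"<\x00":
        return raw.decode("utf-16-le", errors="replace")
    if raw[:2] == b"\x00<":
        return raw.decode("utf-16-be", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_xml(raw: bytes) -> dict:
    """Return 'block' for external entities, 'review' for any DTD, else 'ok'."""
    text = decode_xml(raw)
    entities = [
        {"name": m.group(2), "parameter": bool(m.group(1)), "kind": m.group(3).upper()}
        for m in _EXT_ENTITY.finditer(text)
    ]
    has_dtd = bool(_DOCTYPE.search(text))
    verdict = "block" if entities else "review" if has_dtd else "ok"
    return {"doctype": has_dtd, "external_entities": entities, "verdict": verdict}


# Constructed samples; element names are illustrative, the URL is a placeholder.
BENIGN = b"<ViewerConfig><QueryConfig><Name>Errors</Name></QueryConfig></ViewerConfig>"
SUSPECT = ('<?xml version="1.0"?>\n<!DOCTYPE v [\n'
           '  <!ENTITY % ext SYSTEM "http://example.invalid/placeholder.dtd">\n]>\n'
           "<ViewerConfig/>").encode("utf-16")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_xml(sample))
```

A legitimate custom view or snap-in file has no reason to declare a DTD, so both the "review" and "block" verdicts are worth holding the file back for inspection.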
