New Cross-site Scripting Attack GrimResource Exposed in Windows 11

TapTechNews, June 25 - Elastic Security, a network security company, published a blog post on June 22 revealing a new attack technique named GrimResource, which uses specially crafted Microsoft Management Console (MMC) files and an unpatched Windows cross-site scripting (XSS) vulnerability to execute arbitrary code.


Elastic Security discovered a sample (sccm-updater.msc) uploaded to VirusTotal on June 6 of this year and found that hackers have already launched attacks using GrimResource. The cross-site scripting vulnerability has not been patched in the latest version of Windows 11.

The GrimResource attack starts with a malicious MSC file, which attempts to execute arbitrary JavaScript through a forged URL by exploiting a DOM-based cross-site scripting vulnerability in the apds.dll library.

The vulnerability was reported to Adobe and Microsoft in October 2018. Although both companies conducted investigations, Microsoft determined that the vulnerability did not meet the criteria for immediate repair.

As of March 2019, the cross-site scripting vulnerability remained unpatched, and it is unclear whether it has since been resolved.


Malicious MSC files distributed by attackers contain references to the vulnerable APDS resource in the StringTable section, so when the target opens the file, MMC processes it and triggers JavaScript execution in the context of mmc.exe.

Elastic explained that the cross-site scripting vulnerability can be combined with the DotNetToJScript technique to execute arbitrary .NET code through the JavaScript engine, bypassing any security measures.
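A defender-side triage check for the StringTable reference described above, added here as an example and not taken from Elastic's or Microsoft's code. It assumes MSC files are XML with `StringTable` and `String` elements and treats any string naming apds.dll as the indicator; the function names and both sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Assumption: a StringTable entry that names apds.dll is the indicator.
INDICATOR = re.compile(r"apds\.dll", re.IGNORECASE)

def _normalize(text):
    """Undo repeated percent-encoding so encoded references still match."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_apds_references(msc_text):
    """Return (string_id, value) for each StringTable entry naming apds.dll."""
    try:
        root = ET.fromstring(msc_text)
    except ET.ParseError:
        # Malformed XML: fall back to a raw scan so broken files are not skipped.
        raw = _normalize(msc_text)
        return [("raw", m.group(0)) for m in INDICATOR.finditer(raw)]
    hits = []
    for table in root.iter("StringTable"):
        for entry in table.iter("String"):
            value = _normalize(entry.text or "")
            if INDICATOR.search(value):
                hits.append((entry.get("ID"), value))
    return hits

# Constructed sample: a minimal console file with ordinary strings only.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <GUID>{00000000-0000-0000-0000-000000000000}</GUID>
      <Strings>
        <String ID="1" Refs="1">Favorites</String>
        <String ID="2" Refs="1">Console Root</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>"""

# Constructed sample: same file, one string swapped for an inert placeholder
# that names apds.dll with mixed case and a percent-encoded dot.
SUSPECT_MSC = BENIGN_MSC.replace("Console Root", "PLACEHOLDER://ApDs%2Edll/placeholder")
```

Any hit is a reason to quarantine the file and inspect it by hand; an empty result does not prove an MSC file is safe.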

TapTechNews attaches the following cross-site scripting demonstration image:
