Cisco recently reissued a patch for a serious vulnerability in its Webex Meetings platform after researchers from SecureAuth discovered the initial pa
Cisco recently reissued a patch for a serious vulnerability in its Webex Meetings platform after researchers from SecureAuth discovered the initial patch wasn’t effective. What was wrong with the Webex patch and how did attackers bypass it?
The new patch for Cisco’s Webex Meetings platform was reissued after researchers found that the previous service update had failed to properly validate the parameters supplied by the user. The new Cisco patch addresses a privilege escalation vulnerability tracked as CVE-2018-15442.
The original vulnerability enabled a local attacker to gain SYSTEM user privileges by starting the application’s update service with a crafted, malicious command argument. The original Cisco patch only forced application update services to use files that had been signed by Webex. However, that patch still enabled an attacker to bypass the patch by using hijacked dynamic-link libraries (DLLs) to execute malicious DLL files on the system when the user runs a Windows application.
To demonstrate how they exploited the vulnerability, SecureAuth researchers created a batch file that copied the ptUpdate.exe binary file from the installation folder to a local attacker-controlled folder. Once inside the folder, the researchers created a simple DLL to execute the Notepad editor when the program loads to demonstrate that they could control the system.
The malicious DLL file, named wbxtrace.dll, is created using the certutil.exe program — a utility for viewing and managing certificates — and placed in the same folder with the Notepad editor DLL. Once all these steps are taken, the Notepad program can run with full SYSTEM user privileges. An actual attacker would use an application other than Notepad to exploit the escalated privileges on the target system.
The researchers demonstrated how attackers can start webexservice with the following command:
sc start webexservice install software-update 1 “attacker-controlled-path.”
If parameter 1 fails, then the batch moves on to use parameter 2 with the command line:
sc start webexservice install software-update 2 “attacker-controlled-path.”
Once the batch file is loaded, the update service calls the malicious DLL with the displayed parameters.
The vulnerable products include Cisco Webex Meetings Desktop App releases prior to 33.6.4 and Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6. Likewise, Cisco has reissued the patch for Cisco Webex Meetings Desktop App release 33.6.4 and later releases.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)