Pierluigi Paganini February 28, 2019

A vulnerability in the update service of the Cisco Webex Meetings Desktop App for Windows could allow elevation of privilege

A vulnerability in the update service of the Cisco Webex Meetings Desktop App for Windows tracked as CVE-2019-1674 could be exploited by an unprivileged local attacker to elevate privileges and run arbitrary commands using the SYSTEM user privileges.

“A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user.” reads the security advisory published by Cisco.

“The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.”

The flaw is a Command Injection vulnerability that could be also exploited remotely by leveraging the operating system remote management tools.

The update service of Cisco Webex Meetings Desktop App for Windows fails to validate version numbers of new files.
An attacker could exploit this flaw by replacing the Cisco Webex Meetings update binary with a previous vulnerable version through a tainted update that will load a malicious DLL leading to privilege escalation and allowing hackers to run arbitrary commands with SYSTEM user privileges

The vulnerability was reported to Cisco by the security researcher Marcos Accossatto of SecureAuth.

“The update service of Cisco Webex Meetings Desktop App for Windows does not properly validate version numbers of new files,” reads a blog post published by SecureAuth.

“An unprivileged local attacker could exploit this vulnerability by invoking the update service command with a crafted argument and folder. This will allow the attacker to run arbitrary commands with SYSTEM user privileges.”

According to SecureAuth, that flaw is a “bypass to avoid the new controls” implemented by Cisco after addressing a DLL hijacking issue tracked as CVE-2018-15442.

Experts explained that the flaw can be exploited by copying to a local folder controlled by the attacker, the atgpcdec.dll binary and rename it as atgpcdec.7z. Then, the attacker has to compress a previous version of the ptUpdate.exe file as 7z and copy to the same folder. The attacker have to copy in the same folder a malicious dll named vcruntime140.dll and compressed as vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the controller folder for the update binary (ptUpdate.exe) to manage the above files as a legitimate update. In order to gain privileges, the attacker must start the service with the command line: sc start webexservice WebexService 1 989898 “attacker-controlled-path”

The SecureAuth researchers devised 2 proof of concept (PoC) attacks. The first one targeting the 33.8.X versions of the app to circumvent the signature check feature, and another attack PoC for exploiting all versions of the Cisco Webex Meetings Desktop App for Windows prior to 33.8.X.

Below the timeline for the vulnerability:

• 2018-12-04: SecureAuth sent an initial notification to the Cisco PSIRT including a draft advisory.
• 2018-12-05: Cisco confirmed the reception of the advisory and informed they will open a case.
• 2018-12-07: Cisco replied that they were able to reproduce the vulnerability and they were working on a plan for the fix.
• 2018-12-07: SecureAuth thanked the update.
• 2018-12-10: Cisco notified SecureAuth that the general availability of the fix will be before end of February.
• 2018-12-10: SecureAuth thanked the update.
• 2019-01-15: SecureAuth asked Cisco for an update.
• 2019-01-22: SecureAuth asked Cisco for an update again.
• 2019-01-22: Cisco answered saying they were still targeting the end of February for the release of the fix.
• 2019-02-11: Cisco confirmed 27th February as the disclosure date.
• 2019-02-27: Advisory CORE-2018-0012 published.

Pierluigi Paganini

(SecurityAffairs – Cisco Webex , hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]