
Cisco WebEx Meetings affected by a new elevation of privilege flaw

A vulnerability in the update service of the Cisco Webex Meetings Desktop App for Windows could allow elevation of privilege

A vulnerability in the update service of the Cisco Webex Meetings Desktop App for Windows, tracked as CVE-2019-1674, could be exploited by an unprivileged local attacker to elevate privileges and run arbitrary commands with SYSTEM user privileges.

“A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user,” reads the security advisory published by Cisco.

“The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.”

The flaw is a command injection vulnerability that could also be exploited remotely by leveraging the operating system's remote management tools.

The update service of Cisco Webex Meetings Desktop App for Windows fails to validate version numbers of new files.
An attacker could exploit this flaw by replacing the Cisco Webex Meetings update binary with a previous vulnerable version through a tainted update that will load a malicious DLL, leading to privilege escalation and allowing the attacker to run arbitrary commands with SYSTEM user privileges.

The vulnerability was reported to Cisco by the security researcher Marcos Accossatto of SecureAuth.

“The update service of Cisco Webex Meetings Desktop App for Windows does not properly validate version numbers of new files,” reads a blog post published by SecureAuth.

“An unprivileged local attacker could exploit this vulnerability by invoking the update service command with a crafted argument and folder. This will allow the attacker to run arbitrary commands with SYSTEM user privileges.”

According to SecureAuth, that flaw is a “bypass to avoid the new controls” implemented by Cisco after addressing a DLL hijacking issue tracked as CVE-2018-15442.

Experts explained that the flaw can be exploited by copying the atgpcdec.dll binary to a local folder controlled by the attacker and renaming it atgpcdec.7z. Then, the attacker has to compress a previous version of the ptUpdate.exe file as 7z and copy it to the same folder. The attacker also has to copy to the same folder a malicious DLL named vcruntime140.dll, compressed as vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the attacker-controlled folder so that the update binary (ptUpdate.exe) treats the above files as a legitimate update. In order to gain privileges, the attacker must start the service with the command line: sc start webexservice WebexService 1 989898 "attacker-controlled-path"

The SecureAuth researchers devised two proof-of-concept (PoC) attacks: the first targets the 33.8.X versions of the app and circumvents the signature check feature, and the second exploits all versions of the Cisco Webex Meetings Desktop App for Windows prior to 33.8.X.
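On the detection side, the service start described above leaves a process-creation record in which `sc start webexservice` carries extra arguments and a folder path. The following Python sketch is an added example, not code from Cisco or SecureAuth; the event fields, the sample records and the list of trusted install roots are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (fields as in Sysmon Event ID 1 / Security 4688).
SAMPLE_EVENTS = [
    {"user": r"CORP\alice",
     "cmdline": r'sc start webexservice WebexService 1 989898 "C:\Users\alice\AppData\Local\Temp\upd"'},
    {"user": r"NT AUTHORITY\SYSTEM", "cmdline": "sc.exe start webexservice"},
    {"user": r"CORP\bob", "cmdline": "sc query webexservice"},
    {"user": r"CORP\bob",
     "cmdline": r"SC.EXE \\HOST07 START WebExService WebexService 1 989898 D:\share\x"},
]

# Assumption: only these roots are not writable by standard users on the fleet.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string stays one token


def parse_sc_start(cmdline):
    """Return (service, extra_args) for `sc [\\\\server] start <service> ...`, else None."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("sc", "sc.exe"):
        return None
    rest = toks[1:]
    if rest and rest[0].startswith("\\\\"):  # optional remote server argument
        rest = rest[1:]
    if len(rest) < 2 or rest[0].lower() != "start":
        return None
    return rest[1].lower(), rest[2:]


def assess(event):
    """Flag starts of webexservice that pass arguments through to the service."""
    parsed = parse_sc_start(event["cmdline"])
    if parsed is None or parsed[0] != "webexservice" or not parsed[1]:
        return None
    extra = parsed[1]
    paths = [a for a in extra if PureWindowsPath(a).drive]  # drive letter or UNC share
    untrusted = [p for p in paths
                 if not (p.lower().rstrip("\\") + "\\").startswith(TRUSTED_ROOTS)]
    return {"user": event["user"], "args": extra, "untrusted_paths": untrusted,
            "severity": "high" if untrusted else "medium"}


def scan(events):
    return [f for f in map(assess, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["user"], finding["untrusted_paths"])
```

A start with arguments but no path outside the trusted roots is rated medium rather than dropped, so it can be compared against the update activity expected in the environment.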

Below is the timeline for the vulnerability:

  • 2018-12-04: SecureAuth sent an initial notification to the Cisco PSIRT including a draft advisory.
  • 2018-12-05: Cisco confirmed the reception of the advisory and informed SecureAuth that they would open a case.
  • 2018-12-07: Cisco replied that they were able to reproduce the vulnerability and they were working on a plan for the fix.
  • 2018-12-07: SecureAuth thanked Cisco for the update.
  • 2018-12-10: Cisco notified SecureAuth that the general availability of the fix would be before the end of February.
  • 2018-12-10: SecureAuth thanked Cisco for the update.
  • 2019-01-15: SecureAuth asked Cisco for an update.
  • 2019-01-22: SecureAuth asked Cisco for an update again.
  • 2019-01-22: Cisco answered saying they were still targeting the end of February for the release of the fix.
  • 2019-02-11: Cisco confirmed 27th February as the disclosure date.
  • 2019-02-27: Advisory CORE-2018-0012 published.

Pierluigi Paganini

(SecurityAffairs – Cisco Webex, hacking)
