Core Security Technologies researchers uncovered two stack overflow bugs in the Cisco WebEx player and the on-demand WebEx Meeting Center service. Cisco says it has fixed both issues.
Researchers at Core Security Technologies issued an advisory warning on Jan.
31 about two stack overflow vulnerabilities in Cisco WebEx applications. These
vulnerabilities grant attackers code execution privileges on the machine,
according to Core Security.
The stack-based
overflow vulnerabilities were found in the WebEx player, used to view
archived WebEx presentations, and in WebEx
Meeting Center's
polling functionality. Core Security alerted Cisco to both security issues on
Oct. 4, according to the published
security advisory.
Cisco fixed the issue in WebEx Meeting Center in early January, but
estimated it may take up to four weeks to "end of January, beginning of
February," before all the customers are updated to the same version of the
code. The WebEx player bug was fixed with the new version released Feb. 1, Alex
Horan, director of product management at Core Security, told eWEEK.
"Sometimes innocent actions, such as opening an e-mail attachment that
appears to be a recorded WebEx presentation, can leave a computer vulnerable to
hackers," said Horan.
The WebEx player flaw was exploited via a manipulated WRF file, Horan said.
The security team changed a .WRF file created by the Cisco WebEx recorder
application by modifying one byte of the working file, Horan said. When the
manipulated file was played in the WebEx player, it caused a stack overflow,
giving attackers operating-system level control of the machine, he said.
"Just because you haven't used a program or have forgotten it is
installed doesn't mean it can't come back to haunt you," said Horan.
It was a little difficult to estimate the extent of the problem, since the
WebEx player is not as widely installed as Office or Web browsers, according to
Horan. Users may have installed the WebEx player at one time to view a
recording of a meeting and not have bothered to uninstall it afterward, he
said. Even though it would be hard for the attacker to know who has it
installed within an organization, "all it takes is someone to send a
specially crafted file with the .WRF extension," he said.
When the WRF player attempts to play that malicious file, the exploit code
can execute a process outside of the player so that it stays in the computer's
memory after the user closes the player, Horan said. At this point, the exploit
can perform an action or phone home to the attacker for instructions on what to
do next, he said. Core researchers created a proof-of-concept where the exploit
escaped the player and opened up the Calculator application, he said. While
there were some tricks to do it in a way the antivirus couldn't detect it, it
was not considered very difficult to do, he said.
According to Federico Muttis, one of the Core Security researchers who
uncovered the bug, the team had a "working proof of concept" in "about
10 minutes." The Core Security team included researchers Sebastian Tello
and Manuel Muradas, as well.
WebEx has not had many security
problems, and attackers have not generally used it as an attack vector, so
antivirus products are not likely to be scanning or checking WRF files, Horan
said.
The bug in the WebEx Meeting
Center was in the ATP polling
functionality, Horan said. The WebEx Meeting
Center application allows connected
participants to create and respond to polls during the course of a meeting. A
malicious user could introduce a modified poll during a WebEx meeting to gain
control of the connected machines, he said. The users didn't need to respond to
the poll at all, he said.
The exploit used the ATP file in a text editor by putting in an "overly
long" string into the XML file, Muttis said. When the modified ATP file
was published as a poll, the client crashed immediately. "That alone would
have been good enough for a client-side Cisco
WebEx Meeting Center
exploit," Muttis said. The stack overflow generated with the exploit wasn't
limited to just the client that uploaded the file, but any participants
connected to the meeting, according to Muttis.
Since WebEx Meeting
Center is a software-as-a-service
product, the fix was immediately pushed out to customers during their next
WebEx meeting, Horan said. WebEx attendees should no longer encounter this
particular stack overflow issue, he said.
The WebEx player vulnerability is fixed in the latest version of the
software, available online. Since the software doesn't have an auto-update
function or the ability to look for the latest update, users will have to
manually uninstall and reinstall the latest version to ensure the fix is installed,
Horan said.
Email
Print
