Cisco Patches Two Stack Overflow Bugs in WebEx Software

Core Security Technologies researchers uncovered two stack overflow bugs in the Cisco WebEx player and the on-demand WebEx Meeting Center service. Cisco says it has fixed both issues.

Researchers at Core Security Technologies issued an advisory warning on Jan. 31 about two stack overflow vulnerabilities in Cisco WebEx applications. These vulnerabilities grant attackers code execution privileges on the machine, according to Core Security.

The stack-based overflow vulnerabilities were found in the WebEx player, used to view archived WebEx presentations, and in WebEx Meeting Center's polling functionality. Core Security alerted Cisco to both security issues on Oct. 4, according to the published security advisory.

Cisco fixed the issue in WebEx Meeting Center in early January, but estimated it may take up to four weeks to "end of January, beginning of February," before all the customers are updated to the same version of the code. The WebEx player bug was fixed with the new version released Feb. 1, Alex Horan, director of product management at Core Security, told eWEEK.

"Sometimes innocent actions, such as opening an e-mail attachment that appears to be a recorded WebEx presentation, can leave a computer vulnerable to hackers," said Horan.

The WebEx player flaw was exploited via a manipulated WRF file, Horan said. The security team changed a .WRF file created by the Cisco WebEx recorder application by modifying one byte of the working file, Horan said. When the manipulated file was played in the WebEx player, it caused a stack overflow, giving attackers operating-system level control of the machine, he said.

"Just because you haven't used a program or have forgotten it is installed doesn't mean it can't come back to haunt you," said Horan.

It was a little difficult to estimate the extent of the problem, since the WebEx player is not as widely installed as Office or Web browsers, according to Horan. Users may have installed the WebEx player at one time to view a recording of a meeting and not have bothered to uninstall it afterward, he said. Even though it would be hard for the attacker to know who has it installed within an organization, "all it takes is someone to send a specially crafted file with the .WRF extension," he said.

When the WRF player attempts to play that malicious file, the exploit code can execute a process outside of the player so that it stays in the computer's memory after the user closes the player, Horan said. At this point, the exploit can perform an action or phone home to the attacker for instructions on what to do next, he said. Core researchers created a proof-of-concept where the exploit escaped the player and opened up the Calculator application, he said. While there were some tricks to do it in a way the antivirus couldn't detect it, it was not considered very difficult to do, he said.

According to Federico Muttis, one of the Core Security researchers who uncovered the bug, the team had a "working proof of concept" in "about 10 minutes." The Core Security team included researchers Sebastian Tello and Manuel Muradas, as well.

WebEx has not had many security problems, and attackers have not generally used it as an attack vector, so antivirus products are not likely to be scanning or checking WRF files, Horan said.

The bug in the WebEx Meeting Center was in the ATP polling functionality, Horan said. The WebEx Meeting Center application allows connected participants to create and respond to polls during the course of a meeting. A malicious user could introduce a modified poll during a WebEx meeting to gain control of the connected machines, he said. The users didn't need to respond to the poll at all, he said.

The exploit used the ATP file in a text editor by putting in an "overly long" string into the XML file, Muttis said. When the modified ATP file was published as a poll, the client crashed immediately. "That alone would have been good enough for a client-side Cisco WebEx Meeting Center exploit," Muttis said. The stack overflow generated with the exploit wasn't limited to just the client that uploaded the file, but any participants connected to the meeting, according to Muttis.

Since WebEx Meeting Center is a software-as-a-service product, the fix was immediately pushed out to customers during their next WebEx meeting, Horan said. WebEx attendees should no longer encounter this particular stack overflow issue, he said.

The WebEx player vulnerability is fixed in the latest version of the software, available online. Since the software doesn't have an auto-update function or the ability to look for the latest update, users will have to manually uninstall and reinstall the latest version to ensure the fix is installed, Horan said.