A vulnerability found in the update service of the Cisco Webex Meetings Desktop App for Windows could allow an unprivileged local attacker to elevate privileges and run arbitrary commands using the SYSTEM user privileges.
This vulnerability affects all Cisco Webex Meetings Desktop App releases between 18.104.22.168 and 22.214.171.124. Earlier versions are probably affected too, but they were not checked.
The vulnerability, tracked as CVE-2019-1674, is an OS Command Injection found by the SecureAuth researchers, who describe it as a “bypass to avoid the new controls” put in place by Cisco after patching a previously found DLL hijacking issue in the same application, tracked as CVE-2018-15442.
The CVE-2019-1674 vulnerability stems from the inability of the Cisco Webex Meetings Desktop App's update service to “properly validate version numbers of new files. So, an unprivileged local attacker could exploit this vulnerability by invoking the update service command with a crafted argument and folder.”
Attackers can run arbitrary commands with SYSTEM user privileges
A potential attacker could exploit this software flaw by replacing the Cisco Webex Meetings update binary with a “previous vulnerable version through a fake update (the service uses an XML to check which files can be installed) that will load a malicious DLL,” leading to privilege escalation and allowing the actor to run arbitrary commands with SYSTEM user privileges.
As detailed by the SecureAuth research team:
The vulnerability can be exploited by copying to a local attacker controller folder, the atgpcdec.dll binary and rename it as atgpcdec.7z. Then, a previous version of the ptUpdate.exe file must be compressed as 7z and copied to the controller folder. Also, a malicious dll must be placed in the same folder, named vcruntime140.dll and compressed as vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the controller folder for the update binary (ptUpdate.exe) to treat our files as a normal update. To gain privileges, the attacker must start the service with the command line: sc start webexservice WebexService 1 989898 “attacker-controlled-path”
The SecureAuth researchers also provide a two-step proof of concept (PoC) attack targeting the 33.8.X versions of the app to circumvent the signature check feature, and a single step attack PoC for exploiting all versions of the Cisco Webex Meetings Desktop App for Windows prior to 33.8.X.
While the CVE-2019-1674 vulnerability can only be exploited locally, “administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.”
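For defenders, the service invocation quoted above can be hunted for in process-creation telemetry. The following is an added example, not code from SecureAuth's advisory or from Cisco. It assumes command lines (for instance from Windows event 4688 or Sysmon event 1) are available as plain strings and that a routine start of the service passes no arguments. The function names and the sample lines are constructed, and `listing` stands for a file listing of the reported folder collected separately.

```python
import ntpath
import shlex

SERVICE = "webexservice"  # service name in the advisory's command line
# File names the advisory says are placed in the update folder (lower-cased).
STAGED = {"atgpcdec.7z", "vcruntime140.7z", "ptupdate.xml"}

def _tokens(cmdline):
    # Normalise typographic quotes, which often survive copy and paste.
    for q in "\u201c\u201d":
        cmdline = cmdline.replace(q, '"')
    try:
        # posix=False leaves the backslashes of Windows paths untouched.
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote: fall back to whitespace split
        parts = cmdline.split()
    return [p.strip('"') for p in parts]

def service_args(cmdline):
    """Arguments handed to the service by `sc start`, or None if not a match."""
    t = _tokens(cmdline)
    if not t or ntpath.basename(t[0]).lower() not in ("sc", "sc.exe"):
        return None
    rest = t[1:]
    if rest and rest[0].startswith("\\\\"):  # sc's optional \\server argument
        rest = rest[1:]
    if len(rest) < 2 or rest[0].lower() != "start" or rest[1].lower() != SERVICE:
        return None
    return rest[2:]

def triage(cmdline, listing=()):
    """Flag starts that pass arguments; report advisory file names in `listing`."""
    args = service_args(cmdline)
    if not args:  # assumption: a routine start passes no service arguments
        return None
    hits = sorted(n for n in listing if n.lower() in STAGED)
    return {"args": args, "folder": args[-1], "staged": hits}

# Constructed command lines (not real telemetry); the last is the page's own.
SAMPLES = [
    r'sc start webexservice',
    r'C:\Windows\System32\sc.exe start WebExService WebexService 1 989898 "C:\Users\Public\up dir"',
    'sc start webexservice WebexService 1 989898 \u201cattacker-controlled-path\u201d',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line, ["atgpcdec.7z", "ptUpdate.xml", "notes.txt"]), "<-", line)
```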
2018-12-04: SecureAuth sent an initial notification to the Cisco PSIRT including a draft advisory.
2018-12-05: Cisco confirmed the reception of the advisory and informed they will open a case.
2018-12-07: Cisco replied that they were able to reproduce the vulnerability and they were working on a plan for the fix.
2018-12-07: SecureAuth thanked the update.
2018-12-10: Cisco notified SecureAuth that the general availability of the fix will be before end of February.
2018-12-10: SecureAuth thanked the update.
2019-01-15: SecureAuth asked Cisco for an update.
2019-01-22: SecureAuth asked Cisco for an update again.
2019-01-22: Cisco answered saying they were still targeting the end of February for the release of the fix.
2019-02-11: Cisco confirmed 27th February as the disclosure date.
This is not the first time security researchers have found vulnerabilities in Cisco’s WebEx online video collaboration software, but the one discovered by Counter Hack’s Ron Bowes and Jeff McJunkin on October 24, 2018, really stands out.
That is because the vulnerability known as WebExec allows users to remotely execute commands through a component of a vulnerable version of the WebEx client even when WebEx does not listen for remote connections.