Cisco Issues Another Patch for WebEx Flaw
Cisco issued another patch for its WebEx Meetings platform after researchers were able to bypass the first fix. The patch addresses a privilege-escalation vulnerability, CVE-2018-15442, in Cisco's Webex Meetings Desktop App for Windows. The bug exists in the update service of the app, which doesn't properly validate user-supplied parameters and can enable a local hacker to elevate privileges. Even though the flaw was first patched in October, researchers at SecureAuth discovered a bypass, which can be read here. The researchers found that the initial fix can be bypassed via DLL hijacking, where hackers put a file on the system that could be executed when the user runs an application. In the researchers' proof of concept, a binary signed by Webex is copied to a local folder, and a DLL with malicious code is created there. After the file is copied, the service control command inside the DLL is executed. After reviewing the SecureAuth finding, Cisco released the following statement: "After an additional attack method was reported to Cisco, the previous fix for this vulnerability was determined to be insufficient," the company's advisory said. "A new fix was developed, and the advisory was updated on November 27, 2018, to reflect which software releases include the complete fix."
The crux of the issue is that the update service of the WebEx application didn't validate the user parameters. That means an unprivileged local hacker could take advantage of the flaw by invoking the update command with their own custom arguments, which would let the hacker run whatever commands they want with SYSTEM user privileges. A hacker would need to be local but doesn't have to be authenticated in the application, and no special permissions are needed to initiate an attack. The original patch consisted only of forcing the update service of the application to run nothing but files signed by WebEx. That patch still allowed hackers to run a signed binary capable of loading a malicious DLL. Researchers were able to copy the ptUpdate.exe binary to a local folder they controlled. They then put a file called wbxtrace.dll, which the service could not load, and a malicious DLL, created with arbitrary code, into that folder. Since the service couldn't load the DLL, the researchers executed the update service with a signed file that calls the fake DLL with malicious code.
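The bypass described above works because a signature check says nothing about where the signed binary runs from or which DLLs it picks up there. As an added example (not code from Cisco, SecureAuth or this article), the following Python triage function flags that pattern in endpoint telemetry; the event dictionaries are constructed and modelled on Sysmon process-create (ID 1) and image-load (ID 7) fields, and the trusted-root list and the `ExampleVendor` path are assumptions.

```python
from pathlib import PureWindowsPath

# Assumption: roots that only administrators can write to on this build.
TRUSTED_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows"]
UPDATER = "ptupdate.exe"    # signed binary named in the article
TRACE_DLL = "wbxtrace.dll"  # DLL name named in the article

def _parts(path):
    # Windows paths are case-insensitive, so compare lowercased components.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def is_trusted(path):
    """True only if path sits under a trusted root and has no '..' segments."""
    parts = _parts(path)
    if ".." in parts:  # unresolved traversal: never treat as trusted
        return False
    return any(parts[:len(r)] == r for r in map(_parts, TRUSTED_ROOTS))

def basename(path):
    return PureWindowsPath(path).name.lower()

def triage(events):
    """Return (index, reason) for events matching the copy-and-side-load pattern."""
    findings = []
    for i, ev in enumerate(events):
        image = ev.get("Image", "")
        if ev.get("EventID") == 1:
            if basename(image) == UPDATER and not is_trusted(image):
                findings.append((i, "updater started outside trusted root"))
        elif ev.get("EventID") == 7:
            dll = ev.get("ImageLoaded", "")
            if basename(dll) == TRACE_DLL and not is_trusted(dll):
                findings.append((i, "trace DLL loaded from outside trusted root"))
    return findings

# Constructed sample events (not real telemetry); vendor path is a placeholder.
GOOD = r"C:\Program Files (x86)\ExampleVendor\ptUpdate.exe"
STAGED = r"C:\Users\alice\Downloads\stage\ptUpdate.exe"
SAMPLE = [
    {"EventID": 1, "Image": GOOD},
    {"EventID": 1, "Image": STAGED},
    {"EventID": 7, "Image": STAGED,
     "ImageLoaded": r"C:\Users\alice\Downloads\stage\wbxtrace.dll"},
    {"EventID": 7, "Image": GOOD,
     "ImageLoaded": r"C:\Program Files (x86)\ExampleVendor\wbxtrace.dll"},
    {"EventID": 1, "Image": r"C:\Program Files\..\Users\Public\ptUpdate.exe"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE):
        print(idx, reason)
```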
Fortunately, the flaw was privately disclosed to Cisco, giving Cisco time to get out a fix before the bug report was released to the public. Those running Webex Meetings on their Windows machines should update as soon as possible. While the flaw isn't as severe as a remote code bug that could be exploited without any user interaction, the fact that it has now been patched twice and has working proof-of-concept code public should make patching a priority. Cisco's advisory and patch can be found here.