Cisco has re-issued a patch for a high-severity vulnerability in its WebEx Meetings platform, after researchers were able to bypass the first fix.
The patch addresses a privilege-escalation vulnerability, CVE-2018-15442, in Cisco’s Webex Meetings Desktop App for Windows. The glitch exists in the update service of the app, which does not properly validate user-supplied parameters and thus could allow a local attacker to elevate privileges.
While the flaw was first patched in October, researchers at SecureAuth deemed the fix insufficient after they discovered a bypass, which they detailed in a Tuesday post. The initial fix can be bypassed via DLL hijacking, an attack in which hackers place a file on the system (via social engineering or other methods) that could then be executed when the user runs an application.
“This proof-of-concept copies a binary signed by WebEx to a local attacker-controlled folder, then creates a DLL with our malicious code, and finally executes the service control command that will run the code inside the DLL,” researchers told Threatpost.
Cisco acknowledged the bypass in an advisory re-issuing the patch.
“After an additional attack method was reported to Cisco, the previous fix for this vulnerability was determined to be insufficient,” the company’s advisory said. “A new fix was developed, and the advisory was updated on November 27, 2018, to reflect which software releases include the complete fix.”
The Original Flaw
At the center of the issue is the fact that the update service of the WebEx application did not properly validate user-supplied parameters. That means an unprivileged local attacker could exploit the flaw by invoking the update service command with a crafted argument. This would allow the attacker to run arbitrary commands with system user privileges.
In order to execute the attack, a bad actor would need to be local but doesn’t need to be authenticated in the application, researchers told us. No special permissions are needed to exploit the flaw.
The vulnerability has a CVSS score of 7.8, ranking it as “high” severity. Researchers have not yet found any related exploits in the wild.
While the flaw was originally patched in October, Marcos Accossatto from SecureAuth Exploits’ Writers Team found an issue with the fix while gathering information about the patch for the original vulnerability.
Issues with the Patch
Researchers told Threatpost that the patch consisted only of forcing the application's update service to run only files signed by WebEx.
However, the patch still allows hackers to run a signed binary capable of loading a malicious DLL (where arbitrary code could be loaded).
During their PoC, researchers copied the ptUpdate.exe binary to a local attacker-controlled folder. They then found a file that the service could not load (the file was called wbxtrace.dll) and put a malicious DLL, created with arbitrary code, into that folder.
Because the service could not load this DLL, “the PoC executes the update service with a signed file that calls a manipulated DLL with our code,” said researchers.
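A detection sketch for the bypass described above, added here as an example and not taken from Cisco, SecureAuth or the article: it flags a signed executable that runs outside administrator-only directories and loads an unsigned DLL from its own folder. The event schema, the trusted-directory list and the sample paths are constructed assumptions; only the file names ptUpdate.exe and wbxtrace.dll come from the article.

```python
from ntpath import basename, dirname, normcase, normpath

# Assumption: directories that only administrators can write to on this fleet.
TRUSTED_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")


def _norm(path):
    # Collapse "..", unify separators and case so comparisons cannot be dodged.
    return normcase(normpath(path))


def in_trusted_dir(path):
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in TRUSTED_DIRS)


def find_sideloads(events):
    """Flag signed executables outside trusted dirs loading an unsigned DLL
    that sits in the executable's own folder."""
    findings = []
    for ev in events:
        exe, dll = ev["process_image"], ev["loaded_image"]
        if not ev["process_signed"] or in_trusted_dir(exe):
            continue  # rule targets signed binaries relocated to writable paths
        if _norm(dirname(dll)) == _norm(dirname(exe)) and not ev["loaded_signed"]:
            findings.append((basename(exe), basename(dll), dirname(exe)))
    return findings


# Constructed image-load events (hypothetical schema and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"process_image": r"C:\Program Files\ExampleVendor\App\ptUpdate.exe", "process_signed": True,
     "loaded_image": r"C:\Program Files\ExampleVendor\App\wbxtrace.dll", "loaded_signed": True},
    {"process_image": r"C:\Users\test\work\ptUpdate.exe", "process_signed": True,
     "loaded_image": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    {"process_image": r"C:\Users\test\work\ptUpdate.exe", "process_signed": True,
     "loaded_image": r"C:\Users\test\work\wbxtrace.dll", "loaded_signed": False},
]

if __name__ == "__main__":
    for exe, dll, folder in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT: signed {exe} loaded unsigned {dll} from {folder}")
```

The rule relies on the same observation the researchers made: a valid signature on the executable says nothing about the folder it runs from or the DLLs beside it.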
Accossatto notified Cisco of the issue Nov. 9, and Cisco updated its advisory on Nov. 27.
Cisco Webex Meetings Desktop App releases prior to 33.6.4 and Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6 are vulnerable. This vulnerability is fixed in Cisco Webex Meetings Desktop App Release 33.6.4 and later releases.