Cisco's WebEx Chrome plugin will execute evil code, install malware via secret 'magic URL'
Just get rid of it
Updated: Malicious websites can remotely execute commands on Windows systems that have Cisco WebEx's Chrome extension installed. About 20 million people actively use this broken software.
All attackers need to know is a “magic URL” hidden within WebEx, Google Project Zero bug hunter Tavis Ormandy revealed on Monday. We think a secret "magic URL" is the nicest possible way of saying "backdoor," be it deliberate or accidental.
Specifically, any URL request – such as a silent request for an invisible iframe on a page – that includes the string cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html opens up WebEx to remote-code execution. Ormandy clocked that he could exploit this via Chrome's native messaging system to execute C library and Windows system calls.
The Googler quickly produced a proof-of-concept webpage that pops open calc.exe on vulnerable machines that have Cisco's dodgy extension installed. This demonstrates that a victim just has to browse a website that targets Cisco's plugin to come under attack and find their computer is infected with malware.
“I noticed that [Cisco] ships a copy of the CRT (Microsoft's C Runtime, containing standard routines like printf, malloc, etc), so I tried calling the standard _wsystem() routine (like system(), but for WCHAR strings), like this,” wrote Ormandy, before throwing in this JavaScript:
var msg = {
  GpcProductRoot: "WebEx",
  GpcMovingInSubdir: "Wanta",
  GpcProductVersion: "T30_MC",
  GpcUnpackName: "atgpcdec",
  GpcExtName: "atgpcext",
  GpcUnpackVersion: "27, 17, 2016, 501",
  GpcExtVersion: "3015, 0, 2016, 1117",
  GpcUrlRoot: "http://127.0.0.1/",
  GpcComponentName: btoa("MSVCR100.DLL"),
  GpcSuppressInstallation: btoa("True"),
  GpcFullPage: "True",
  // the shipped CRT's _wsystem() is handed the decoded command below
  GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
  ExploitShellCommand: btoa("calc.exe"),
};
“Unbelievably, that worked,” he added.
There was a secret URL in WebEx that allowed any website to run arbitrary code. ¯\_(ツ)_/¯ https://t.co/sAqZrDN4ad
— Tavis Ormandy (@taviso) January 23, 2017
And PRs wonder why we get uppity when we’re told to install weird extensions during press briefings - PDF + text is fine, thanks. https://t.co/whPRlSXnqX
— The Register (@TheRegister) January 23, 2017
Cisco has rushed out WebEx version 1.0.3 to fix the issue, although crypto developer Filippo Valsorda says the patch is incomplete. Version 1.0.5 was released today to overcome 1.0.3's shortcomings.
Or, given Cisco's devotion to programming standards or lack thereof, just delete and forget about the crappy thing entirely. ®
Updated to add
Make that version 1.0.7: Cisco has pushed out another quick update after Ormandy found another remote-code execution hole in WebEx for Chrome.
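As an added example (not code from the article, from Ormandy or from Cisco), the two checks a defender would want after reading this: is an installed WebEx extension build older than the 1.0.7 release, and which proxy-log requests carry the magic filename on hosts other than webex.com. The log format, the sample lines and the webex.com rule are assumptions made for the example.

```javascript
// Added example, not from the article or Cisco: defender-side triage for the
// WebEx Chrome extension bug above. Log format and sample lines are constructed.
const MAGIC_FILENAME =
  "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html";
const FIXED_VERSION = "1.0.7"; // the release the article's update names
// Numeric comparison of dotted version strings: negative when a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// True for any extension build older than the fixed release.
function extensionIsVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}
// Constructed proxy log format: <timestamp> <client-ip> <method> <url> "<user-agent>"
function parseLogLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\S+) "(.*)"$/);
  return m ? { ts: m[1], client: m[2], method: m[3], url: m[4], ua: m[5] } : null;
}
// Flag every request whose URL carries the magic filename anywhere, as the article
// describes. Assumption: webex.com hosts serve it during normal use, so the same
// filename on any other host is the signal worth a closer look.
function findMagicUrlRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec || !rec.url.includes(MAGIC_FILENAME)) continue;
    let host;
    try { host = new URL(rec.url).hostname; } catch (e) { continue; }
    hits.push({
      client: rec.client,
      host,
      thirdParty: !(host === "webex.com" || host.endsWith(".webex.com")),
      windowsChrome: /Windows/.test(rec.ua) && /Chrome\//.test(rec.ua),
    });
  }
  return hits;
}
// Constructed sample: a third-party page pulling the magic iframe, then a
// normal WebEx meeting load, then a line the parser must reject.
const SAMPLE_LOG = [
  '2017-01-23T10:01:02Z 10.0.0.5 GET http://adnetwork.example/x/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html "Mozilla/5.0 (Windows NT 10.0) Chrome/55.0"',
  '2017-01-23T10:01:03Z 10.0.0.5 GET http://adnetwork.example/x/index.html "Mozilla/5.0 (Windows NT 10.0) Chrome/55.0"',
  '2017-01-23T10:02:00Z 10.0.0.7 GET https://meet.webex.com/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html "Mozilla/5.0 (Windows NT 6.1) Chrome/55.0"',
  "not a log line",
];
```

Running findMagicUrlRequests(SAMPLE_LOG) returns two hits, and only the adnetwork.example one is marked thirdParty.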