
Cisco's WebEx Chrome plugin will execute evil code, install malware via secret 'magic URL'

Just get rid of it

By Richard Chirgwin, 23 Jan 2017

Updated: Malicious websites can remotely execute commands on Windows systems that have Cisco WebEx's Chrome extension installed. About 20 million people actively use this broken software.

All attackers need to know is a “magic URL” hidden within WebEx, Google Project Zero bug hunter Tavis Ormandy revealed on Monday. We think a secret "magic URL" is the nicest possible way of saying "backdoor," be it deliberate or accidental.

Specifically, any URL request – such as a silent request for an invisible iframe on a page – that includes the string cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html opens up WebEx to remote-control execution. Ormandy clocked he could exploit this via Chrome's native messaging system to execute C library and Windows system calls.

The Googler quickly produced a proof-of-concept webpage that pops open calc.exe on vulnerable machines that have Cisco's dodgy extension installed. This demonstrates that a victim just has to browse a website that targets Cisco's plugin to come under attack and find their computer is infected with malware.

“I noticed that [Cisco] ships a copy of the CRT (Microsoft's C Runtime, containing standard routines like printf, malloc, etc), so I tried calling the standard _wsystem() routine (like system(), but for WCHAR strings), like this,” wrote Ormandy, before throwing in this JavaScript:

var msg = {
    GpcProductRoot: "WebEx",
    GpcMovingInSubdir: "Wanta",
    GpcProductVersion: "T30_MC",
    GpcUnpackName: "atgpcdec",
    GpcExtName: "atgpcext",
    GpcUnpackVersion: "27, 17, 2016, 501",
    GpcExtVersion: "3015, 0, 2016, 1117",
    GpcUrlRoot: "",
    GpcComponentName: btoa("MSVCR100.DLL"),
    GpcSuppressInstallation: btoa("True"),
    GpcFullPage: "True",
    GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
    ExploitShellCommand: btoa("calc.exe"),
};

“Unbelievably, that worked,” he added.

Cisco has rushed out WebEx version 1.0.3 to fix the issue, although crypto developer Filippo Valsorda says the patch is incomplete. Version 1.0.5 was released today to overcome 1.0.3's shortcomings.

Or, given Cisco's devotion to programming standards or lack thereof, just delete and forget about the crappy thing entirely. ®

Updated to add

Make that version 1.0.7: Cisco has pushed out another quick update after Ormandy found another remote-code execution hole in WebEx for Chrome.
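For defenders, an added example (not from the article, Cisco or Project Zero): a triage script that scans web-proxy log lines for the marker string quoted above and checks an installed extension version against the 1.0.7 release named in the update. The log format, host names and the expectedHosts allowlist are assumptions, and the sample lines are constructed.

```javascript
// Added example: defensive triage for the WebEx "magic URL" issue.
// Marker string and fixed version come from the article; everything else is assumed.
const MAGIC_MARKER = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html";
const FIXED_VERSION = "1.0.7"; // latest fixed release named in the article

// Undo up to three layers of percent-encoding so an encoded marker still matches.
function fullyDecode(url) {
  let current = url;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; } // malformed: keep as is
    if (next === current) break;
    current = next;
  }
  return current;
}

// Assumed log format: "<timestamp> <client> <method> <url>", one request per line.
// expectedHosts is an analyst-supplied list of hosts where the marker is considered normal.
function findMagicUrlRequests(logLines, expectedHosts = []) {
  const hits = [];
  for (const line of logLines) {
    const [timestamp, client, , url] = line.trim().split(/\s+/);
    if (!url || !fullyDecode(url).toLowerCase().includes(MAGIC_MARKER)) continue;
    let host = "(unparseable)";
    try { host = new URL(url).hostname.toLowerCase(); } catch (e) { /* keep placeholder */ }
    hits.push({ timestamp, client, host, expected: expectedHosts.includes(host) });
  }
  return hits;
}

// True when a dotted version string is at or above the fixed release.
function isAtLeastFixed(version, fixed = FIXED_VERSION) {
  const a = version.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff > 0;
  }
  return true;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  "2017-01-23T10:00:01Z 10.0.0.5 GET https://news.example.test/index.html",
  "2017-01-23T10:00:02Z 10.0.0.5 GET https://ads.example.test/x/" + MAGIC_MARKER,
  "2017-01-23T10:00:03Z 10.0.0.9 GET https://cdn.example.test/" + MAGIC_MARKER.replace(/-/g, "%2D"),
  "2017-01-23T10:00:04Z 10.0.0.7 GET https://meetings.example.test/join/" + MAGIC_MARKER,
];
```

Calling findMagicUrlRequests(SAMPLE_LOG, ["meetings.example.test"]) returns three hits, two of them on hosts outside the allowlist, and isAtLeastFixed reports 1.0.3 and 1.0.5 as below the fixed release.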
