Cisco has provided updates today for WebEx browser extensions for Chrome and Firefox after Google Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar privately disclosed a vulnerability that could be abused to remotely run code on a computer running the browser extension. Tens of millions of computers have the extension installed.
Ormandy in January found a remote code execution vulnerability in the same extension for Chrome that took advantage of a so-called “magic URL” that an attacker could hide in an iframe that would run arbitrary code.
The bug disclosed today could be exploited by an attacker hosting crafted code online, and enticing users to visit the site.
Multiple Cisco Webex remote code execution vulnerabilities, and working exploit http://bit.ly/2vaRTFJ. Patch ASAP. 🐞
— Tavis Ormandy (@taviso) July 17, 2017
Cisco said the vulnerability also affects browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting, Event, Training and Support centers) and Cisco WebEx Meetings on Windows machines.
“The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability,” Cisco said in its advisory. “If successful, the attacker could execute arbitrary code with the privileges of the affected browser.”
Versions of the WebEx extension for Chrome and Firefox prior to 1.0.12 are affected.
The vulnerability was introduced after the January update, the researchers said. Neckar, a former Chrome Security Team member, informed Ormandy of sanitization issues in the updated code for the atgpcext library, a Windows-based WebEx download module. Ormandy said in a bug report released today that he was able to take advantage of four different issues to write exploits. Those issues including discrepancies in parsing JSON properties, incomplete GpcScript verification Regex, unsafe whitelisted function calls, and the capability to initiate downgrade attacks that allow an attacker to roll back to vulnerable versions if fixes are applied to native components.
Ormandy and Neckar disclosed on July 6, and the issue was made public today. Cisco said it was not aware of public exploits of this vulnerability.
The vulnerability patched in January relied on the use of a URL request that contained the string cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html; attackers could use this in an iframe, leaving users unaware of an active exploit.
“The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!),” Ormandy wrote is a bug report posted in January to the Project Zero site. Within two days, Google had removed the extension from Google Play. Google’s fix, meanwhile, was criticized by researcher Filippo Valsorda of Cloudflare who said Cisco’s approach of flashing a dialogue box warning that code from a third-party site would execute was “weak.”
“Moreover, the webex.com website is still allowed to bypass the popup. If a vulnerability is found on the webex.com website, it can be used to compromise any machine running even the updated version,” he said. Valsorda shared instructions on creating a dedicated WebEx profile he said would mitigate risk from the vulnerability.