WebEx plugin for Chrome: two serious vulnerabilities in a few days
My advice? Check often for updates!
On January, 21 the security researcher Tavis Ormandy from Google Project Zero has disclosed a vulnerability the Webex Chrome extension that allows remote execution of commands on any computer with the extension installed (about 20 million users!).
Ormandy has published a proof-of-concept that launchs the calculator app through remote code execution simply by passing a standard C system call and a “magic URL”.
The “magic URL” is a iframe in a web page that includes the string “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056–32dc7efc570b.html”:
The extension works on any URL that contains the magic pattern "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html", which can be extracted from the extensions manifest. Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening, visiting any website would be enough.
The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code
Cisco has responded to the disclosure and released a patch within two days.
But, a few days later Tavis finds another vulnerability:
In version 1.0.5 of the WebEx extension, Cisco added a GpcComponentName whitelist to prevent exploitation via XSS, preventing issue 1096.
This can be defeated by putting a module signed by Cisco under GpcUrlRoot, and tricking the installation routine to overwrite one of the whitelisted modules with it. As I already have a copy of MSVCRT.DLL signed by Cisco, I used this one in my exploit.
This requires an XSS on *.webex.com, but they're unfortunately not difficult to find.
Here is a working example:
And, in record time, Cisco releases an additional patch to fix the new vulnerability:
It looks like Cisco have released version 1.0.7, which adds a whitelist for the GpcExtName and GpcUnpackName properties that I was using in my exploit.
It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx. This looks like a huge improvement.
Another very quick response from Cisco, I continue to be impressed with Cisco’s response time.