[Dailydave] Webex and RCE

Kristian Erik Hermansen kristian.hermansen at gmail.com
Thu Jan 26 20:17:11 EST 2017


Other than this new remote code execution, wasn't it widely known that even
older versions of WebEx would download sub-resource JAR files over
unencrypted HTTP and just run them without verification? As such, remote
code execution for WebEx (on a hostile network) has been going on a long
time and, as with anything, surely there are additional vectors no one has
found yet and others have kept their lips sealed about ;) Yeah, this is why
many have chosen never to run WebEx except within a sandbox. And definitely
NEVER run the mobile app (hint hint)...


On Jan 26, 2017 10:43 AM, "Ryan Duff" <ry at nduff.com> wrote:

It is also worth noting that Cisco's "fix" for this is to only allow
this behavior from "https://*.webex.com" or "https://*.webex.com.cn".

First off, I really hope those domains aren't at all vulnerable to XSS or
this could still be exploited. But the largest issue here in my eyes is
that their "fix" is to basically say "now, only Cisco can arbitrarily
execute code on your machine". How is this acceptable!?

I know the term "backdoor" gets thrown around way too much these days, but
would anyone care to explain how this ISN'T a backdoor now? It means that
Cisco can execute ANYTHING they want on your machine if you have their
extension installed. That feels like the very definition of a backdoor to
me... Anyone care to challenge that?

I agree with Dave that confidence in Cisco is almost non-existent at this
point...

-Ryan

On Tue, Jan 24, 2017 at 3:27 PM, dave aitel <dave at immunityinc.com> wrote:

> Trainings tend to be about the past. They are more war stories than
> distilled wisdom. Like when we teach you how to do a client-side and then
> a kernel exploit
> <http://infiltratecon.com/training.html#click-here-for-ring0>, that's
> because that's the attack path that's been most successful for us in the
> past.
>
> But a lot of hacking is less brute force than that - a lot of it is just
> knowing where to look, or gaining expertise in some strange lore that
> nobody else wants to study. For example, there's a talk at INFILTRATE on
> DCOM. DCOM is the devil - a dark mine of legendary horrors. But I know
> there are untold bugs in it. Limitless new bug classes. Actual remote code
> execution.
>
> After enough hacking you get a nose for where to look, in theory. I don't
> know how to quantify this in a way that you can put metrics on it and maybe
> write something for a policy blog. But it's institutionalized, this sense
> of smell. Groups evolve a consensus on targeting.
>
> I'm annoyed because I didn't ask anyone to look at the Webex plugin for
> Chrome and Tavis owned it in fifteen seconds by trusting his nose. Immunity
> is a bit resource constrained, is what I tell myself, because we are the
> kind of computer that is excellent at rationalization. We can't hunt every
> new smell. But how can any company trust Webex again? Isn't Cisco supposed
> to have a team on this sort of thing?
>
> I guess my question is: Between this bug, and the issues on their routers
> from the EQGRP leak, clearly Cisco has no "nose". What does that mean for
> them?
>
> -dave
>
> P.S. Come to our trainings <http://infiltratecon.com/training.html> this
> April and hear our war stories and learn from our exploit writers. It's
> super fun. :)
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
