<div dir="auto"><div>Other than this new remote code execution, wasn't it widely known that even older versions of WebEx would download sub-resource JAR files over unencrypted HTTP and just run them without verification? As such, remote code execution for WebEx (on a hostile network) has been going on a long time and, as with anything, surely there are additional vectors no one has found yet and others have kept their lips sealed about ;) Yeah, this is why many have chosen never to run WebEx except within a sandbox. And definitely NEVER run the mobile app (hint hint)...</div><div dir="auto"><br><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">On Jan 26, 2017 10:43 AM, "Ryan Duff" <<a href="mailto:ry@nduff.com">ry@nduff.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="font-size:12.8px">It should also be worth noting that Cisco's "fix" for this is to only allow this behavior from "https://*.</span><a href="http://webex.com/" style="font-size:12.8px" target="_blank">webex.com</a><span style="font-size:12.8px">" or "https://*.</span><a href="http://webex.com.cn/" style="font-size:12.8px" target="_blank">webex.com.cn</a><span style="font-size:12.8px">".</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">First off, I really hope those domains aren't at all vulnerable to XSS or this could still be exploited. But the largest issue here in my eyes is that their "fix" is to basically say "now, only Cisco can arbitrarily execute code on your machine". How is this acceptable!?</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">I know the term "backdoor" gets thrown around way too much these days, but would anyone care to explain how this ISN'T a backdoor now? It means that Cisco can execute ANYTHING they want on your machine if you have their extension installed. 
That feels like the very definition of a backdoor to me.... Anyone care to challenge that?</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">I agree with Dave that confidence in Cisco is almost non-existent at this point...</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">-Ryan</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div class="elided-text">On Tue, Jan 24, 2017 at 3:27 PM, dave aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="elided-text">
<div bgcolor="#FFFFFF" text="#000000">
<p>Trainings tend to be about the past. They are more war stories
than distilled wisdom. Like when we teach you how to do a <a href="http://infiltratecon.com/training.html#click-here-for-ring0" target="_blank">client-side
and then a kernel exploit</a>, that's because that's the attack
path that's been most successful for us in the past.</p>
<p>But a lot of hacking is less brute force than that - a lot of it
is just knowing where to look, or gaining expertise in some
strange lore that nobody else wants to study. For example, there's
a talk at INFILTRATE on DCOM. DCOM is the devil - a dark mine of
legendary horrors. But I know there are untold bugs in it.
Limitless new bug classes. Actual remote code execution. <br>
</p>
<p>After enough hacking you get a nose for where to look, in theory.
I don't know how to quantify this in a way that you can put
metrics on it and maybe write something for a policy blog. But
it's institutionalized, this sense of smell. Groups evolve a
consensus on targeting.<br>
</p>
<p>I'm annoyed because I didn't ask anyone to look at the Webex
plugin for Chrome and Tavis owned it in fifteen seconds by
trusting his nose. Immunity is a bit resource constrained, is what
I tell myself, because we are the kind of computer that is
excellent at rationalization. We can't hunt every new smell. But
how can any company trust Webex again? Isn't Cisco supposed to
have a team on this sort of thing? <br>
</p>
<p>I guess my question is: Between this bug, and the issues on their
routers from the EQGRP leak, clearly Cisco has no "nose". What
does that mean for them?</p><span class="m_310463588184084768HOEnZb"><font color="#888888">
<p>-dave</p>
</font></span><p>P.S. Come to our <a href="http://infiltratecon.com/training.html" target="_blank">trainings </a>this
April and hear our war stories and learn from our exploit writers.
It's super fun. :)<br>
</p>
</div>
<br></div>______________________________<wbr>_________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.co<wbr>m</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/<wbr>mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br></div></div></div>
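The origin allow-list Ryan describes ("https://*.webex.com" or "https://*.webex.com.cn") is only as good as the check that enforces it. The example below is added here and is not code from this thread or from Cisco's extension; it assumes the allow-list consists of exactly those two hostnames and their subdomains, and shows a strict check that rejects plain http, look-alike hosts and URLs that merely mention the allowed host in the path, query or userinfo. As the thread notes, passing this check says nothing about whether the allowed site itself is free of XSS.

```javascript
// Added example: strict origin allow-list check of the kind the "fix"
// in the thread implies. Not the extension's own code.
const ALLOWED_SUFFIXES = ["webex.com", "webex.com.cn"]; // from the thread

function isAllowedOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, built into Node and browsers
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  if (url.protocol !== "https:") return false; // plain http is out
  if (url.username || url.password) return false; // "https://webex.com@evil" trick
  // hostname is already lower-cased by the parser; strip a trailing dot
  const host = url.hostname.replace(/\.$/, "");
  // Match on a label boundary: "webex.com.evil.example" must not pass,
  // and "webex.com.cn" must not be accepted as a ".webex.com" subdomain.
  return ALLOWED_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

// Constructed sample inputs showing the decision boundary (not from the thread).
const SAMPLES = [
  "https://meet.webex.com/join",                // allowed subdomain
  "https://webex.com.cn",                       // allowed apex host
  "http://meet.webex.com/",                     // wrong scheme
  "https://webex.com.evil.example/",            // look-alike host
  "https://evil.example/?next=https://a.webex.com", // allowed host only in query
  "https://webex.com@evil.example/",            // allowed host only in userinfo
  "not a url",                                  // garbage
];

// Returns [url, decision] pairs so callers can inspect the outcome.
function classify(urls) {
  return urls.map((u) => [u, isAllowedOrigin(u)]);
}

// Even a correct check here only establishes which site served the page;
// script injected via XSS on an allowed host would pass it unchanged.
for (const [u, ok] of classify(SAMPLES)) {
  console.log((ok ? "ALLOW " : "DENY  ") + u);
}
```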