Core Security researchers Federico Muttis, Sebastian Tello and Manuel Muradas teamed to discover two separate vulnerabilities, each affecting a separate Cisco WebEx application. First, the research team manipulated a file created by the Cisco WebEx recorder (carrying the .WRF extension) and played by the WebEx player. A portion of the new file’s execution pointed to a user call instruction and allowed a hacker to execute other functions on the machine.
Second, the research team made a slight change to the XML code within a file that governs polling functionality within Cisco WebEx Meeting Center. The resulting code, when published as a poll during a presentation, crashed the machine and ultimately affected other machines connected to the WebEx meeting, causing the other participants’ machines to crash.
“Sometimes innocent actions, such as opening an email attachment that appears to be a recorded WebEx presentation, can leave a computer vulnerable to hackers,” said Alex Horan, senior product manager at Core Security Technologies. “For this reason, Core Security regularly investigates common applications to make sure they do not present new previously unknown vulnerabilities. In this case, a well-known development concern, stack overflow, is at fault. It demonstrates yet again how companies need to be constantly vigilant in testing their systems for new ways data could be compromised.”
Users are required to install a special player from WebEx to view archived presentations that are executed in WRF format. This player is vulnerable to a stack-based overflow that an attacker may use to control the machine. The WRF bug was found when a CoreLabs researcher employed a well-known fuzzing method by opening a working file and modifying one byte.
As previously discussed, the vulnerability within the WebEx Meeting Center polling functionality was found through an even simpler method, and both vulnerabilities are related to stack overflow errors possible within each application. A stack overflow occurs when a program requests more memory than it has been allotted.
Keeping with its responsible disclosure policy, Core Security coordinated with Cisco to address the vulnerabilities and provide solutions for WebEx users prior to making this announcement.
To remediate the WRF WebEx player vulnerability, Core Security recommends uninstalling the older version and installing the latest version, which is available here: http://www.webex.com/downloadplayer.html
No remediation is necessary for the WebEx Meeting Center vulnerability, since Cisco has deployed the fix on their servers and WebEx meeting attendees are no longer exposed to the stack overflow issue.
CORE IMPACT Pro customers can also easily determine potential risks to their organization’s systems using the solution. More than 1,000 organizations that use CORE IMPACT Pro can identify if these vulnerabilities expose their systems by immediately running the WebEx exploit module in CORE IMPACT Pro. To watch Core Security’s Alex Horan demonstrate a test against the discovered weaknesses using Core Security’s CORE IMPACT Pro penetration testing solution, read his blog post here: http://blog.coresecurity.com/2011/01/31/a-tale-of-webex-vulnerabilities-and-forgotten-valentines-cards
For more information on this vulnerability and the systems affected, please visit: http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs
About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security’s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
Contacts: Lesley Sullivan Schwartz Communications 781-684-0770 [email protected]