While remote code execution vulnerabilities are pretty common, a new one discovered in Cisco's WebEx online and video collaboration software is definitely different. That is because users can remotely execute commands through a component of the WebEx client even when WebEx does not listen for remote connections.
Remote code execution vulnerabilities are bugs that allow a user to remotely connect to a vulnerable application and cause commands to be executed on the remote computer. These are critical bugs because they commonly allow commands to run with elevated privileges.
This new remote code execution vulnerability was disclosed yesterday by Ron Bowes and Jeff McJunkin of the hack challenge organization Counter Hack, who found it while performing a recent pentest. Their initial goal was to elevate the permissions of a local standard user account, but they instead found a very interesting remote code execution bug that they have titled "WebExec".
While performing the pentest, they noticed that Cisco WebEx uses a service called "WebexService" that could be started and stopped by anyone and ran under System privileges.
Even better, the service used the executable WebExService.exe that could be modified by anyone as the Everyone group had full permissions to it.
As the executable could be accessed by anyone, including a standard user, they realized that they could replace the executable with another one of their choice in order to elevate their privileges. While they found the privilege elevation they were looking for, this bug had already been discovered by other researchers and Cisco had released a new update for it in September.
The researchers then decided to take a deeper look at the WebexService.exe to determine what it does. Using debug information, trial-and-error, and reverse engineering, they were able to determine that even though this service is designed to update WebEx, it could also be used to launch other programs.
As the service is running under the System account, any executable launched by it would be launched with the same permissions.
The WebexService service does not automatically start when Windows starts. Instead, it is called as necessary to perform an update of WebEx, or in this case, other programs.
To use the WebexService service to launch a program, you can simply start the service while passing the command to execute as an argument. For example, to have WebexService.exe start calc.exe, you can use the command:
sc start webexservice a software-update 1 calc c d e f
As the calc.exe program was launched by a service running with System privileges, it too ran with System privileges as shown below.
Now imagine if you are a standard user with no elevated permissions, but want to gain them. You can use this same bug to launch cmd.exe so that it becomes an elevated command prompt with full Administrative privileges.
The command above launches a command prompt with administrative privileges as shown below.
With this elevated command prompt, the standard user now has full control over the PC.
According to the researchers, even though they knew about this vulnerability, they had not realized they could use it remotely until a week had passed.
"We actually spent over a week knowing about this vulnerability without realizing that it could be used remotely!"
You may be wondering how a vulnerability can be triggered remotely when the vulnerable service does not listen for connections. This is because the Windows sc command can be used to start a service on a remote machine with the following command:
c:\>sc \\10.0.0.0 start webexservice a software-update 1 net localgroup administrators testuser /add
To use sc remotely, though, you first need to be authenticated to the remote machine. This could be with a local account or a domain account.
"An account is necessary because you have to get past Windows' own authentication checks," Bowes told BleepingComputer via email. "In order to bind to the service control service (svcctl) on Windows, you need to authenticate as a user first. Otherwise, Windows rejects you. Once you've connected to the service, you can start/stop Windows services remotely, provided you have the access level to control them. In some cases, such as WebExService, they allow anyone to start/stop the service. Most services require an administrator."
As the sc command requires the remote machine to have port 445 open and accessible, this vulnerability is not really useful from the Internet. This is because most ISPs and companies block port 445 on their routers and firewalls.
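As an added example (not code from the researchers or Cisco), the following defender-side audit parses the security descriptor that `sc sdshow <service>` prints and reports allow entries that give broad groups such as Everyone the right to start, stop or reconfigure a service. The two sample descriptors are constructed for illustration; the page does not give WebexService's actual descriptor.

```python
import re

# Trustees that include ordinary, non-admin users (SDDL alias or raw SID).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone", "AN": "Anonymous",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "IU": "Interactive", "NU": "Network", "BU": "Builtin Users"}
# Two-letter SDDL rights as they apply to a service object.
RISKY = {"RP": "start", "WP": "stop", "DC": "change-config",
         "WD": "write-dac", "WO": "write-owner"}
# Generic rights expand to service rights before the check.
GENERIC = {"GA": set(RISKY), "GX": {"RP", "WP"}, "GW": {"DC"}}
# Bit values of the same rights, for ACEs written as a hex mask.
BITS = {0x10: "RP", 0x20: "WP", 0x2: "DC", 0x40000: "WD", 0x80000: "WO"}
ACE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")
# Constructed samples in `sc sdshow` format, not the real WebexService DACL.
DEFAULT_LIKE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
OPEN_TO_ALL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;WD)")


def rights_of(field):
    """Return the risky two-letter rights encoded in one ACE rights field."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        if mask & 0x10000000:  # GENERIC_ALL
            return set(RISKY)
        return {name for bit, name in BITS.items() if mask & bit}
    found = set()
    for tok in re.findall("..", field):
        found |= GENERIC.get(tok, {tok})
    return found & set(RISKY)


def audit_service_sddl(sddl):
    """List (trustee, rights) for DACL allow ACEs that give a broad trustee
    risky service rights. SACL entries and deny ACEs are not evaluated."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = []
    for ace_type, rights, sid in ACE.findall(dacl.group(1) if dacl else ""):
        hit = rights_of(rights)
        if ace_type == "A" and sid in BROAD and hit:
            findings.append((BROAD[sid], sorted(RISKY[r] for r in hit)))
    return findings


if __name__ == "__main__":
    for label, sddl in (("default-like", DEFAULT_LIKE), ("open", OPEN_TO_ALL)):
        print(label, audit_service_sddl(sddl))
```

An empty result means no broad trustee holds a risky right through an allow entry; any finding on a service that runs as System deserves a closer look at what that service does with its start arguments.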
According to Bowes, this vulnerability is instead more useful for an attacker who gains a foothold on one computer and then uses the vulnerability to execute commands on other machines in the same network.
"This is most useful in a domain environment, because any domain user can run code on any domain machine. All you need is one phished employee!"
This bug has since been fixed by Cisco and new WebEx updates have been released.
"Cisco Webex Productivity Tools fixes this vulnerability in version 33.0.5 and later," stated the WebExec security disclosure. "Cisco Webex Productivity Tools has been replaced with Cisco Webex Meetings Desktop App since Cisco Webex Meetings Release 33.2.0. You can update by launching the Cisco Webex Meetings application and clicking Settings in the top right of the application window then choosing Check for Updates from the drop-down list. This is documented in more detail in the article, Check for Cisco Webex Productivity Tools Updates for Windows."