Security News Cisco's WebEx Chrome plugin will execute evil code, install malware via secret 'magic URL'

Solarquest

Just get rid of it – bin it now
Malicious websites can remotely execute commands on Windows systems that have Cisco WebEx's Chrome extension installed. About 20 million people actively use this broken software.

All attackers need to know is a “magic URL” hidden within WebEx, Google Project Zero bug hunter Tavis Ormandy revealed on Monday. We think a secret "magic URL" is the nicest possible way of saying "backdoor," be it deliberate or accidental.


Specifically, any URL request – such as a silent request for an invisible iframe on a page – that includes the string cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html opens up WebEx to remote-control execution. Ormandy clocked he could exploit this via Chrome's native messaging system to execute C library and Windows system calls.

The Googler quickly produced a proof-of-concept webpage that pops open calc.exe on vulnerable machines that have Cisco's dodgy extension installed. This demonstrates that a victim just has to browse a website that targets Cisco's plugin to come under attack and find their computer is infected with malware.

“I noticed that [Cisco] ships a copy of the CRT (Microsoft's C Runtime, containing standard routines like printf, malloc, etc), so I tried calling the standard _wsystem() routine (like system(), but for WCHAR strings), like this,” wrote Ormandy, before throwing in this JavaScript:

..more in the link above
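Added example, not part of the original post or the linked article: a defender-side check that scans web proxy logs for requests carrying the trigger string quoted above, so affected clients can be found and the extension removed. The log layout, sample lines, host names and function names are constructed assumptions; repeated percent-decoding is a conservative choice to catch encoded variants.

```python
import re
from urllib.parse import unquote, urlsplit

# Trigger string exactly as quoted in the article above.
MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

# Assumed log layout (constructed): <timestamp> <client_ip> <method> <url> <referer>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def normalise(url, max_rounds=3):
    """Percent-decode up to max_rounds times, then lower-case for matching."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.lower()

def find_magic_requests(lines):
    """Return one record per log line whose URL contains the trigger string."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed or truncated line: skip instead of guessing
        ts, client, _method, url, referer = match.groups()
        if MAGIC in normalise(url):
            hits.append({"line": number, "time": ts, "client": client,
                         "host": urlsplit(url).hostname, "referer": referer})
    return hits

def clients_to_triage(hits):
    """Unique client addresses that requested a trigger URL."""
    return sorted({h["client"] for h in hits})

M = "-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"
SAMPLE_LOG = [  # constructed sample data, not real traffic
    "2017-01-01T09:00:01Z 10.0.0.5 GET https://intranet.example.test/index.html -",
    "2017-01-01T09:00:07Z 10.0.0.7 GET https://pages.example.test/a/cwcsf" + M
    + " https://pages.example.test/a/",
    "2017-01-01T09:02:11Z 10.0.0.9 GET https://cdn.example.test/CWCSF%2Dnativemsg"
    "%2Diframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html https://blog.example.test/p",
    "2017-01-01T09:03:30Z 10.0.0.7 GET https://cdn.example.test/cwcsf%252Dnativemsg"
    "-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html -",
    "truncated line",
    "2017-01-01T09:05:00Z 10.0.0.5 GET https://intranet.example.test/cwcsf.html -",
]

if __name__ == "__main__":
    for hit in find_magic_requests(SAMPLE_LOG):
        print(hit)
```

The referer field in each hit points at the page that embedded the request, which is the page to investigate or block.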
