SecureAuth today reported on a vulnerability it found in a recent Cisco Webex Meetings update that if left unpatched could lead to a code execution.
The original issue, CVE-2018-15442, affects Webex Meetings desktop app version 18.104.22.168 does not properly validate user-supplied parameters allowing an unprivileged local attacker to exploit this vulnerability by invoking the update service command with a specially crafted argument. The end result being the attacker can run arbitrary commands with system user privileges.
The initial flaw was patched by Cisco, but a SecureAuth researcher found a way to bypass the fix.
“What caught my attention was the fact that the patch for the vulnerability, consisted of forcing the service to only run files that are signed by WebEx. As the blog post states, this is bad news, since there are many signed binaries by WebEx; including the service binary itself,” the researcher said.
“The vulnerability can be exploited by copying to a local attacker controller folder, the ptUpdate.exe binary. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll,” the SecureAuth said in its report.
To actually obtain the system user privilege the attacker must start the program with the command line “sc start webexservice install software-update 1 "attacker-controlled-path.”
SecureAuth notified Cisco of the problem on Nov. 9 and received an immediate reply with Cisco stating it was already working on a fix which has since been released.