Webex Vulnerability Can Enable Remote Code Execution

Cisco Systems patched a serious privilege escalation vulnerability in the Webex Meetings Desktop App and the Webex Productivity Tools that could be exploited remotely on local networks.

The flaw has been dubbed WebExec and was found during a penetration testing engagement by Ron Bowes and Jeff McJunkin of Counter Hack. It’s located in the WebExService that is installed on Windows machines by the Webex client apps.

WebExService runs with SYSTEM-level privileges, but can be started by any user with an account on the machine. Furthermore, the service can receive commands from other processes through an API, including an update command with a supplied file.

Poor access control validation allows attackers who control an unprivileged user account to start WebExService and force it to execute a malicious file with SYSTEM privileges. In essence, this is a privilege escalation vulnerability that malware can exploit to take full control of a system.

Typically, privilege escalation flaws can only be exploited locally, once an attacker already controls an authenticated user account. However, in Active Directory deployments, this Webex vulnerability, tracked as CVE-2018-15442, can also be exploited remotely by leveraging the operating system's remote management tools, Cisco said in its advisory.

“Any local or domain user can start the process over Windows’ remote service interface (except on Windows 10, which requires an administrator login),” the researchers said on a FAQ page dedicated to the vulnerability.

This makes the flaw highly valuable for attackers because it can be used for lateral movement inside Active Directory networks once any domain user credentials are obtained from a compromised system.

“As far as we know, a remote attack against a 3rd party Windows service is a novel type of attack,” Ron Bowes said in a technical writeup. “We’re calling the class ‘thank you for your service,’ because we can, and are crossing our fingers that more are out there!”

Cisco patched the issue in Webex Meetings Desktop App Release 33.6.0 and Webex Productivity Tools Release 33.0.5. The fix only allows files that are digitally signed by Webex to be executed through WebExService, but this does not completely mitigate the risk.

“The good news is, the patched version of this service will only run files that are signed by WebEx,” Bowes said. “The bad news is, there are a lot of those out there (including the vulnerable version of the service!), and the service can still be started remotely.”

Bowes and McJunkin came up with a command that administrators can use to restrict the right to start WebExService to local users and administrators. This closes the remote attack vector for all other domain accounts.
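As an added illustration of that kind of mitigation (this is not the researchers' or Cisco's own command), the PowerShell script below reads the service's security descriptor, flags any entry that grants the start right to a broad group such as Authenticated Users, and, with `-Apply`, replaces it with a constructed descriptor that limits starting the service to SYSTEM, local Administrators and interactively logged-on users. It assumes the service is registered as `WebExService` and that the replacement SDDL string, which is an assumption written for this example, suits your environment.

```powershell
# Added example: audit, and optionally tighten, who may START WebExService.
# Assumptions: service name "WebExService"; the tightened SDDL below is
# constructed for this example and should be reviewed before use.
param([switch]$Apply)

$svc  = 'WebExService'
# sc.exe sdshow prints the descriptor as an SDDL string beginning with "D:"
$sddl = (& sc.exe sdshow $svc | Where-Object { $_ -match '^D:' }) -join ''
if (-not $sddl) { throw "Could not read the security descriptor for $svc" }

# Each ACE has the form (Type;Flags;Rights;ObjectGuid;InheritGuid;Trustee).
# In service SDDL the right "RP" is SERVICE_START.
$aces = [regex]::Matches($sddl, '\(([^)]*)\)') | ForEach-Object {
    $f = $_.Groups[1].Value.Split(';')
    [pscustomobject]@{ Type = $f[0]; Rights = $f[2]; Trustee = $f[5] }
}

# Broad trustees: AU = Authenticated Users, WD = Everyone, BU = Users, DU = Domain Users
$broad = 'AU', 'WD', 'BU', 'DU'
$risky = $aces | Where-Object {
    $_.Type -eq 'A' -and $_.Rights -like '*RP*' -and $broad -contains $_.Trustee
}

"Current DACL for ${svc}: $sddl"
if ($risky) {
    "Start right (RP) is granted to broad groups:"
    $risky | Format-Table -AutoSize
} else {
    "No broad group holds the start right."
}

if ($Apply -and $risky) {
    # Keep the original so it can be restored with: sc.exe sdset WebExService <saved string>
    $sddl | Out-File -FilePath "$env:TEMP\$svc-sddl-backup.txt"
    # Constructed descriptor: SYSTEM and Administrators keep control, interactive (IU)
    # and service (SU) logons may start/stop/query, and no AU/WD allow entry remains.
    $tight = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
             '(A;;CCLCSWRPWPDTLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)' +
             'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
    & sc.exe sdset $svc $tight
}
```

Run it without `-Apply` first from an elevated prompt to see which groups currently hold the start right; the backup file lets the original descriptor be restored if the tightened one breaks a legitimate workflow.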

Administrators should update the Webex apps as soon as possible, because a module for the Metasploit penetration testing framework has been created for the vulnerability. This makes it very easy for attackers to incorporate the exploit into their malicious campaigns.

Android Malware Turns Phones Into Proxies

A new piece of malware distributed via malicious links in text messages allows attackers to transform users’ phones into proxies, potentially providing gateways into corporate and home networks.

The malware program is called TimpDoor and, according to researchers from antivirus maker McAfee, it has been distributed in North America via text messages that pose as voice mail notifications.

The researchers found 26 malicious APKs (Android Application Packages) that masquerade as a voice-message app and have been distributed since March. They estimate that more than 5,000 devices have been infected to date.

“If the fake application is installed, a background service starts a Socks proxy that redirects all network traffic from a third-party server via an encrypted connection through a secure shell tunnel—allowing potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors,” the researchers warn in a blog post.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42