Two Cisco WebEx security vulnerabilities

My friends at Core Security sent me an e-mail warning of a couple vulnerabilities in the popular Cisco WebEx apps. Here’s their message:

Core Security researchers Federico Muttis, Sebastian Tello and Manuel Muradas teamed to discover two separate vulnerabilities, each affecting a separate Cisco WebEx application. First, the research team manipulated a file created by the Cisco WebEx recorder (carrying the .WRF extension) and played by the WebEx player. A portion of the new file’s execution pointed to a user call instruction and allowed a hacker to execute other functions on the machine.

Second, the research team made a slight change to the XML code within a file that governs polling functionality within Cisco WebEx Meeting Center. The resulting code, when published as a poll during a presentation, crashed the machine and ultimately affected other machines connected to the WebEx meeting, causing the other participants’ machines to crash.

“Sometimes innocent actions, such as opening an email attachment that appears to be a recorded WebEx presentation, can leave a computer vulnerable to hackers,” said Alex Horan, senior product manager at Core Security Technologies. “For this reason, Core Security regularly investigates common applications to make sure they do not present new previously unknown vulnerabilities. In this case, a well-known development concern, stack overflow, is at fault. It demonstrates yet again how companies need to be constantly vigilant in testing their systems for new ways data could be compromised.”

Vulnerability Specifics

Users are required to install a special player from WebEx to view archived presentations that are executed in WRF format. This player is vulnerable to a stack-based overflow that an attacker may use to control the machine. The WRF bug was found when a CoreLabs researcher employed a well-known fuzzing method by opening a working file and modifying one byte.

As previously discussed, the vulnerability within the WebEx Meeting Center polling functionality was found through an even simpler method, and both vulnerabilities are related to stack overflow errors possible within each application. A stack overflow occurs when a program requests more memory than it has been allotted.

Remediation Recommendations

Keeping with its responsible disclosure policy, Core Security coordinated with Cisco to address the vulnerabilities and provide solutions for WebEx users prior to making this announcement.

To remediate the WRF WebEx player vulnerability, Core Security recommends uninstalling the older version and installing the latest version, which is available here: http://www.webex.com/downloadplayer.html

No remediation is necessary for the WebEx Meeting Center vulnerability, since Cisco has deployed the fix on their servers and WebEx meeting attendees are no longer exposed to the stack overflow issue.

There you have it.

–Bill Brenner