Due to the global pandemic of COVID-19, there’s been an explosion of video conferencing and messaging software usage to help people transition their work-life to a work from home environment. Vulnerabilities in this type of software now present an even greater risk to its users. Cisco WebEx is one of the most popular video conferencing solutions available, so I decided to turn my research skills to see how secure the platform is. While I did find a relatively severe memory information leakage vulnerability, we worked with Cisco through our responsible disclosure program to get this vulnerability patched.
The following applies to Cisco Webex Meetings client on Windows, version 40.4.12.8:
Once the application is installed, it adds a tray app that is started once a user logs on and has some dependent processes launched as well at that time. If a user has configured the client to log in automatically (default case), the following applies.
The client has several memory-mapped files (sections in Windows terms) open and some are not protected from opening for reading/writing by any other Windows user. Specifically, there is a section called:
\Sessions\\BaseNamedObjects\WBXTRA_TRACE_FILE_EX
Based on the file name, it appears to hold some trace information. Malicious users can open and dump the contents of this file if they can logon to the machine. Simply put, another user can loop over sessions and try to open, read, and save interesting content for future inspection.
I found that the file always contains the following sensitive information:
When a user starts a meeting, the trace file will also contain a WebExAccessToken
which allows anyone to impersonate the user and get access to the WebEx account.
A POC program provided in the advisory opens the memory mapped file for reading and dumps its contents to disk. Once the victim starts a meeting, the dump will contain something like this:
All the attacker needs to do now is to grab the Bearer token from the dump file and use it in the following HTTP POST request:
curl -d @get_token.xml -O https://homeabc.my.webex.com/WBXService/XMLService
Contents of get_token.xml
file:
<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<header>
<securityContext>
<webExID>user@host.name</webExID>
<partnerID>PT</partnerID>
<siteName>home-abc.my</siteName>
<clientInfo>CiscoWebexMeetings-Win/40.6.2</clientInfo>
<webExAccessToken>
eyJhbGci...
</webExAccessToken>
</securityContext>
</header>
<body>
<bodyContent xsi:type="java:com.webex.service.binding.user.GetLoginTicket"></bodyContent>
</body>
</serv:message>
In response a one-time login ticket will arrive:
The next step is to open the following URL in a browser to get control of the victim’s account:
https://home-abc.my.webex.com//home-abc.my/mywebex/tool/frame/mywebexframe.php?MWAT=mw&strUserName=user%40host.name&TK=b30866fa388c26cf5efda0cd6dfee20b8a60163123bddcbfafb46c54700f2448&UTF8=1&SubMenu=PTPMR
The token in red comes from the above SOAP request that uses WebAccessToken
from the dump.
Voilà:
Using the leaked information, I was able to access my own account from another machine with a different IP address. It allowed me to see all meetings along with invited parties and meeting password (if set), download past meeting recordings, and so on. Here's the entire attack:
In an attack scenario, any malicious local user or malicious process running on a computer where WebEx Client for Windows is installed can monitor the memory mapped file for a login token. Once found the token, like any leaked credentials, can be transmitted somewhere so that it can be used to login to the WebEx account in question, download Recordings, view/edit Meetings, etc.
Users of Cisco WebEx for Windows are recommended to upgrade to version 40.6.0 or the most current version as soon as possible.
Trustwave Advisory: TWSL2020-003:
Cisco Advisory for CVE-2020-3347: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-NBmqM9vt