Vulnerabilities > CVE-2017-3823 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products
Summary
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Container before 106 on Mozilla Firefox, the GpcContainer Class ActiveX control plugin before 10031.6.2017.0126 on Internet Explorer, and the Download Manager ActiveX control plugin before 2.1.0.10 on Internet Explorer. A vulnerability in these Cisco WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center) when they are running on Microsoft Windows. The vulnerability is a design defect in an application programing interface (API) response parser within the extension. An attacker that can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Metasploit
description This module exploits a vulnerability present in the Cisco WebEx Chrome Extension version 1.0.1 which allows an attacker to execute arbitrary commands on a system. id MSF:EXPLOIT/WINDOWS/BROWSER/CISCO_WEBEX_EXT last seen 2020-06-13 modified 2017-07-24 published 2017-01-27 references https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3823 reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/cisco_webex_ext.rb title Cisco WebEx Chrome Extension RCE (CVE-2017-3823) description [About](<https://www.rapid7.com/about> "About Rapid7" ) [For Customers](<https://www.rapid7.com/for-customers> "For Rapid7 Customers" ) [Free Tools](<https://www.rapid7.com/free-tools> "Free Tools from Rapid7" ) [ ![Rapid7](/db/assets/Rapid7_logo-ec0ec3940fca9dddfbcd754380bb2b50.svg) ](<https://www.rapid7.com> "Rapid7" ) * [Home](<https://www.rapid7.com/> "Rapid7.com" ) * Vulnerability & Exploit Database # Vulnerability & Exploit Database id MSF:EXPLOIT/WINDOWS/MISC/CISCO_WEBEX_EXT last seen 2017-01-28 modified 1970-01-01 published 2017-01-26 references http://cvedetails.com/cve/cve-2017-3823 reliability Great reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/cisco_webex_ext.rb title CVE-2017-3823 Cisco WebEx Chrome Extension RCE (CVE-2017-3823)
Nessus
NASL family Windows NASL id CISCO_WEBEX_EXTENSION_RCE.NASL description The Cisco WebEx Extension for Chrome installed on the remote host is affected by a remote code execution vulnerability due to a crafted pattern that permits any URL utilizing it to automatically use native messaging to access sensitive functionality provided by the extension. An unauthenticated, remote attacker can exploit this vulnerability to execute arbitrary code by convincing a user to visit a web page that contains this pattern and starting a WebEx session. last seen 2020-06-01 modified 2020-06-02 plugin id 96772 published 2017-01-25 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96772 title Cisco WebEx Extension for Chrome RCE (cisco-sa-20170124-webex) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96772); script_version("1.9"); script_cvs_date("Date: 2018/07/06 11:26:08"); script_cve_id("CVE-2017-3823"); script_bugtraq_id(95737); script_xref(name:"CISCO-SA", value:"cisco-sa-20170124-webex"); script_xref(name:"CISCO-BUG-ID", value:"CSCvc86959"); script_xref(name:"CISCO-BUG-ID", value:"CSCvc88194"); script_xref(name:"CISCO-BUG-ID", value:"CSCvc88535"); script_xref(name:"CERT", value:"909240"); script_name(english:"Cisco WebEx Extension for Chrome RCE (cisco-sa-20170124-webex)"); script_summary(english:"Checks the extension version."); script_set_attribute(attribute:"synopsis", value: "A browser extension installed on the remote host is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The Cisco WebEx Extension for Chrome installed on the remote host is affected by a remote code execution vulnerability due to a crafted pattern that permits any URL utilizing it to automatically use native messaging to access sensitive functionality provided by the extension. An unauthenticated, remote attacker can exploit this vulnerability to execute arbitrary code by convincing a user to visit a web page that contains this pattern and starting a WebEx session."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?068aee48"); script_set_attribute(attribute:"see_also", value:"https://bugs.chromium.org/p/project-zero/issues/detail?id=1096"); script_set_attribute(attribute:"see_also", value:"https://bugs.chromium.org/p/project-zero/issues/detail?id=1100"); script_set_attribute(attribute:"solution", value: "Upgrade to Cisco WebEx Extension version 1.0.7 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Cisco WebEx Chrome Extension RCE (CVE-2017-3823)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/23"); script_set_attribute(attribute:"patch_publication_date", value:"2017/01/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/25"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:google:chrome"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:webex"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc."); script_dependencies("win_chrome_browser_addons.nbin"); script_require_keys("SMB/Google_Chrome/Installed", "SMB/WindowsVersion"); script_require_ports(139, 445); exit(0); } include("audit.inc"); include("datetime.inc"); include("misc_func.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_reg_query.inc"); include("smb_hotfixes_fcheck.inc"); include("browser.inc"); include("json.inc"); addons = get_browser_addons(browser:"Chrome", type:"all", name:"Cisco WebEx Extension", exit_on_fail:TRUE); ext_report = ""; report = ""; ver = NULL; vuln = 0; users = make_array(); hotfix_check_fversion_init(); foreach addon(addons["addons"]) { if(users[addon['user']]) continue; # Try to get active version from preferences path = eregmatch(pattern:"(.*)Extensions.*", string:addon['path']); path = path[1] + "Secure Preferences"; prefs = hotfix_get_file_contents(path:path); if(prefs['error'] == 0) { prefs = json_read(prefs['data']); ver = prefs[0]["extensions"]["settings"]["jlhmfgmfgeifomenelglieieghnjghma"]["manifest"]["version"]; users[addon['user']] = TRUE; } if(empty_or_null(ver)) { if (report_paranoia < 2) { hotfix_check_fversion_end(); audit(AUDIT_PARANOID); } ver = chomp(addon['version']); } if(ver_compare(ver:ver, fix:"1.0.7", strict:FALSE) < 0) { vuln += 1; ext_report += '\n' + '\n User : ' + addon['user'] + '\n Version : ' + addon['version'] + '\n Update date : ' + addon['update_date'] + '\n Path : ' + addon['path'] + '\n'; } } hotfix_check_fversion_end(); if(vuln) { port = get_kb_item('SMB/transport'); if (!port) port = 445; if(vuln > 1) user = "users have"; else user = "user has"; report += '\n' + "The following " + user + " a vulnerable version of the Cisco WebEx Extension for Chrome installed:" + ext_report + '\n' + "Fix: Upgrade to version 1.0.7 or later." + '\n'; security_report_v4(severity:SECURITY_HOLE, port:port, extra:report); } else audit(AUDIT_INST_VER_NOT_VULN, "Cisco WebEx Extension for Chrome");
NASL family Windows NASL id CISCO_WEBEX_EXTENSION_RCE_IE.NASL description The Cisco WebEx Extension for Internet Explorer installed on the remote host is affected by a remote code execution vulnerability due to a crafted pattern that permits any URL utilizing it to automatically use native messaging to access sensitive functionality provided by the extension. An unauthenticated, remote attacker can exploit this vulnerability to execute arbitrary code by convincing a user to visit a web page that contains this pattern and starting a WebEx session. last seen 2020-06-01 modified 2020-06-02 plugin id 96908 published 2017-01-31 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96908 title Cisco WebEx for Internet Explorer RCE (cisco-sa-20170124-webex) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96908); script_version("1.8"); script_cvs_date("Date: 2018/07/06 11:26:08"); script_cve_id("CVE-2017-3823"); script_bugtraq_id(95737); script_xref(name:"CISCO-SA", value:"cisco-sa-20170124-webex"); script_xref(name:"CISCO-BUG-ID", value:"CSCvc86959"); script_xref(name:"CISCO-BUG-ID", value:"CSCvc88194"); script_xref(name:"CISCO-BUG-ID", value:"CSCvc88535"); script_xref(name:"CERT", value:"909240"); script_name(english:"Cisco WebEx for Internet Explorer RCE (cisco-sa-20170124-webex)"); script_summary(english:"Checks the extension version."); script_set_attribute(attribute:"synopsis", value: "A browser extension installed on the remote host is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The Cisco WebEx Extension for Internet Explorer installed on the remote host is affected by a remote code execution vulnerability due to a crafted pattern that permits any URL utilizing it to automatically use native messaging to access sensitive functionality provided by the extension. An unauthenticated, remote attacker can exploit this vulnerability to execute arbitrary code by convincing a user to visit a web page that contains this pattern and starting a WebEx session."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?068aee48"); script_set_attribute(attribute:"see_also", value:"https://bugs.chromium.org/p/project-zero/issues/detail?id=1096"); script_set_attribute(attribute:"see_also", value:"https://bugs.chromium.org/p/project-zero/issues/detail?id=1100"); script_set_attribute(attribute:"solution", value: "Upgrade to Cisco WebEx Extension version 2.1.0.10 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Cisco WebEx Chrome Extension RCE (CVE-2017-3823)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/23"); script_set_attribute(attribute:"patch_publication_date", value:"2017/01/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/31"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:webex"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("audit.inc"); include("misc_func.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_reg_query.inc"); include("smb_hotfixes_fcheck.inc"); include("global_settings.inc"); report = ""; ver = NULL; fix = "2.1.0.10"; registry_init(); hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE); key = "SOFTWARE\ActiveTouch\Deinstall\NS_Unknown\WebEx\T30_MC\ieatgpc.dll"; path = get_registry_value(handle:hklm, item:key); RegCloseKey(handle:hklm); close_registry(close:TRUE); hotfix_check_fversion_init(); if(!empty_or_null(path)) { ver = hotfix_get_fversion(path:path); } else { path = hotfix_get_systemroot(); path = path + "\Downloaded Program Files\ieatgpc.dll"; ver = hotfix_get_fversion(path:path); } hotfix_check_fversion_end(); error = hotfix_handle_error(error_code:ver['error'], file:path, exit_on_fail:TRUE); ver = ver['value']; ver = split(ver, sep:",", keep:false); ver = join(ver, sep:"."); if(ver_compare(ver:ver, fix:fix, strict:FALSE) < 0) { port = kb_smb_transport(); if (!port) port = 445; report += '\n' + 'One or more users have a vulnerable version of the Cisco WebEx Extension for Internet Explorer installed: ' + '\n' + '\n Installed version : ' + ver + '\n Fixed Version : ' + fix + '\n Path : ' + path + '\n'; security_report_v4(severity:SECURITY_HOLE, port:port, extra:report); } else audit(AUDIT_INST_VER_NOT_VULN, "Cisco WebEx Extension for Internet Explorer");
NASL family Windows NASL id CISCO_WEBEX_EXTENSION_RCE_FIREFOX.NASL description The Cisco WebEx Extension for Firefox installed on the remote host is affected by a remote code execution vulnerability due to a crafted pattern that permits any URL utilizing it to automatically use native messaging to access sensitive functionality provided by the extension. An unauthenticated, remote attacker can exploit this vulnerability to execute arbitrary code by convincing a user to visit a web page that contains this pattern and starting a WebEx session. last seen 2020-06-01 modified 2020-06-02 plugin id 96907 published 2017-01-31 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96907 title Cisco WebEx for Firefox RCE (cisco-sa-20170124-webex)
Packetstorm
data source | https://packetstormsecurity.com/files/download/140870/cisco_webex_ext.rb.txt |
id | PACKETSTORM:140870 |
last seen | 2017-02-01 |
published | 2017-02-01 |
reporter | Tavis Ormandy |
source | https://packetstormsecurity.com/files/140870/Cisco-WebEx-Chrome-Extension-Remote-Command-Execution.html |
title | Cisco WebEx Chrome Extension Remote Command Execution |
Saint
bid | 95737 |
description | WebEx browser extension command execution |
title | webex_browser_extension |
type | client |
References
- http://www.securityfocus.com/bid/95737
- http://www.securityfocus.com/bid/95737
- http://www.securitytracker.com/id/1037680
- http://www.securitytracker.com/id/1037680
- https://0patch.blogspot.com/2017/01/micropatching-remote-code-execution-in.html
- https://0patch.blogspot.com/2017/01/micropatching-remote-code-execution-in.html
- https://blog.filippo.io/webex-extension-vulnerability/
- https://blog.filippo.io/webex-extension-vulnerability/
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1100
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1100
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex
- https://www.kb.cert.org/vuls/id/909240
- https://www.kb.cert.org/vuls/id/909240