A vulnerability in the update service of the Cisco Webex Meetings Desktop App for Windows, tracked as CVE-2019-1674, could be exploited by an unprivileged local attacker to elevate privileges and run arbitrary commands with SYSTEM user privileges.
“A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user,” reads the security advisory published by Cisco.
“The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.”
The flaw is a Command Injection vulnerability that could also be exploited remotely by leveraging the operating system remote management tools.
The update service of Cisco Webex Meetings Desktop App for Windows fails to validate version numbers of new files.
An attacker could exploit this flaw by replacing the Cisco Webex Meetings update binary with a previous, vulnerable version through a tainted update. The older binary then loads a malicious DLL, leading to privilege escalation and allowing the attacker to run arbitrary commands with SYSTEM user privileges.
The vulnerability was reported to Cisco by the security researcher Marcos Accossatto of SecureAuth.
“The update service of Cisco Webex Meetings Desktop App for Windows does not properly validate version numbers of new files,” reads a blog post published by SecureAuth.
“An unprivileged local attacker could exploit this vulnerability by invoking the update service command with a crafted argument and folder. This will allow the attacker to run arbitrary commands with SYSTEM user privileges.”
According to SecureAuth, that flaw is a “bypass to avoid the new controls” implemented by Cisco after addressing a DLL hijacking issue tracked as CVE-2018-15442.
Experts explained that the flaw can be exploited by copying the atgpcdec.dll binary to a local folder controlled by the attacker and renaming it atgpcdec.7z. The attacker then has to compress a previous version of the ptUpdate.exe file as 7z and copy it to the same folder. The attacker
The SecureAuth researchers devised 2 proof of concept (PoC) attacks. The first targets the 33.8.X versions of the app to circumvent the signature check feature; the second exploits all versions of the Cisco Webex Meetings Desktop App for Windows prior to 33.8.X.
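The missing control described above, as an added example (not Cisco's or SecureAuth's code): an updater that accepts a correctly signed file must still refuse one whose version is not newer than the installed one. The `Candidate` type, the `accept_update` function and all version strings are hypothetical, and `signature_ok` stands in for a separate signature verification step.

```python
import re
from dataclasses import dataclass

# One to four dot-separated numeric fields, e.g. "33.8" or "33.8.2.7".
_VERSION_RE = re.compile(r"\d+(?:\.\d+){1,3}")


def parse_version(text):
    """Parse a dotted version into a 4-tuple of ints, padding with zeros."""
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"malformed version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass(frozen=True)
class Candidate:
    name: str           # file offered to the updater (hypothetical)
    version: str        # version read from the file's metadata
    signature_ok: bool  # assumed result of a separate signature check


def accept_update(installed_version, candidate):
    """Return (accepted, reason). A valid signature is necessary, not sufficient:
    an old, vulnerable release of the same product is also validly signed."""
    if not candidate.signature_ok:
        return False, "signature invalid"
    try:
        new = parse_version(candidate.version)
        cur = parse_version(installed_version)
    except ValueError as exc:
        return False, str(exc)  # fail closed on anything unparseable
    # Numeric tuple comparison; comparing the raw strings would rank
    # "33.10.0" below "33.8.2" and get the ordering wrong.
    if new <= cur:
        return False, "rollback: candidate is not newer than installed version"
    return True, "ok"


if __name__ == "__main__":
    installed = "33.8.2"  # constructed sample value
    for cand in (
        Candidate("ptUpdate.exe", "33.6.0", True),   # signed but older: reject
        Candidate("ptUpdate.exe", "33.10.0", True),  # signed and newer: accept
        Candidate("ptUpdate.exe", "33.10.0", False), # unsigned: reject
    ):
        print(cand.version, cand.signature_ok, accept_update(installed, cand))
```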
Below the timeline for the vulnerability:
(SecurityAffairs – Cisco Webex, hacking)