Public Vulnerability Reports

Cisco WebEx Meeting Manager ActiveX Stack Buffer Overflow Vulnerability

14.08.08

BACKGROUND

For more information, see the vendor's site found at the following link.

DESCRIPTION

Remote exploitation of a stack-based buffer overflow vulnerability in Cisco Systems, Inc.'s WebEx Meeting Manager Web meeting and collaboration software could allow an attacker to execute arbitrary code with the privileges of the logged-on user.

WebEx provides Web-based video conferencing and online meetings. WebEx Meeting Manager is automatically downloaded and installed the first time a user joins a WebEx meeting. For more information, please visit the following website:

http://www.webex.com

When WebEx's Meeting Manager is installed, the following vulnerable ActiveX control is registered on the system:

ClassID: 32E26FD9-F435-4A20-A561-35D4B987CFDC

ProgID: WebexUCFObject.WebexUCFObject.1

File: atucfobj.dll

The vulnerability exists in the NewObject() method of this ActiveX control. It copies user-supplied data into a fixed-size stack buffer using the sprintf() function. Since no input validation is performed, it is possible to corrupt stack memory, resulting in an exploitable condition.

ANALYSIS

Exploitation allows attackers to execute arbitrary code with the privileges of the logged-on user. Exploitation would require an attacker to host a maliciously crafted page on a website and entice users to visit that site. No further action is needed other than following a link to a malicious website. Before this issue was publicly reported, at least three independent security researchers had knowledge of this issue; thus, it is reasonable to believe that even more people were aware of this issue before disclosure.

DETECTION

iDefense has confirmed the existence of this vulnerability in atucfobj.dll file version 20.2008.2601.4928. All previous versions are suspected to be vulnerable.

WORKAROUND

The following workarounds are available for this vulnerability:

1. Unregister the vulnerable control by executing "regsvr32 /u [path to vuln dll]\atucfobj.dll".

Depending on the installation method, the vulnerable control can be found in different locations within the file system. The most likely locations are under [Program Files directory]\Webex or the [Windows directory]\Downloaded Program Files\Webex directory. The latter directory is not viewable from Windows Explorer, but can be viewed using the command prompt.

2. Set the killbit for the vulnerable control CLSID 32E26FD9-F435-4A20-A561-35D4B987CFDC

After applying any of those workarounds, users are still able to join WebEx meetings; components relying on Universal Communications Format (UCF), such as playback, might not work properly.
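One way to apply and verify workaround 2 from an elevated PowerShell prompt, as an added example that is not part of the original advisory. It assumes the standard Internet Explorer "ActiveX Compatibility" registry location and the kill bit flag value 0x400; the function names are hypothetical, and the 32-bit (Wow6432Node) view is covered because 32-bit Internet Explorer on 64-bit Windows reads its flags there.

```powershell
# Added example: set and verify the kill bit for the CLSID named in the advisory.
$Clsid   = '{32E26FD9-F435-4A20-A561-35D4B987CFDC}'   # CLSID from the advisory
$KillBit = 0x00000400                                  # "do not load" compatibility flag
$Name    = 'Compatibility Flags'
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Read the current flags for one key; a missing key or value counts as 0.
function Get-CompatFlags {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $prop = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($prop) { return [int]$prop.$Name }
    return 0
}

# Hypothetical helper: OR the kill bit into the existing flags so that any
# other compatibility flags already set for the control are preserved.
function Set-KillBit {
    param([string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }  # no Wow6432Node on 32-bit Windows
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = (Get-CompatFlags -Key $key) -bor $KillBit
        New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $flags -Force | Out-Null
    }
}

# Hypothetical helper: report, per registry view, whether the kill bit is set.
function Get-KillBitState {
    param([string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key   = Join-Path $root $Clsid
        $flags = Get-CompatFlags -Key $key
        [pscustomobject]@{
            Key    = $key
            Flags  = '0x{0:X8}' -f $flags
            Killed = (($flags -band $KillBit) -ne 0)
        }
    }
}

Set-KillBit -Clsid $Clsid
Get-KillBitState -Clsid $Clsid | Format-Table -AutoSize
```

Running only `Get-KillBitState` is a read-only audit that can be used across a fleet to confirm the workaround is in place for every registry view.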

VENDOR RESPONSE

Cisco has released an advisory which describes methods of updating the WebEx client and server software. Information about non-directly downloadable vendor fixes is accessible by following the URLs shown.

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3558 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

DISCLOSURE TIMELINE

05/12/2008 Initial vendor notification
05/12/2008 PoC sent
08/14/2008 Public disclosure

CREDIT

This vulnerability was reported to iDefense by Tobias Klein.

LEGAL NOTICES

Copyright © 2010 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.