
Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution - QUFB
https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
======
pilif
Oh my god. This is the pinnacle of stupidity and stuff like this is why over
time extensions will lose functionality until they will be removed completely.
Browser vendors understandably want blunders like this to not be happening.

We're yelling at browser vendors for locking down their browsers more and more
and for removing more and more features that allow developers more native
access, but then stuff like this happens.

Who thought that exposing the full native OS API via a (cumbersome) scripting
language was a good idea? Why does this need to be a browser extension and not
something I need to explicitly install on my machine?

Java Applets at least had a sandbox (albeit with flaky security). They have
gone away because of security concerns, but as people still need some native
access, people build stuff like this that is infinitely worse than what Java
has ever been. Instead of a single sandbox, we're now relying on an unlimited
amount of only mildly competent developers coming up with elaborate schemes
that do nothing but provide a slight bit of obscurity.

That uuid and the base64 encoding of the library name and function calls point
to the fact that the developers felt uncomfortable, which is good I guess.
That they then chose to use such an impotent method of protection is less so.
At this point, why did they even bother?

I'm starting to think that we are actually worse off now than we were in the
age of Java Applets and NSAPI plugins

~~~
gsnedders
And this is why browsers keep on pushing more and more features into the web
platform: to get rid of people writing extensions and plugins like this.

------
andmarios
WebEx is the worst conferencing software I've used. Their Linux support is
worse than non-existent. If it were non-existent, that would be it; life could
go on. But no, they provide a Java applet that runs only from Firefox, with
which it's impossible to use audio because they are still at 32-bit, that
claims to share one application and instead shares your whole screen (and only
if you are lucky and someone tells you will you ever know), and occasionally
(like one hour before an important meeting) they release a version with bad
manifests and the applet refuses to download its components.

Even their Android client can't manage the mic volume properly and people
can't hear you.

~~~
cordite
Their phone line support seems to be high quality though, other participants
are more intelligible than Skype for business.

~~~
throwanem
Tin cans and string are more intelligible than Lync, aka "Skype for Business".
It's the worst thing I've ever used in this space, by an absurdly large
degree.

~~~
terrywang
I received a Lync / Skype for Business invitation (in G Suite, AKA Gmail)
with no time and date, just a URL (custom domain for this company). Clicking
on that link: dead link... (later on it was fixed but asked me to install an
add-on; did it in a Windows virtual machine, joined the meeting, meeting
expired...)

Ridiculous experience, worst web conferencing service I have ever used (I
consider it even worse than Oracle Beehive Conferencing - not many people know
this). In contrast, WebEx is way better (phone dial-in quality is pretty
good).

~~~
toyg
Oh gawd Beehive. Is it still alive? Why did Oracle ever think they should get
into groupware???

~~~
terrywang
I believe Oracle is still using Beehive Collaboration Suite
[https://stbeehive.oracle.com](https://stbeehive.oracle.com) (conferencing as
a part of the suite) internally, for email (Thunderbird is the preferred
client, wow), calendar (CalDAV) etc.

Beehive Conferencing used to be the default option for remote web conferencing
(it actually has a better Linux version than WebEx). Beehive's predecessor, I
cannot even remember the name, used to be Windows ONLY and crashed attendees'
Windows (BSOD) randomly (15-20%...) LoL

------
slg
>The extension works on any URL that contains the magic pattern "cwcsf-
nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html", which can be
extracted from the extensions manifest. Note that the pattern can occur in an
iframe, so there is not necessarily any user-visible indication of what is
happening, visiting any website would be enough.

It seems bonkers that someone would think it is a good idea to not at the very
least have any domain-level validation. It is also another mark against the
"more eyes mean more security" mindset. That flaw would be available in clear
text to anyone who bothered to examine the manifest of the Chrome extension. It
just seems like no white hat bothered to look before.

------
Cyph0n
Tavis is at it again, huh. Man, is he one productive fellow!

Cisco's proposed fix for the exploit seems a bit hacky though.

~~~
EE84M3i
Tavis is an excellent researcher, but it's important to remember that finding
bugs and posting them publicly is his full-time job, so it's not too
surprising that he finds a few bugs that are noteworthy every month. He seems
to emphasize breadth rather than depth in his searching, which is part of the
reason he finds so many! After all, bugs are dense and most software is
crap...

I suspect there are many others who are just as capable of doing the same
work, but either A) don't have the opportunity (e.g. they have day jobs, few
people work on P0) or B) aren't as public about their findings (e.g. exploit
brokers, nation states, etc)

Anyway, that's what I remind myself whenever I start thinking "I wish I could
be as cool as Tavis". Someday I'd love to have the opportunity to do the
same work.

~~~
Cyph0n
Agreed, but the fact that he's able to _consistently_ discover horrendous
exploits never ceases to impress me. I also love how he has broken basically
every major AV software out there.

------
nrjdhsbsid
I have and always will despise WebEx. It's the most non-user-friendly
enterprisey garbage I've ever dealt with.

Good luck using it if you have a single non technical client on call.

------
arca_vorago
As a sysadmin who spent years working with Cisco in business, I now advocate
business run away, not walk, as fast as possible from Cisco reps, lest they
get ahold of your budget and drain it while installing backdoors in your
systems, like the NSA loving techno-vampires they are.

~~~
damnfinecoffee
As someone who has friends who have worked for Cisco Security, I can say with
a fair amount of confidence they're not "NSA loving techno-vampires".

Here's a whitepaper on one of their newer products that is fully end-to-end
encrypted (meaning anti-NSA):
[http://www.cisco.com/c/dam/en/us/solutions/collateral/collab...](http://www.cisco.com/c/dam/en/us/solutions/collateral/collaboration/cloud-
collaboration/cisco-spark-security-white-paper.pdf)

~~~
Cyph0n
I second this. My advisor and I recently visited Cisco to present some
embedded security work we've been doing. From what I could gather, they were
very interested in ensuring that their customers' applications and devices
were secure. They were also looking for ways to provide their customers with
ways to check for government backdoors.

~~~
epistasis
There's an honest question about how deep that support goes though. Is it just
that group, which is a tiny tiny part of a megacorp? How much influence do
they have on the huge number of shipped products? What percentage of shipped
Cisco products get a security review?

~~~
i336_
An alternative line of thought is, making the right noises for the customers
while also keeping the bribe budgets liquid, to put it crassly.

Putting my security researcher hat on, maybe this tiny little group's purpose
is to figure out and get intel on what directions customers are actually
looking in, so they know where to hide stuff.

Not comfortable talk, I know. I'm inspired by
[http://video.fosdem.org/2014/Janson/Sunday/NSA_operation_ORC...](http://video.fosdem.org/2014/Janson/Sunday/NSA_operation_ORCHESTRA_Annual_Status_Report.webm)
(46:05, well worth watching; 357MB)

------
ris
I was prompted to install the plugin for WebEx a few weeks ago to attend an
online meeting and am glad I had the right instincts about it. Everything
about it screamed "wrong decade".

------
nul_byte
WebEx is horrible software to begin with. Hopefully this will just convince
more companies to drop the monstrosity.

------
hobarrera
I'm honestly curious as to why they don't use browser APIs for WebEx. It seems
that they don't offer any feature that plenty of others manage to implement
with just plain ol' HTML5.

~~~
djrogers
Hard to do 25-user video and audio conferencing with shared desktop, chat, and
recording all in HTML5. In fact I don't think I'd be out of line to say that
it's impossible, so your assertion that others do so is dubious...

~~~
roddux
Isn't this what the Firefox Hello demo was for -- to prove that it's possible?

Multi-user screen sharing (I didn't realise this), video conferencing, chat
and audio. From your browser.

It's since been discontinued but the ideas (and means to do this) live on in
other projects; some listed here: [https://support.mozilla.org/en-US/kb/hello-
status](https://support.mozilla.org/en-US/kb/hello-status)

------
_joel
Interesting seeing the results of the Observatory[1] given at the bottom of
the report.

[1][https://observatory.mozilla.org/analyze.html?host=www.webex....](https://observatory.mozilla.org/analyze.html?host=www.webex.com)

~~~
dsp1234
www.firefox.com has a score of C, with a recent F score in their grade
history.

It looks like this is a really strong set of security requirements. According
to their stats, 87% of sites tested have an F score, and only 1.47% have an A-
or higher.

~~~
gsnedders
firefox.com has a relatively low score because of a goal to keep it accessible
by older browsers on older operating systems (i.e., out-of-the-box, you should
be able to load it on the oldest systems Firefox supports, which I believe
include XP SP2).

------
bitwize
Pass the Ball™ to random script kiddies and hostile government agencies with
WebEx!

------
chuckdries
If there's supposed to be a 90-day disclosure lag, why is this on Hacker
News today?

~~~
i336_
It got fixed. Note the discussion about high turnaround time.

EDIT: The better technical term would be "arguably patched." See reply below.

~~~
deathanatos
> _It got fixed._

Just so that nobody reading the comments gets the wrong idea: read the whole
discussion. Fixed here seems _very_ subjective; they only seem to have limited
the extension to the webex.com domain. In particular,

> _although this does mean any XSS on webex.com would allow remote code
> execution_

and

> _doesn't use HTTP Strict Transport Security, either as a header or by being
> preloaded_

My understanding is that this means that not only would any XSS on webex.com
lead to possible exploitation, but also that anyone who can MitM your machine,
such as in a coffee shop, could use that to gain remote execution by
intercepting and faking a request to an unsecured webex.com. (Since no HSTS is
in place, the browser would allow it.)

The latter is less likely, but nonetheless, this extension seems to allow
anyone who can talk to it an RCE, which seems far from fixed.

~~~
spyder
Yeah, after a quick look I already found an XSS on a *.webex.com subdomain,
but it only works in Internet Explorer and Edge because these browsers don't
escape URLs, so it doesn't affect the Chrome or Firefox extensions but tells
something about how secure these subdomains are (and the IE browsers).

