-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:             WebEx Meeting Manager ActiveX Stack Buffer Overflow
Advisory ID:          TKADV2008-009
Revision:             1.0
Release Date:         2008/09/21
Last Modified:        2008/09/21
Date Reported:        2008/04/08
Author:               Tobias Klein (tk at trapkit.de)
Affected Software:    WebEx Meeting Manager
Remotely Exploitable: Yes
Locally Exploitable:  No
Vendor URL:           http://www.webex.com
Vendor Status:        Vendor has released a fixed version
CVE-ID:               CVE-2008-2737

======================
Vulnerability details:
======================

Remote exploitation of a stack-based buffer overflow vulnerability in
WebEx's Meeting Manager allows attackers to execute arbitrary code with
the credentials of the user visiting a malicious website.

When WebEx's Meeting Manager is installed, the following vulnerable
ActiveX control is registered on the system:

ClassID: 32E26FD9-F435-4A20-A561-35D4B987CFDC
ProgID : WebexUCFObject.WebexUCFObject.1
File   : atucfobj.dll
Version: 20.2008.2601.4928

While this control is marked as safe for scripting, it has been designed
so that it can only be run from the "webex.com" domain. In practice this
requirement can be bypassed through any Cross Site Scripting (XSS)
vulnerability in the WebEx domain. Exploitation could also occur through
DNS poisoning attacks.

======================
Technical description:
======================

The NewObject() method of the ActiveX control with the CLSID
32E26FD9-F435-4A20-A561-35D4B987CFDC was found to be vulnerable to a
stack-based buffer overflow. Attacker-supplied data of arbitrary length
is copied into a fixed-size stack buffer using the sprintf() function.
Since no input validation is performed, it is possible to corrupt stack
memory, resulting in an exploitable condition.

Disassembly of atucfobj.dll (version 20.2008.2601.4928):

[...]
.text:1000B37D push    ebp
.text:1000B37E mov     ebp, esp
.text:1000B380 sub     esp, 10Ch
.text:1000B386 push    edi
.text:1000B387 lea     eax, [ebp+SubKey]        <-- [1]
.text:1000B38D push    [ebp+cbData]             <-- [2]
.text:1000B390 xor     edi, edi
.text:1000B392 push    offset aAuthoring
.text:1000B397 push    offset aSoftwareWebexU
.text:1000B39C push    eax                      <-- [3]
.text:1000B39D call    ds:sprintf               <-- [4]
[...]

[1] Destination stack buffer for sprintf()
[2] User-controlled source data for sprintf()
[3] See [1]
[4] The sprintf() function copies the user-controlled data into the
    fixed-size stack buffer

=========
Solution:
=========

See reference [2].

========
History:
========

2008/04/06 - Discovery of the vulnerability
2008/04/08 - iDefense VCP notified
2008/06/20 - Rediscovery of the vulnerability by Elazar Broad [1]
2008/08/06 - Public disclosure of the vulnerability by Elazar Broad [1]
             with the following credit section: "When I reported this
             issue to the vendor, they had stated that they were aware
             of it, but would not say whether it was the result of an
             internal audit or an independent researcher."
2008/08/14 - Security advisory released by Webex/Cisco [2]
2008/09/17 - Release of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://seclists.org/fulldisclosure/2008/Aug/0083.html
[2] http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml
[3] http://www.trapkit.de/advisories/TKADV2008-009.txt

========
Changes:
========

Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.
Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2008 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP

wj8DBQFI1oNFkXxgcAIbhEERAtuQAKDIt01kWtRrkhvprKw8iBw3Rm3bhQCghrJV
s8NQOB3gx0BA0fOtqEyhqO0=
=pvlN
-----END PGP SIGNATURE-----
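The Technical description section above names the defect class: sprintf() writing a caller-controlled string into a fixed-size stack buffer with no length check. The following C code is an added illustration of that pattern next to its bounded replacement; it is not code from the advisory, from atucfobj.dll or from the vendor. The buffer size (256 bytes) and the format string (PLACEHOLDER_PREFIX\%s\%s, standing in for the aSoftwareWebexU format whose real contents the advisory does not show) are assumptions, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the advisory shows a 0x10C-byte stack frame but
 * does not state the exact size of the SubKey buffer. */
#define SUBKEY_BUF_SIZE 256

/* Placeholder format string. The disassembly shows a format
 * (aSoftwareWebexU) taking a fixed string (aAuthoring) and the
 * caller-supplied cbData argument; the real contents are not on the page. */
#define SUBKEY_FMT "PLACEHOLDER_PREFIX\\%s\\%s"

/* The pattern the advisory describes: sprintf() writes a caller-
 * controlled string into a fixed-size buffer with no length check.
 * Shown only for contrast; it is never called below. */
static void build_subkey_unsafe(char *subkey, const char *fixed,
                                const char *user_data)
{
    sprintf(subkey, SUBKEY_FMT, fixed, user_data);
}

/* Hardened form: snprintf() bounds the write to the buffer size, and the
 * return value is checked so truncation is treated as an error rather
 * than silently producing a wrong key. */
static bool build_subkey_safe(char *subkey, size_t subkey_len,
                              const char *fixed, const char *user_data)
{
    if (subkey == NULL || subkey_len == 0)
        return false;
    int n = snprintf(subkey, subkey_len, SUBKEY_FMT, fixed, user_data);
    if (n < 0 || (size_t)n >= subkey_len) {
        subkey[0] = '\0';      /* do not leave a partial key behind */
        return false;
    }
    return true;
}

/* Caller-side pre-check: largest user_data length that still fits,
 * so overlong input can be rejected before any formatting happens. */
static size_t max_user_data_len(size_t subkey_len, const char *fixed)
{
    /* Length of the formatted output with an empty user_data string. */
    int base = snprintf(NULL, 0, SUBKEY_FMT, fixed, "");
    if (base < 0 || (size_t)base + 1 > subkey_len)
        return 0;
    return subkey_len - 1 - (size_t)base;
}

/* Demonstration with constructed inputs: a short value fits, an
 * overlong one is rejected and the buffer is left empty. */
static bool demo_short_input_fits(void)
{
    char subkey[SUBKEY_BUF_SIZE];
    return build_subkey_safe(subkey, sizeof subkey, "FixedPart", "short")
        && strcmp(subkey, "PLACEHOLDER_PREFIX\\FixedPart\\short") == 0;
}

static bool demo_long_input_rejected(void)
{
    char subkey[SUBKEY_BUF_SIZE];
    char too_long[2 * SUBKEY_BUF_SIZE];          /* constructed overlong input */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    bool ok = build_subkey_safe(subkey, sizeof subkey, "FixedPart", too_long);
    return !ok && subkey[0] == '\0';
}

int main(void)
{
    printf("short input fits:     %s\n", demo_short_input_fits() ? "yes" : "no");
    printf("long input rejected:  %s\n", demo_long_input_rejected() ? "yes" : "no");
    printf("max user_data length: %zu\n",
           max_user_data_len(SUBKEY_BUF_SIZE, "FixedPart"));
    return 0;
}
```

The two checks together are what the vulnerable code lacks: a bounded write, and an explicit decision about what happens when the input does not fit. Checking the snprintf() return value matters because silent truncation of a registry-style path is itself a correctness problem, even once the memory corruption is gone.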