
The Cisco WebEx extension is actively used by about 20 million people; it is part of the popular web conferencing software. Google researcher
Tavis Ormandy has published information about a vulnerability he discovered in this component: the nativeMessaging technology it relies on allows any website the user connects to to execute arbitrary code.
The WebEx extension activates on any URL containing a special pattern (magic pattern):
cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
The pattern is taken from the extension manifest. It can also appear in an iframe, so the user cannot always control when the extension is activated. At the same time, the use of the nativeMessaging component allows any site the user visits to execute arbitrary code.
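The following added example, which is not code from the article or from Cisco, models the "URL contains the pattern" activation rule next to a stricter origin check and uses the difference to flag URLs taken from a proxy log. The trusted suffix `.webex.com`, the function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Magic pattern quoted in the article.
const MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html";

// Assumption: host suffixes an organization actually uses for WebEx meetings.
const TRUSTED_SUFFIXES = [".webex.com"];

// Simplified model of the behaviour described above:
// the pattern anywhere in the URL is enough, on any host.
function weakMatch(url) {
  return url.includes(MAGIC);
}

// Stricter rule: HTTPS only, trusted host, pattern is the last path segment.
function strictMatch(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  const trusted = TRUSTED_SUFFIXES.some(
    (s) => host === s.slice(1) || host.endsWith(s)
  );
  return trusted && u.pathname.split("/").pop() === MAGIC;
}

// URLs that would activate the extension without coming from a trusted origin.
function findSuspicious(urls) {
  return urls.filter((u) => weakMatch(u) && !strictMatch(u));
}

// Constructed sample of URLs as they might appear in a proxy log.
const SAMPLE_URLS = [
  "https://meet.webex.com/join/" + MAGIC,            // trusted origin
  "https://news.example/article?id=7",               // pattern absent
  "https://ads.example/frame/" + MAGIC,              // third-party iframe host
  "http://meet.webex.com/join/" + MAGIC,             // plaintext transport
  "https://webex.com.lookalike.example/" + MAGIC,    // suffix does not match
];

console.log(findSuspicious(SAMPLE_URLS));
```

Matching on the parsed hostname rather than on the raw URL string is what keeps the lookalike host from passing the check.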
The extension uses a complex protocol in which CustomEvent() objects carry JSON messages between the web page, the extension, and the native application code.
During initialization, the site first needs to ask the application side to open a communication port:
document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }})); // token can be any string
Messages can then be passed to the native code via message events. Several different message types are used: "hello", "disconnect", etc. According to Ormandy, one of the most interesting is the "launch_meeting" message:
document.dispatchEvent(new CustomEvent("message", { detail: { message: JSON.stringify(msg), message_type: "launch_meeting", timestamp: (new Date()).toUTCString(), token: "token" } }));
The researcher went through the process of setting up a conference and recorded the messages sent during initialization. In them, he found many properties that can be used to execute code. Having decoded the message strings, he discovered something like a scripting language through which functions of the native code were called. As a result, Ormandy managed to create an
exploit that executes arbitrary code on the user's system (testing it requires
WebEx to be installed on the computer).