This week, Cisco engineers fixed several vulnerabilities in Jabber for Windows, the company’s video conferencing and messaging application. The fixed issues included an RCE bug that could be used to execute arbitrary code on the victim’s system and that had wormable potential.
Specialists from the Norwegian information security firm Watchcom Security discovered the vulnerabilities while conducting a penetration test of all currently supported versions of the Jabber client for Windows (12.1 – 12.9). Two of the four identified flaws could be used for remote arbitrary code execution.

The most serious of the problems received the identifier CVE-2020-3495 and scored 9.9 out of 10 on the CVSS scale. Message content was validated incorrectly, so attackers could send malicious XMPP messages to a vulnerable Jabber client and, as a result, execute arbitrary code on the vulnerable system (with the rights of the current user). Worse, such an attack had worm potential, meaning that malware could spread from one user to another.
The root of the problem was that a filter designed to block potentially harmful content in messages failed to block code that ended up triggering the onanimationstart event handler.
So, while the filter effectively blocked content containing the <style> tag (which would otherwise need to be included in the payload), the researchers used a built-in animation component called spinner-grow to bypass the protection. In the end, they built an XSS exploit that injected the payload directly into Jabber’s embedded browser.
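The bypass above is a textbook failure of blocklist filtering: removing <style> does nothing about an inline event-handler attribute when the client already ships the CSS animation it needs. The following Python example (added here; it is not Cisco’s or Watchcom’s code) contrasts a model of that weak filter with an allowlist sanitizer that keeps only known-safe tags and attributes and drops every on* attribute, so no handler is left to fire regardless of which animation classes the client bundles. The tag and attribute lists, the sample message and the alert(1) canary are constructed for the example.

```python
"""Allowlist sanitizer for chat-message HTML (added example, not Cisco's or Watchcom's code).

The filter described in the article was a blocklist: it removed <style> content
but let an inline event-handler attribute through, and because the client already
shipped a CSS animation class (spinner-grow), an onanimationstart handler fired
without the message needing its own <style>. The hardened sanitizer below keeps
only known-safe tags and attributes and drops every on* attribute.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "span", "div", "a"}
ALLOWED_ATTRS = {"a": {"href"}, "span": {"class"}, "div": {"class"}}
SAFE_HREF_PREFIXES = ("http://", "https://")
DROP_WITH_CONTENT = {"script", "style"}


def blocklist_filter(html: str) -> str:
    """Model of the weak filter: strips <style> blocks and nothing else."""
    return re.sub(r"<style\b[^>]*>.*?</style>", "", html, flags=re.I | re.S)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the message from an allowlist; everything else is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = 0  # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skipping += 1
            return
        if self._skipping or tag not in ALLOWED_TAGS:
            return  # unknown tags (img, iframe, svg, ...) vanish, their text stays escaped
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on"):
                continue  # every event handler attribute, onanimationstart included
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue  # javascript:, data:, file: and custom schemes are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skipping = max(0, self._skipping - 1)
            return
        if not self._skipping and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data))


def sanitize(html: str) -> str:
    """Return the allowlisted, re-serialised form of an untrusted message body."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample message: the handler attribute rides on a class the client
# already animates, and the payload is a harmless alert(1) canary.
SAMPLE = (
    "<p>hi <b>there</b></p>"
    '<div class="spinner-grow" onanimationstart="alert(1)">x</div>'
    "<style>.x{}</style>"
    '<a href="javascript:alert(1)">link</a>'
)

if __name__ == "__main__":
    print("blocklist :", blocklist_filter(SAMPLE))
    print("allowlist :", sanitize(SAMPLE))
```

Run stand-alone, the blocklist line still contains the onanimationstart attribute while the allowlist line reduces the message to plain markup with the class preserved and the handler, the <style> block and the javascript: link gone. Allowlisting is the design choice that matters: the bypass in the article worked precisely because the blocklist had to guess which constructs were dangerous.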
The Chromium Embedded Framework (CEF) sandbox normally keeps the payload in a container isolated from the vulnerable parts of the application. To get around this limitation and escape the sandbox, the researchers abused window.CallCppFunction, which is designed to open files sent by other Cisco Jabber users.
“Because Cisco Jabber supports file transfers, an attacker can initiate the transfer of a file containing a malicious .exe and force the victim to accept it using an XSS attack,” the experts explain. “Then the attacker can provoke a call to window.CallCppFunction, and as a result, the malicious file will be launched on the victim’s machine.”
Another interesting vulnerability discovered by the Watchcom experts has the identifier CVE-2020-3430 and is rated 8.8 out of 10. In this case, the bug affects the Cisco Jabber protocol handlers, which tell the OS what to do when the user clicks a URL associated with Jabber.
“Protocol handlers are vulnerable to command injection because they do not handle URLs that contain spaces correctly. By including a space in the URL, an attacker can inject arbitrary command line parameters that will eventually be passed to the application. Since the application uses CEF and accepts Chromium command line parameters, there are several parameters that can be used to execute arbitrary commands or load arbitrary DLLs. A good example is --gpu-launcher, which defines the command that will be executed when the CEF process starts,” the experts say.
This vulnerability can be combined with XSS to execute code without having to transfer any file to the victim. As a result, the problem can be used to deliver malware without writing files to disk, bypassing most anti-virus programs.
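The protocol-handler bug comes down to two mistakes on the receiving side: trusting that the OS delivers the clicked URL as a single argument, and forwarding the process arguments on to the embedded Chromium, where they are honoured as switches. The Python example below (added here; not Cisco’s code) shows the hardened shape of such an entry point: accept exactly one argument, reject anything that is not a single printable URL of the expected scheme, and build the browser command line from a fixed switch list rather than from argv. It also includes a small audit helper for the registered command template. The scheme name, the switch list, the paths and all function names are assumptions made for illustration.

```python
"""Hardened entry point for a custom URL-scheme protocol handler (added example,
not Cisco's code). Scheme name, paths and function names are assumptions.

The article's protocol-handler bug: a URL containing spaces is split by the OS
into several arguments, and a client that passes its arguments on to the embedded
Chromium (CEF) lets them act as Chromium switches. The defensive side: accept
exactly one argument, refuse anything that is not one printable URL of the
expected scheme, and never let argv reach the browser's command line.
"""
import re
from urllib.parse import urlsplit

SCHEME = "examplechat"                   # hypothetical scheme for illustration
FIXED_CEF_SWITCHES = ("--disable-gpu",)  # switches chosen by the client itself

# scheme:rest where rest is printable ASCII with no space and no double quote
# (a quote could break the "%1" quoting in the registered command template).
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*:[!#-~]*$")


class HandlerArgumentError(ValueError):
    """Raised when the arguments handed to the handler are not one clean URL."""


def parse_handler_argv(argv):
    """Return the single URL from argv (the OS-delivered arguments after the program name)."""
    if len(argv) != 1:
        # A URL with a space arrives as two or more arguments: reject, never re-join.
        raise HandlerArgumentError(f"expected exactly one argument, got {len(argv)}")
    url = argv[0]
    if url.startswith("-"):
        raise HandlerArgumentError("argument looks like a switch, not a URL")
    if not URL_RE.match(url):
        raise HandlerArgumentError("URL contains whitespace, quotes or non-printable bytes")
    if urlsplit(url).scheme != SCHEME:
        raise HandlerArgumentError("unexpected URL scheme")
    return url


def is_accepted(argv) -> bool:
    """Convenience predicate: does parse_handler_argv accept this argv?"""
    try:
        parse_handler_argv(argv)
        return True
    except HandlerArgumentError:
        return False


def naive_cef_command_line(argv):
    """The pattern to avoid: forwarding argv wholesale, so an injected switch reaches CEF."""
    return list(argv)


def cef_command_line(url):
    """Fixed switch list plus the validated URL as a positional argument only."""
    return list(FIXED_CEF_SWITCHES) + [url]


def command_template_quotes_url(template: str) -> bool:
    """Audit helper for a registered handler command (for example the value under
    shell\\open\\command on Windows): the %1 placeholder must sit inside double quotes.
    Quoting alone is not a fix, the argument checks above are still required."""
    return '"%1"' in template


if __name__ == "__main__":
    # Constructed inputs: a clean URL, and a URL the OS has already split on a space.
    clean = ["examplechat://room/abc"]
    split = ["examplechat://room/abc", "--some-switch=value"]
    print("clean ->", cef_command_line(parse_handler_argv(clean)))
    print("naive ->", naive_cef_command_line(split))
    print("split ->", "rejected" if not is_accepted(split) else "accepted")
```

The naive variant is kept only to make the contrast visible: with it, the second element of the split argv is exactly what the embedded browser would parse as a switch. The hardened path refuses before any of that happens, and because the URL is only ever passed as a positional argument after a fixed switch list, there is no route from message content to Chromium’s command line even if a later check is forgotten.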
The video below demonstrates PoC attacks in practice.
The vulnerabilities described affect Cisco Jabber for Windows from version 12.1 to version 12.9.1. Users who are still working with vulnerable versions are advised to update as soon as possible.
Let me also remind you that we previously wrote about a vulnerability in Cisco WebEx that allowed eavesdropping on other people’s conversations.