Sunday, September 21, 2008

Vulnerability rediscovery, XSS and a WebEx bug

Every security researcher who is hunting for bugs hates this particular situation: a vulnerability that you have found and reported to the vendor gets rediscovered and publicly disclosed by someone else. This just happened to me again but this time I decided to also disclose an advisory for the vulnerability.

The vulnerability I'm talking about affects an ActiveX component of WebEx (CVE-2008-2737). See my advisory for a detailed technical description.

I found the vulnerability in April 2008 and Elazar Broad rediscovered it in June 2008. He also informed WebEx/Cisco about the vulnerability but then publicly disclosed it the full disclosure way. In his advisory he states: "When I reported this issue to the vendor, they had stated that they were aware of it, but would not say whether it was the result of an internal audit or an independent researcher". Well, that independent researcher was me ...

Now to the vulnerability: it is a classic stack overflow that can be reliably exploited to execute arbitrary code in the browser of the victim. As WebEx is *the* web conferencing tool, there should be a lot of vulnerable browsers out there.

One interesting thing regarding the vulnerability is that while this control is marked as safe for scripting, it has been designed so that it can only be run from the "webex.com" domain. In practice this requirement can be bypassed through the use of any Cross-Site Scripting (XSS) vulnerability in the WebEx domain, since script injected there runs with that domain as its origin. Well, at least in this scenario reflected (non-persistent) XSS turns out to be a *real* security threat ;)