ZDI-18-1078

1. About ZDI-18-1078
2. Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability
3.  
4. ZDI ID: ZDI-18-1078 or ZDI-CAN-6254
5. CVE ID: CVE-2018-15421
6. CVSS SCORE: 5.1, (AV:N/AC:H/Au:N/C:P/I:P/A:P)
7. AFFECTED VENDORS: Cisco
8. AFFECTED PRODUCTS: WebEx
9. Additonal Details: Cisco has issued an update to correct this vulnerability. More details can be found at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180919-webex
10.  
11. Timeline:
12. * 2018-05-24 - Vulnerability reported to vendor
13. * 2018-09-21 - Coordinated public release of advisory
14. * 2018-09-21 - Advisory Updated
15.  
16. Credit: Ziad Badawi
17.  
18. Vulnerability Details
19. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the NMVC.DLL module. When parsing an ARF file, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of the current process.
20.  
21. Over this past year, several different researchers submitted bug reports in the Cisco Webex suite of programs. However, in their more than 40 submissions, they missed this trivial stack-based buffer overflow. This blog details ZDI-18-1078, a vulnerability in Cisco Webex Network Recording Player version 31.23.2.58 (now reaching its EOL) that results in remote code execution.
22.  
23. The Vulnerability
24. When reading an Advanced Recording (.arf) file, the player attempts to access a file in the current directory named RtpConfig.ini. This action is not documented. The .ini file contains the configuration for what is likely a Real-Time Transport Protocol (RTP) service, but since there is no documentation of the file or the service, it may be something different.
25.  
26. The bug occurs in nmvc.dll inside a routine labeled sub_1001F479 that parses RtpConfig.ini and extracts its properties. The following snippet shows how the MinLostRate parameter is getting set up as well as other parameters going downwards.
27.  
28. The culprit here is a sscanf call, a banned function by Microsoft, with no width field in the format string. The sscanf function parses the .ini file contents and reads property values in order to match them to a set of hardcoded parameters. The format used is: %[^ \t#]%*[ \t]%[^ \t#]%n
29.  
30. which writes to three arguments. The first and third specifiers (%[^ \t#]) do not use a width value in between the % and [. This means it will read every character until it reaches whitespace. This will write to the passed arguments Str1 and Source disregarding their sizes and could lead to an overflow if input is large enough.
31.  
32. The .ini file is read in 0x3FF-byte chunks and, since both consecutive variables Source and Str1 are sized 0x100 and 0x106 bytes respectively, an overflow can occur leading to a corrupted stack.
33.  
34. Conclusion
35. Cisco patched this and two other vulnerabilities with advisory cisco-sa-20180919-webex. It is good to know that these versions are reaching their EOL, as many similar bugs have been submitted to the program. Hopefully, the newer versions are more secure. Bug submissions in enterprise software are on the rise, putting this category just behind Desktop Application and SCADA submissions. Considering how many of these programs exist in enterprises, this trend will likely continue.
36.  
37. You can find me on Twitter @ziadrb and follow the team for the latest exploit techniques and security patches.
38.  
39. From Zero Day Initiative: https://www.zerodayinitiative.com/blog/2018/9/27/cve-2018-15421-examining-a-stack-based-overflow-in-the-cisco-webex-network-recording-player