Researchers discovered a vulnerability in Cisco Webex, called WebExec, which allows local attackers to issue commands as privileged users.
Ron Bowes and Jeff McJunkin, researchers at Counter Hack -- a team that designs, builds and operates cyber ranges and provides penetration testing services -- found the Webex issue while trying to escalate local privileges on an end-user laptop, according to a blog post.
"A flaw in WebEx's WebexUpdateService allows anyone with a login to the Windows system where WebEx is installed to run system-level code remotely. That's right: this client-side application that doesn't listen on any ports is actually vulnerable to remote code execution! A local or domain account will work, making this a powerful way to pivot through networks until it's patched," Bowes and McJunkin wrote. "Eventually, we realized that this vulnerability is also exploitable remotely (given any domain user account) and decided to give it a name: WebExec. Because every good vulnerability has a name!"
The researchers said WebExec is a result of poor access control lists (ACLs) in the WebExService Windows service that is installed alongside Webex. WebExService can execute code with system-level privilege. But because of the poor ACLs, "any local or domain user can start the process over Windows' remote service interface (except on Windows 10, which requires an administrator login)," the researchers wrote.
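The ACL weakness described above can be audited locally from a service's security descriptor in SDDL form, as printed by `sc sdshow <service>`. The Python sketch below is an added example, not code from the researchers or Cisco; both SDDL strings are constructed samples rather than the real WebExService descriptor, and the list of broad principals is an assumption. Because the patched service can still be started, a finding reflects who holds the start right, not the patch level.

```python
import re

# SDDL rights tokens that allow starting a service:
# RP = SERVICE_START, GX = GENERIC_EXECUTE, GA = GENERIC_ALL.
START_TOKENS = {"RP", "GX", "GA"}
# The same rights as access-mask bits, for ACEs written in hex.
START_BITS = 0x0010 | 0x20000000 | 0x10000000
# Broad principals worth flagging (assumed list; extend for your domain).
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "IU": "Interactive", "NU": "Network", "BU": "Builtin Users",
    "DU": "Domain Users", "AN": "Anonymous", "BG": "Builtin Guests",
}

# Constructed samples in the style of `sc sdshow` output.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
TIGHT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

def grants_start(rights):
    """True if an ACE rights field (token string or hex mask) includes start."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & START_BITS)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & START_TOKENS)

def broad_start_aces(sddl):
    """Return [(principal, rights)] for DACL allow ACEs granting start to broad groups.

    Only the DACL (D:) is read; audit ACEs in the SACL (S:) are skipped.
    Deny ACEs are not evaluated, so a result is a lead to review, not a verdict.
    """
    dacl = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6 or fields[0] != "A":
            continue
        rights, sid = fields[2], fields[5]
        if sid in BROAD and grants_start(rights):
            findings.append((BROAD[sid], rights))
    return findings

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK_SDDL), ("tight", TIGHT_SDDL)):
        print(name, broad_start_aces(sddl))
```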
Bowes and McJunkin developed Metasploit modules for testing purposes and Nmap scripts that can be used to detect the WebExec vulnerability. But they noted "this is one of those rare (or maybe not so rare?) instances where exploiting the vulnerability is actually easier than checking for it!"
"The patched version of WebEx still allows remote users to connect to the process and start it," the researchers wrote. "However, if the process detects that it's being asked to run an executable that is not signed by WebEx, the execution will halt. Unfortunately, that gives us no information about whether a host is vulnerable!"
Timothy Keeler, CEO and founder of Remediant, based in San Francisco, said the WebExec flaw "is dangerous, but not at the level of traditional remote code execution flaws."
"In order to successfully exploit this flaw, the attacker needs network access to the organization, credentials for an existing domain or local account, the Windows environment configured to allow remote service control management using the compromised account and a vulnerable version of Webex service," Keeler wrote via email.
"It is clever the researcher leveraged remote service management, but it does require a fair amount of access and privilege in order to carry it out," Keeler continued. "I doubt we'll see many uses of the exploits in the wild. I would highly recommend that organizations ensure the patch is deployed in their organization."
Lane Thames, senior security researcher at Tripwire, based in Portland, Ore., said WebExec wasn't "earth-shattering." But he still suggested organizations patch quickly, because "this vulnerability will be leveraged by malicious insiders and targeted attacks."
"The vulnerability requires a malicious actor to already have an account on the machine or on the domain. If an attacker has this foothold already within an organization's network, this vulnerability could be used to gain or escalate privileges on very sensitive machines, such as those used by senior executives and others," Thames wrote via email. "Attackers focused on intellectual property theft and corporate espionage will find this vulnerability very useful, especially considering how common Webex is within enterprise organizations."
Bowes and McJunkin said Cisco released a patch against WebExec on Oct. 3, but there is good and bad news with that patch.
"The good news is, the patched version of this service will only run files that are signed by WebEx," the researchers wrote. "The bad news is, there are a lot of those out there (including the vulnerable version of the service!), and the service can still be started remotely."