var-201102-0052
Vulnerability from variot
Multiple stack-based buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to use of a function pointer in a callback mechanism. Cisco WebEx is a web conferencing solution. Cisco WebEx provides record format files for storing WebEx meeting notes, and WRF Player is an application for playing back and editing WRF files (files end with a .wrf extension). This vulnerability can be triggered by publishing a .wrf video file in a conference room:

.text:6070C272 loc_6070C272:                            ; CODE XREF: sub_6070C050+255j
.text:6070C272     test    esi, esi
.text:6070C274     jnz     short loc_6070C28F
.text:6070C276     push    ebx
.text:6070C277     call    dword ptr [ebp+0Ch]           ; call to function pointer on the stack
.text:6070C27A     add     esp, 4
.text:6070C27D     test    al, al
.text:6070C27F     jz      loc_6070C374
.text:6070C285     mov     edi, [ebp+0]
.text:6070C288     mov     esi, [ebp+4]
.text:6070C28B     mov     eax, [esp+0D98h+var_D80]
.text:6070C28F
.text:6070C28F loc_6070C28F:                            ; CODE XREF: sub_6070C050+224j
.text:6070C28F     mov     cl, [edi]                     ; cl can be controlled, it is read from the malicious .wrf file
.text:6070C291     dec     esi
.text:6070C292     mov     [esp+eax+0D98h+var_C8C], cl   ; this mov overflows the stack with user controlled values
.text:6070C299     mov     ecx, [esp+0D98h+var_D84]
.text:6070C29D     inc     edi
.text:6070C29E     inc     eax
.text:6070C29F     cmp     eax, ecx
.text:6070C2A1     mov     [esp+0D98h+var_D80], eax
.text:6070C2A5     jl      short loc_6070C272

Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. An attacker can exploit these issues to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition.
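The copy loop in the listing above, modelled in C beside a bounds-checked variant; this is an added example, not code from the advisory or from WebEx. The struct fields, the 64-byte buffer, the 16-byte chunks and the length-prefixed record layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RECORD_BUF 64  /* constructed size of the fixed stack buffer */
#define CHUNK      16  /* constructed size of each chunk the callback exposes */

/* Hypothetical reader state. The first three fields mirror the [ebp+0],
 * [ebp+4] and [ebp+0Ch] accesses; the rest backs the in-memory input. */
struct reader {
    const uint8_t *cur;              /* next unread byte     ([ebp+0])   */
    size_t remaining;                /* bytes left in chunk  ([ebp+4])   */
    int (*refill)(struct reader *);  /* fetch next chunk     ([ebp+0Ch]) */
    const uint8_t *data;             /* whole constructed input */
    size_t size, off;
};

/* Refill callback: expose the next chunk, return 0 at end of data. */
static int mem_refill(struct reader *r)
{
    size_t n = r->size - r->off;
    if (n == 0) return 0;
    if (n > CHUNK) n = CHUNK;
    r->cur = r->data + r->off;
    r->remaining = n;
    r->off += n;
    return 1;
}

static void reader_init(struct reader *r, const uint8_t *data, size_t size)
{
    r->cur = data; r->remaining = 0; r->refill = mem_refill;
    r->data = data; r->size = size; r->off = 0;
}

/* Shape of the flawed loop: the only bound is `count`, so a count larger
 * than the destination writes past its end. */
static int copy_unchecked(struct reader *r, uint8_t *dst, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (r->remaining == 0 && !r->refill(r)) return -1;
        dst[i] = *r->cur++;
        r->remaining--;
    }
    return 0;
}

/* Hardened loop: reject the count before the first byte is written, and
 * treat a refill that yields no data as truncated input. */
static int copy_checked(struct reader *r, uint8_t *dst, size_t cap, size_t count)
{
    if (count > cap) return -2;          /* declared length too large */
    for (size_t i = 0; i < count; i++) {
        if (r->remaining == 0 && (!r->refill(r) || r->remaining == 0))
            return -1;                   /* input ended early */
        dst[i] = *r->cur++;
        r->remaining--;
    }
    return 0;
}

/* Constructed record layout (not the WRF format): u16 little-endian length,
 * then that many payload bytes. Returns the payload byte sum, -1 on
 * truncated input, -2 when the declared length exceeds the buffer. */
int load_record(const uint8_t *file, size_t size, int checked)
{
    struct reader r;
    uint8_t hdr[2], buf[RECORD_BUF];
    int rc, sum = 0;
    reader_init(&r, file, size);
    if (copy_checked(&r, hdr, sizeof hdr, sizeof hdr) != 0) return -1;
    size_t len = (size_t)hdr[0] | ((size_t)hdr[1] << 8);
    rc = checked ? copy_checked(&r, buf, sizeof buf, len)
                 : copy_unchecked(&r, buf, len); /* overflows buf if len > RECORD_BUF */
    if (rc != 0) return rc;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    return sum;
}

/* Constructed input: header declares `declared`, then `actual` bytes of value 1. */
size_t make_record(uint8_t *out, unsigned declared, size_t actual)
{
    out[0] = (uint8_t)(declared & 0xff); out[1] = (uint8_t)(declared >> 8);
    for (size_t i = 0; i < actual; i++) out[2 + i] = 1;
    return actual + 2;
}

int main(void)
{
    uint8_t file[2 + 512];
    size_t n = make_record(file, 40, 40);
    printf("in bounds: unchecked=%d checked=%d\n",
           load_record(file, n, 0), load_record(file, n, 1));
    n = make_record(file, 512, 512);     /* declared length exceeds RECORD_BUF */
    printf("oversized: checked=%d\n", load_record(file, n, 1));
    n = make_record(file, 40, 10);       /* header claims more than is present */
    printf("truncated: checked=%d\n", load_record(file, n, 1));
    return 0;
}
```

The unchecked path is only exercised with an in-bounds length here; calling it with a declared length above RECORD_BUF is undefined behaviour, which is the defect the checked path rejects.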
The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com
Cisco has released free software updates that address these vulnerabilities.
Affected Products
Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3. Customers who have contractual agreements that prevent WebEx from automatically upgrading a recording player to the latest version should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details.
Details
The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page.
These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:
- CVE-2010-3269
- CVE-2010-3041
- CVE-2010-3042
- CVE-2010-3043
- CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
- Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 7.7
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed
Impact
Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application.
Software Versions and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html
Workarounds
There are no workarounds for the vulnerabilities disclosed in this advisory.
Obtaining Fixed Software
Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Cisco would like to thank these organizations for reporting these vulnerabilities.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
- cust-security-announce@cisco.com
- first-bulletins@lists.first.org
- bugtraq@securityfocus.com
- vulnwatch@vulnwatch.org
- cisco@spot.colorado.edu
- cisco-nsp@puck.nether.net
- full-disclosure@lists.grok.org.uk
- comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
+--------------+-------------+-------------------------+
| Revision 1.0 | 2011-Feb-01 | Initial public release. |
+--------------+-------------+-------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices.
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Cisco WebEx .atp and .wrf Overflow Vulnerabilities
- Advisory Information
Title: Cisco WebEx .atp and .wrf Overflow Vulnerabilities
Advisory ID: CORE-2010-1001
Advisory URL: [http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities]
Date published: 2011-01-31
Date of last update: 2011-01-31
Vendors contacted: Cisco
Release mode: Coordinated release
- Vulnerability Information
Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3269, CVE-2010-3270
Bugtraq ID: N/A
- Vulnerability Description
There are stack overflows on WebEx [1] that can be exploited by sending maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When opened, these files trigger a reliably exploitable stack based buffer overflow. In the .atp case an exception handler can be overwritten on the stack, and most registers can be trivially overwritten.
- Vulnerable packages
. Contact Cisco for a list of vulnerable versions.
- Non-vulnerable packages
. Contact Cisco.
- Vendor Information, Solutions and Workarounds
All clients of WebEx Meeting Center should now be running a patched version according to Cisco. A non-vulnerable version of WebEx Player should be available at [http://www.webex.com/downloadplayer.html].
- Credits
These vulnerabilities were discovered and researched by Federico Muttis, Sebastian Tello and Manuel Muradas from Core Security Technologies during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The publication of this advisory was coordinated by Pedro Varangot.
- Technical Description
8.1. WebEx Player .wrf Buffer Overflow [CVE-2010-3269]
WebEx Player can be used to playback recordings of WebEx sessions. These recordings can be stored using the .wrf closed and undocumented file format. This vulnerability can also be exploited by publishing a .wrf video file in a meeting, resulting in the compromise of the meeting's participants.

WebEx Meeting Center .atp Buffer Overflow [CVE-2010-3270]
WebEx Meeting Center allows polls to be conducted between all participants of a WebEx session. By serving a specially crafted .atp file (used for conducting polls) the meeting host can then abruptly disconnect from the server, and when another client becomes host and tries to share the .atp file with the other clients arbitrary code execution is possible on his workstation. If his connection to the server is then severed by a malicious payload, the .atp file will be cycled to the next connected client. We developed trivial examples that take control of EIP using arbitrary characters.
- Report Timeline
. 2010-10-04: Core Security Technologies contacts Cisco PSIRT using their provided PGP key notifying them of the vulnerabilities and sending an advisory draft, a proof of concept for the WebEx Player vulnerability, and a proof of concept for the Meeting Center vulnerability including details of how to reproduce both vulnerabilities, and details about the behaviour of the PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP with 0x41414141 on that platform). October 18th 2010 (a two weeks timeframe) is set as a potential release date for the advisory.
. 2010-10-05: Cisco PSIRT contacts Core stating that their development team is out of the office till Friday October 8th. November 15th 2010 is mentioned as an estimated release date for a fix.
. 2010-10-05: Core replies to Cisco PSIRT postponing the release date of this advisory for one week, to Monday October 25th, in order to contemplate the fact that Cisco's development team is away from office for the week. Further changes to the release date will be made after receiving technical feedback. November the 15th is mentioned to be a possible date to settle on.
. 2010-10-11: Cisco PSIRT replies acknowledging "an exception in WebEx player" but that doesn't overwrite EIP as Core Security Technologies indicated. Cisco notifies that they were not able to reproduce the crash in WebEx Meeting Center. Cisco PSIRT also asks for more detailed information about the version of WebEx Player used.
. 2010-10-12: Core sends the requested information, also attaching new proof of concept exploits for the WebEx Player vulnerability (that now executes code and launches "calc.exe"), and further details about the steps needed to reproduce the WebEx Meeting Center crash. Details about the system where the proof of concept for the WebEx Player vulnerability was run are asked. Details about the "exception" are also asked, especially noting that if other registers are overwritten this should be considered as a vulnerability that would possibly lead to reliable code execution even if EIP was not modified (as noted by Core on the e-mail where the PoC was attached). No reply is received to this e-mail.
. 2010-10-19: Core resends the previous e-mail asking for news about reproduction of the vulnerability on Cisco's side and asking if there was any problem in the reception or interpretation of the last communication. No reply is received to this e-mail.
. 2010-10-28: Core Security Technologies resends the last e-mail, unilaterally rescheduling the publication of this advisory to November 8th 2010, which is closer to Cisco's initial estimation for the release of a fix. Core states its willingness to reschedule this publication date but only under firm commitment from Cisco to working seriously towards fixing this issue in a scheduled timeframe. An updated advisory draft is attached which includes an updated timeline.
. 2010-10-30: Cisco PSIRT replies acknowledging the vulnerability, stating that they were able to reproduce code execution results in the currently released version of WebEx, and a crash in their current development version. Cisco also states that there is no information yet from their development team about when a fix for this vulnerability will be released.
. 2010-11-09: Core replies offering more technical details about exploitation if they are needed, and reminding Cisco that the crash in their development version may also be exploitable even if the current proof of concept exploit only crashes it. The publication date for this advisory is rescheduled to November 22nd 2010. Core states that they would like to schedule a firm date for the release of information about this vulnerability to the public and hence would like to get more information from Cisco about the schedule for the release of a fix.
. 2010-11-15: Cisco states that fixed code will be deployed in mid-December, but since WebEx Meeting Center runs on a SaaS environment it takes about four or five weeks for all clients to be running the latest version of the code.
. 2010-12-06: Cisco contacts Core since no reply was received in the past two weeks, and clarifies that a fix will be deployed on December 15th and should be done on January 11th 2011.
. 2010-12-06: Core states that they believe this advisory should be released as soon as the fix is deployed, since diffing the WebEx binary on the client side gives full details about the WebEx Meeting Center vulnerability to an average skilled reverse engineer. Core schedules the publication of this advisory to December 15th 2010.
. 2010-12-07: Cisco contacts Core stating that releasing details about this vulnerability would endanger customers, since there is no action they can take to protect themselves because the responsibility of upgrading the code run by the customer falls on Cisco. Cisco mentions that "many of these customers are probably shared between Cisco and Core Security".
. 2010-12-10: Cisco contacts Core stating that they have just discovered the WebEx Meeting Center Vulnerability affects a new set of customers that were not accounted for originally. These are customers running T27SP21 that cannot be upgraded to SP22. An emergency patch will be released for SP21 in January 2011, and this sets back the date when all clients should be running an updated version to the "end of January, beginning of February."
. 2010-12-14: Core proposes to split this advisory into two different advisories to better accommodate the WebEx Meeting Center SaaS release cycle. On one advisory, the .wrf client side vulnerability would be described, and the other would be dedicated to the WebEx Meeting Center vulnerability that may compromise a meeting's host computer. Core believes this mitigates the risk in a more effective way, since clients can update WebEx Player by themselves on December 15th (the date when Cisco stated the fixed version would be released) and no details of the Meeting Center vulnerability would be released until all clients are running an updated version.
. 2010-12-15: Cisco states they wouldn't like the advisory to be split, and that they prefer Core Security Technologies to go ahead and release information about both vulnerabilities.
. 2010-12-15: Core states that they prefer to release two advisories because these are two different bugs, in two pieces of software, each one of them with a differently working update channel determined by the vendor. Core also informs Cisco that the download link for WebEx Player points to a vulnerable version as of today, and asks Cisco to clarify what date they meant as mid-December, since Core would like to know when a fixed version of WebEx Player will be available for download to be able to publish the WebEx Player vulnerability.
. 2010-12-16: Cisco replies saying that releasing two advisories seems like a good plan to them. Cisco also states that since many of their customers observe a lockdown policy during the holidays season, they take a "don't upgrade" policy of their own until Monday January 10th, 2011. That is the reason why the download link of WebEx Player has not been changed yet.
. 2011-01-10: Core states that they are ready to release this advisory on January 11th, and that releasing two separate advisories seems pointless now because the release date of both would be very similar, and the original idea was to mitigate the risk posed by the .wrf vulnerability. Core also states that they are reviewing the best course of action to take with the issue regarding clients running the old version of WebEx (T27SP21) that according to Cisco are unable to upgrade to SP22 since this was not accounted for previously.
. 2011-01-13: Core states that since they have committed previously to release the advisory taking into account Cisco's consideration about their SaaS patch deploy model, when factoring the issue of clients running the SP21 version of Meeting Center scheduled by Cisco for emergency update on January, a release date of January the 31st seems reasonable. This date should be taken as final and Core Security Technologies believes it takes into account all information given by Cisco about SaaS updating timeframes. If this is not the case Cisco is asked to rectify ASAP.
. 2011-01-14: Cisco confirms that the timeframe (publishing both vulnerabilities on January 31st) works for them.
. 2011-01-31: The advisory CORE-2010-1001 is published.
- References
[1] [http://www.webex.com/]
[2] [http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek]
- About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: [http://corelabs.coresecurity.com].
- About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at [http://www.coresecurity.com].
- Disclaimer
The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at [http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
"sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Multiple stack-based buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to use of a function pointer in a callback mechanism. Cisco WebEx is a web conferencing solution. Cisco WebEx provides record format files for storing WebEx meeting notes, and WRF Player is an application for playing back and editing WRF files (files end with a .wrf extension). This vulnerability can be triggered by publishing a .wrf video file in a conference room:\n\n.text:6070C272 loc_6070C272: ; CODE XREF: sub_6070C050+255j\n.text:6070C272 test esi, esi\n.text:6070C274 jnz short loc_6070C28F\n.text:6070C276 push ebx\n.text:6070C277 call dword ptr [ebp+0Ch] ; call to function pointer on the stack\n.text:6070C27A add esp, 4\n.text:6070C27D test al, al\n.text:6070C27F jz loc_6070C374\n.text:6070C285 mov edi, [ebp+0]\n.text:6070C288 mov esi, [ebp+4]\n.text:6070C28B mov eax, [esp+0D98h+var_D80]\n.text:6070C28F\n.text:6070C28F loc_6070C28F: ; CODE XREF: sub_6070C050+224j\n.text:6070C28F mov cl, [edi] ; cl can be controlled, it is read from the malicious .wrf file\n.text:6070C291 dec esi\n.text:6070C292 mov [esp+eax+0D98h+var_C8C], cl ; this mov overflows the stack with user controlled values\n.text:6070C299 mov ecx, [esp+0D98h+var_D84]\n.text:6070C29D inc edi\n.text:6070C29E inc eax\n.text:6070C29F cmp eax, ecx\n.text:6070C2A1 mov [esp+0D98h+var_D80], eax\n.text:6070C2A5 jl short loc_6070C272\n\nCisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. \nAn attacker can exploit these issues to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition. 
\n\nThe Cisco WebEx Players are applications that are used to play back\nWebEx meeting recordings that have been recorded on the computer of\nan on-line meeting attendee. The players can be automatically\ninstalled when the user accesses a recording file that is hosted on a\nWebEx server. The player can also be manually installed for offline\nplayback after downloading the application from www.webex.com\n\nIf the WebEx recording player was automatically installed, it will be\nautomatically upgraded to the latest, non-vulnerable version when\nusers access a recording file that is hosted on a WebEx server. If\nthe WebEx recording player was manually installed, users will need to\nmanually install a new version of the player after downloading the\nlatest version from www.webex.com \n\nCisco has released free software updates that address these\nvulnerabilities. \n\nAffected Products\n=================\n\nVulnerable Products\n+------------------\n\nThe vulnerabilities disclosed in this advisory affect the Cisco WebEx\nrecording players. Microsoft Windows, Apple Mac OS X, and Linux\nversions of the player are all affected. Affected versions of the\nplayers are those prior to client builds T27LC SP22 and T27LB SP21\nEP3. Customers who have contractual agreements that prevent WebEx\nfrom automatically upgrading a recording player to the latest version\nshould contact their account manager to determine upgrade options. \n\nTo determine whether a Cisco WebEx server is running an affected\nversion of the WebEx client build, users can log in to their Cisco\nWebEx server and go to the Support \u003e Downloads section. The version\nof the WebEx client build will be displayed on the right side of the\npage under \"About Support Center.\" See \"Software Versions and Fixes\"\nfor details. \n\nDetails\n=======\n\nThe WebEx meeting service is a hosted multimedia conferencing\nsolution that is managed and maintained by Cisco WebEx. 
The WRF and\nARF file formats are used to store WebEx meeting recordings that have\nbeen recorded on the computer of an on-line meeting attendee. The recording\nplayers can be automatically installed when the user accesses a\nrecording file that is hosted on a WebEx server (for stream playback\nmode). The recording players can also be manually installed after\ndownloading the application from www.webex.com/downloadplayer.html\nto play back recording files locally (for offline\nplayback mode). \n\nMultiple buffer overflow vulnerabilities exist in the WRF and ARF\nplayers. The vulnerabilities may lead to a crash of the player\napplication or, in some cases, remote code execution could occur. \n\nTo exploit one of these vulnerabilities, the player application would\nneed to open a malicious WRF or ARF file. An attacker may be able to\naccomplish this exploit by providing the malicious recording file\ndirectly to users (for example, by using e-mail) or by directing a\nuser to a malicious web page. \n\nThese vulnerabilities have been assigned the following Common\nVulnerabilities and Exposures (CVE) identifiers:\n\n * CVE-2010-3269\n * CVE-2010-3041\n * CVE-2010-3042\n * CVE-2010-3043\n * CVE-2010-3044\n\nVulnerability Scoring Details\n\nCisco has provided scores for the vulnerabilities in this advisory\nbased on the Common Vulnerability Scoring System (CVSS). The CVSS\nscoring in this Security Advisory is done in accordance with CVSS\nversion 2.0. \n\nCVSS is a standards-based scoring method that conveys vulnerability\nseverity and helps determine urgency and priority of response. \n\nCisco has provided a base and temporal score. Customers can then\ncompute environmental scores to assist in determining the impact of\nthe vulnerability in individual networks. 
\n\nCisco has provided an FAQ to answer additional questions regarding\nCVSS at:\n\nhttp://www.cisco.com/web/about/security/intelligence/cvss-qandas.html\n\n\nCisco has also provided a CVSS calculator to help compute the\nenvironmental impact for individual networks at:\n\nhttp://intellishield.cisco.com/security/alertmanager/cvss \n\n* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities\n\nCVSS Base Score - 9.3\n Access Vector - Network\n Access Complexity - Medium\n Authentication - None\n Confidentiality Impact - Complete\n Integrity Impact - Complete\n Availability Impact - Complete\n\nCVSS Temporal Score - 7.7\n Exploitability - Functional\n Remediation Level - Official-Fix\n Report Confidence - Confirmed\n\n\nImpact\n======\n\nSuccessful exploitation of the vulnerabilities described in this\ndocument could result in a crash of the Cisco WebEx ARF Player or WRF\nPlayer application and, in some cases, allow a remote attacker to\nexecute arbitrary code on the system with the privileges of the user\nwho is running the recording player application. \n\nSoftware Versions and Fixes\n===========================\n\nWhen considering software upgrades, also consult http://www.cisco.com/go/psirt\nand any subsequent advisories to determine exposure and a\ncomplete upgrade solution. \n\nThese vulnerabilities are first fixed in T27LC SP22 and T27LB SP21\nEP3. \nThe client build will be determined after the software is deployed. \n\nThe client build is listed in the Support \u003e Downloads section of the\nWebEx page after a user authenticates. WebEx bug fixes are cumulative\nin a major release. For example, if release 27.22SP.0 is fixed,\nrelease 27.22SP.1 will also have the software fix. \n\nIf a recording player was automatically installed, it will be\nautomatically upgraded to the latest, nonvulnerable version when\nusers access a recording file that is hosted on a WebEx server. 
\n\nIf a WebEx recording player was manually installed, users will need\nto manually install a new version of the player after downloading the\nlatest version from www.webex.com/downloadplayer.html\n\nWorkarounds\n===========\n\nThere are no workarounds for the vulnerabilities disclosed in this\nadvisory. \n\nObtaining Fixed Software\n========================\n\nCisco has released free software updates that address these\nvulnerabilities. Prior to deploying software, customers should\nconsult their maintenance provider or check the software for feature\nset compatibility and known issues specific to their environment. \n\nCustomers may only install and expect support for the feature sets\nthey have purchased. By installing, downloading, accessing or\notherwise using such software upgrades, customers agree to be bound\nby the terms of Cisco\u0027s software license terms found at \nhttp://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,\nor as otherwise set forth at Cisco.com Downloads at\nhttp://www.cisco.com/public/sw-center/sw-usingswc.shtml \n\nDo not contact psirt@cisco.com or security-alert@cisco.com for\nsoftware upgrades. \n\nExploitation and Public Announcements\n=====================================\n\nThe Cisco PSIRT is not aware of any public announcements or malicious\nuse of the vulnerability described in this advisory. \n\nCisco would like to thank these organizations for reporting these\nvulnerabilities. \n\nStatus of this Notice: FINAL\n============================\n\nTHIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY\nKIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\nDOCUMENT AT ANY TIME. 
\n\nA stand-alone copy or Paraphrase of the text of this document that\nomits the distribution URL in the following section is an\nuncontrolled copy, and may lack important information or contain\nfactual errors. \n\nDistribution\n============\n\nThis advisory is posted on Cisco\u0027s worldwide website at :\n\nhttp://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml\n\nIn addition to worldwide web posting, a text version of this notice\nis clear-signed with the Cisco PSIRT PGP key and is posted to the\nfollowing e-mail and Usenet news recipients. \n\n * cust-security-announce@cisco.com\n * first-bulletins@lists.first.org\n * bugtraq@securityfocus.com\n * vulnwatch@vulnwatch.org\n * cisco@spot.colorado.edu\n * cisco-nsp@puck.nether.net\n * full-disclosure@lists.grok.org.uk\n * comp.dcom.sys.cisco@newsgate.cisco.com\n\nFuture updates of this advisory, if any, will be placed on Cisco\u0027s\nworldwide website, but may or may not be actively announced on\nmailing lists or newsgroups. Users concerned about this problem are\nencouraged to check the above URL for any updates. \n\nRevision History\n================\n\n+---------------------------------------+\n| Revision | | Initial |\n| 1.0 | 2011-Feb-01 | public |\n| | | release. |\n+---------------------------------------+\n\nCisco Security Procedures\n=========================\n\nComplete information on reporting security vulnerabilities in Cisco\nproducts, obtaining assistance with security incidents, and\nregistering to receive security information from Cisco, is available\non Cisco\u0027s worldwide website at \nhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. \nThis includes instructions for press inquiries regarding Cisco security notices. \n\n+--------------------------------------------------------------------\nCopyright 2010-2011 Cisco Systems, Inc. All rights reserved. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - Corelabs Advisory\n http://corelabs.coresecurity.com/\n\n Cisco WebEx .atp and .wrf Overflow Vulnerabilities\n\n\n\n1. *Advisory Information*\n\nTitle: Cisco WebEx .atp and .wrf Overflow Vulnerabilities\nAdvisory ID: CORE-2010-1001\nAdvisory URL:\n[http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities]\nDate published: 2011-01-31\nDate of last update: 2011-01-31\nVendors contacted: Cisco\nRelease mode: Coordinated release\n\n\n\n2. *Vulnerability Information*\n\nClass: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer\nOverflow [CWE-121]\nImpact: Code execution\nRemotely Exploitable: Yes (client-side)\nLocally Exploitable: No\nCVE Name: CVE-2010-3269, CVE-2010-3270\nBugtraq ID: N/A\n\n\n\n3. *Vulnerability Description*\n\nThere are stack overflows on WebEx [1] that can be exploited by sending\nmaliciously crafted .atp and .wrf files to a vulnerable WebEx user. When\nopened, these files trigger a reliably exploitable stack based buffer\noverflow. In the .atp case an exception\nhandler can be overwritten on the stack, and most registers can be\ntrivially overwritten. \n\n\n4. *Vulnerable packages*\n\n . Contact Cisco for a list of vulnerable versions. \n\n\n5. *Non-vulnerable packages*\n\n . Contact Cisco. \n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nAll clients of WebEx Meeting Center should now be running a patched\nversion according to Cisco. A non-vulnerable version of WebEx Player\nshould be available at [http://www.webex.com/downloadplayer.html]. \n\n\n7. *Credits*\n\nThese vulnerabilities were discovered and researched by Federico Muttis,\nSebastian Tello and Manuel Muradas from Core Security Technologies\nduring Bugweek 2010 as part of the \"Cisco Baby Cisco!\" team [2]. The\npublication of this advisory was coordinated by Pedro Varangot. \n\n\n8. *Technical Description*\n\n\n8.1. 
*WebEx Player .wrf Buffer Overflow [CVE-2010-3269]*\n\nWebEx Player can be used to playback recordings of WebEx sessions. These\nrecordings can be stored using the .wrf closed and undocumented file\nformat. This vulnerability can also be exploited by publishing a .wrf\nvideo file in a meeting, resulting in the compromise of the meeting\u0027s\nparticipants. *WebEx Meeting Center .atp Buffer Overflow [CVE-2010-3270]*\n\nWebEx Meeting Center allows polls to be conducted between all\nparticipants of a WebEx session. By serving a specially crafted .atp\nfile (used for conducting polls) the meeting host can then abruptly\ndisconnect from the server, and when another client becomes host and\ntries to share the .atp file with the other clients arbitrary code\nexecution is possible on his workstation. If his connection to the\nserver is then severed by a malicious payload, the .atp file will be\ncycled to the next connected client. We\ndeveloped trivial examples that take control of EIP using arbitrary\ncharacters. \n\n\n9. *Report Timeline*\n\n. 2010-10-04:\nCore Security Technologies contacts Cisco PSIRT using their provided PGP\nkey notifying them of the vulnerabilities and sending an advisory draft,\na proof of concept for the WebEx Player vulnerability, and a proof of\nconcept for the Meeting Center vulnerability including details of how to\nreproduce both vulnerabilities, and details about the behaviour of the\nPoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP\nwith 0x41414141 on that platform). October 18th 2010 (a two weeks\ntimeframe) is set as a potential release date for the advisory. 2010-10-05:\nCisco PSIRT contacts Core stating that their development team is out of\nthe office till Friday October 8th. November 15th 2010 is mentioned as\nan estimated release date for a fix. 
2010-10-05:\nCore replies to Cisco PSIRT postponing the release date of this advisory\nfor one week, to Monday October 25th, in order to contemplate the fact\nthat Cisco\u0027s development team is away from office for the week. Further\nchanges to the release date will be made after receiving technical\nfeedback. November the 15th is mentioned to be a possible date to settle\non. 2010-10-11:\nCisco PSIRT replies acknowledging \"an exception in WebEx player\" but\nthat doesn\u0027t overwrite EIP as Core Security Technologies indicated. \nCisco notifies that they were not able to reproduce the crash in WebEx\nMeeting Center. Cisco PSIRT also asks for more detailed information\nabout the version of WebEx Player used. 2010-10-12:\nCore sends the requested information, also attaching new proof of\nconcept exploits for the WebEx Player vulnerability (that now executes\ncode and launches \"calc.exe\"), and further details about the steps\nneeded to reproduce the WebEx Meeting Center crash. Details about the\nsystem where the proof of concept for the WebEx Player vulnerability was\nrun are asked. Details about the \"exception\" are also asked, specially\nnoting that if other registers are overwritten this should be considered\nas a vulnerability that would possibly lead to reliable code execution\neven if EIP was not modified (as noted by Core on the e-mail where the\nPoC was attached). No reply is received to this e-mail. 2010-10-19:\nCore resends the previous e-mail asking for news about reproduction of\nthe vulnerability on Cisco\u0027s side and asking if there was any problem in\nthe reception or interpretation of the last communication. No reply is\nreceived to this e-mail. 2010-10-28:\nCore Security Technologies resends the last e-mail, unilaterally\nrescheduling the publication of this advisory to November 8th 2010,\nwhich is closer to Cisco\u0027s initial estimation for the release of a fix. 
\nCore states its willingness to reschedule this publication date but only\nunder firm commitment from Cisco to working seriously towards fixing\nthis issue in a scheduled timeframe. An updated advisory draft is\nattached which includes an updated timeline. 2010-10-30:\nCisco PSIRT replies acknowledging the vulnerability, stating that they\nwere able to reproduce code execution results in the currently released\nversion of WebEx, and a crash in their current development version. \nCisco also states that there is not information yet from their\ndevelopment team about when a fix for this vulnerability will be released. 2010-11-09:\nCore replies offering more technical details about exploitation if they\nare needed, and reminding Cisco that the crash in their development\nversion may also be exploitable even if the current proof of concept\nexploit only crashes it. The publication date for this advisory is\nrescheduled to November 22nd 2010. Core states that they will like to\nschedule a firm date for the release of information about this\nvulnerability to the public and hence would like to get more information\nfrom Cisco about the schedule for the release of a fix. 2010-11-15:\nCisco states that fixed code will be deployed in mid-December, but since\nWebEx Meeting Center runs on a SaaS environment it takes about four or\nfive weeks for all clients to be running the latest version of the code. 2010-12-06:\nCisco contacts Core since no reply was received in the past two weeks,\nand clarifies that a fix will be deployed on December 15th and should be\ndone on January 11th 2011. 2010-12-06:\nCore states that they believe this advisory should be released as soon\nas the fix is deployed, since diffing the WebEx binary on the client\nside gives full details about the WebEx Meeting Center vulnerability to\nan average skilled reverse engineer. Core schedules the publication of\nthis advisory to December 15th 2010. 
2010-12-07:\nCisco contacts Core stating that releasing details about this\nvulnerability would endanger customers, since there is no action they\ncan take to protect themselves because the responsibility of upgrading\nthe code ran by the customer falls on Cisco. Cisco mentions that \"many\nof these customers are probably shared between Cisco and Core Security\". 2010-12-10:\nCisco contacts Core stating that they have just discovered the WebEx\nMeeting Center Vulnerability affects a new set of customers that where\nnot accounted for originally. These are customers running T27SP21 that\ncan not be upgraded to SP22. An emergency patch will be released for\nSP21 in January 2011, and this sets back the date when all clients\nshould be running an updated version to the \"end of January, beginning\nof February.\"\n\n. 2010-12-14:\nCore proposes to split this advisory into two different advisories to\nbetter accommodate the WebEx Meeting Center SaaS release cycle. On one\nadvisory, the .wrf client side vulnerability would be described, and the\nother would be dedicated to the WebEx Meeting Center vulnerability that\nmay compromise a meeting\u0027s host computer. Core believes this mitigates\nthe risk in a more effective way, since clients can update WebEx Player\nby themselves on December 15th (the date when Cisco stated the fixed\nversion would be released) and no details of the Meeting Center\nvulnerability would be released until all clients are running an updated\nversion. 2010-12-15:\nCisco states they wouldn\u0027t like the advisory to be splitted, and that\nthey prefer Core Security Technologies to go ahead and release\ninformation about both vulnerabilities. 2010-12-15:\nCore states that they prefer to release two advisories because these are\ntwo different bugs, in two pieces of software, each one of them with a\ndifferently working update channel determined by the vendor. 
Core also\ninforms Cisco that the download link for WebEx Player points to a\nvulnerable version as of today, and asks Cisco to clarify what date they\nmeant as mid-December, since Core would like to know when a fixed\nversion of WebEx Player will be available for download to be able to\npublish the WebEx Player vulnerability. 2010-12-16:\nCisco replies saying that releasing two advisories seems like a good\nplan to them. Cisco also states that since many of their customers\nobserve a lockdown policy during the holidays season, they take a \"don\u0027t\nupgrade\" policy of their own until Monday January 10th, 2011. That is\nthe reason why the download link of WebEx Player has not been changed yet. 2011-01-10:\nCore states that they are ready to release this advisory on January\n11th, and that releasing two separate advisories seems pointless now\nbecause the release date of both would be very similar, and the original\nidea was to mitigate the risk posed by the .wrf vulnerability. Core also\nstates that they are reviewing the best course of action to take with\nthe issue regarding clients running the old version of WebEx (T27SP21)\nthat according to Cisco are unable to upgrade to SP22 since this was not\naccounted for previously. 2011-01-13:\nCore states that since they have committed previously to release the\nadvisory taking into account Cisco\u0027s consideration about their SaaS\npatch deploy model, when factoring the issue of clients running the SP21\nversion of Meeting Center scheduled by Cisco for emergency update on\nJanuary, a release date of January the 31st seems reasonable. This date\nshould be taken as final and Core Security Technologies believes it\ntakes into account all information given by Cisco about SaaS updating\ntimeframes. If this is not the case Cisco is asked to rectify ASAP. 2011-01-14:\nCisco confirms that the timeframe (publishing both vulnerabilities on\nJanuary 31st) works for them. 
2011-01-31:\nThe advisory CORE-2010-1001 is published. \n\n\n\n10. *References*\n\n[1] [http://www.webex.com/]\n[2]\n[http://corelabs.coresecurity.com/index.php?module=Wiki\u0026action=view\u0026type=project\u0026name=Bugweek]\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\n[http://corelabs.coresecurity.com]. \n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\n[http://www.coresecurity.com]. \n\n\n13. 
*Disclaimer*\n\nThe contents of this advisory are copyright (c) 2011 Core Security\nTechnologies and (c) 2011 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\n[http://www.coresecurity.com/files/attachments/core_security_advisories.asc]. \n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.9 (MingW32)\n\niEYEARECAAYFAk1HJwcACgkQyNibggitWa13VwCfVg6jVkuv3PhqmhNqZFIQO7CB\nL1YAni1ONdRqEYczbkvki9r0Y7nr9cIQ\n=9HdA\n-----END PGP SIGNATURE-----\n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n", "sources": [ { "db": "NVD", "id": "CVE-2010-3269" }, { "db": "JVNDB", "id": "JVNDB-2011-003863" }, { "db": "CNVD", "id": "CNVD-2011-0411" }, { "db": "BID", "id": "46075" }, { "db": "VULHUB", "id": "VHN-45874" }, { "db": "PACKETSTORM", "id": "98073" }, { "db": "PACKETSTORM", "id": "98038" } ], "trust": 2.7 }, "exploit_availability": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "reference": "https://www.scap.org.cn/vuln/vhn-45874", "trust": 0.1, "type": "unknown" } ], "sources": [ { "db": "VULHUB", "id": "VHN-45874" } ] }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2010-3269", "trust": 3.6 }, { "db": "BID", "id": "46075", "trust": 2.0 }, { 
"db": "SECTRACK", "id": "1025015", "trust": 1.7 }, { "db": "VUPEN", "id": "ADV-2011-0261", "trust": 1.7 }, { "db": "JVNDB", "id": "JVNDB-2011-003863", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201102-032", "trust": 0.7 }, { "db": "CNVD", "id": "CNVD-2011-0411", "trust": 0.6 }, { "db": "XF", "id": "65076", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20110131 [CORE-2010-1001] CISCO WEBEX .ATP AND .WRF OVERFLOW VULNERABILITIES", "trust": 0.6 }, { "db": "CISCO", "id": "20110201 MULTIPLE CISCO WEBEX PLAYER VULNERABILITIES", "trust": 0.6 }, { "db": "NSFOCUS", "id": "16391", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "98038", "trust": 0.2 }, { "db": "VULHUB", "id": "VHN-45874", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "98073", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-0411" }, { "db": "VULHUB", "id": "VHN-45874" }, { "db": "BID", "id": "46075" }, { "db": "JVNDB", "id": "JVNDB-2011-003863" }, { "db": "PACKETSTORM", "id": "98073" }, { "db": "PACKETSTORM", "id": "98038" }, { "db": "NVD", "id": "CVE-2010-3269" }, { "db": "CNNVD", "id": "CNNVD-201102-032" } ] }, "id": "VAR-201102-0052", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2011-0411" }, { "db": "VULHUB", "id": "VHN-45874" } ], "trust": 1.3453525499999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-0411" } ] }, "last_update_date": "2023-12-18T12:58:25.400000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { 
"@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "cisco-sa-20110201-webex", "trust": 0.8, "url": "http://www.cisco.com/en/us/products/products_security_advisory09186a0080b6913f.shtml" }, { "title": "cisco-sa-20110201-webex", "trust": 0.8, "url": "http://www.cisco.com/cisco/web/support/jp/110/1103/1103539_cisco-sa-20110201-webex-j.html" }, { "title": "Patch for Cisco WebEx Remote Stack Buffer Overflow Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/2786" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-0411" }, { "db": "JVNDB", "id": "JVNDB-2011-003863" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-119", "trust": 1.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-45874" }, { "db": "JVNDB", "id": "JVNDB-2011-003863" }, { "db": "NVD", "id": "CVE-2010-3269" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities" }, { "trust": 1.7, "url": "http://www.securityfocus.com/bid/46075" }, { "trust": 1.7, "url": "http://www.cisco.com/en/us/products/products_security_advisory09186a0080b6913f.shtml" }, { "trust": 1.7, "url": "http://tools.cisco.com/security/center/viewalert.x?alertid=22016" }, { "trust": 1.7, "url": "http://securitytracker.com/id?1025015" }, { "trust": 1.7, "url": "http://www.vupen.com/english/advisories/2011/0261" }, { "trust": 1.1, "url": "http://www.securityfocus.com/archive/1/516095/100/0/threaded" }, { "trust": 1.1, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65076" }, 
{ "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3269" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3269" }, { "trust": 0.6, "url": "http://xforce.iss.net/xforce/xfdb/65076" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/516095/100/0/threaded" }, { "trust": 0.6, "url": "http://www.nsfocus.net/vulndb/16391" }, { "trust": 0.4, "url": "http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml" }, { "trust": 0.3, "url": "http://www.webex.com/" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3269" }, { "trust": 0.1, "url": "http://www.cisco.com/en/us/products/products_security_vulnerability_policy.html." }, { "trust": 0.1, "url": "http://www.cisco.com/go/psirt" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3043" }, { "trust": 0.1, "url": "http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml." }, { "trust": 0.1, "url": "http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html" }, { "trust": 0.1, "url": "https://www.webex.com/downloadplayer.html" }, { "trust": 0.1, "url": "https://www.webex.com" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3044" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3041" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3042" }, { "trust": 0.1, "url": "http://www.cisco.com/go/psirt." }, { "trust": 0.1, "url": "http://www.cisco.com/public/sw-center/sw-usingswc.shtml" }, { "trust": 0.1, "url": "http://www.cisco.com/en/us/docs/general/warranty/english/eu1ken_.html," }, { "trust": 0.1, "url": "http://intellishield.cisco.com/security/alertmanager/cvss" }, { "trust": 0.1, "url": "http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities]" }, { "trust": 0.1, "url": "http://corelabs.coresecurity.com]." 
}, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2010-3270" }, { "trust": 0.1, "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc]." }, { "trust": 0.1, "url": "http://corelabs.coresecurity.com/" }, { "trust": 0.1, "url": "http://www.webex.com/]" }, { "trust": 0.1, "url": "http://www.coresecurity.com]." }, { "trust": 0.1, "url": "http://secunia.com/" }, { "trust": 0.1, "url": "http://corelabs.coresecurity.com/index.php?module=wiki\u0026action=view\u0026type=project\u0026name=bugweek]" }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/]" }, { "trust": 0.1, "url": "http://lists.grok.org.uk/full-disclosure-charter.html" }, { "trust": 0.1, "url": "http://www.webex.com/downloadplayer.html]." } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-0411" }, { "db": "VULHUB", "id": "VHN-45874" }, { "db": "BID", "id": "46075" }, { "db": "JVNDB", "id": "JVNDB-2011-003863" }, { "db": "PACKETSTORM", "id": "98073" }, { "db": "PACKETSTORM", "id": "98038" }, { "db": "NVD", "id": "CVE-2010-3269" }, { "db": "CNNVD", "id": "CNNVD-201102-032" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2011-0411" }, { "db": "VULHUB", "id": "VHN-45874" }, { "db": "BID", "id": "46075" }, { "db": "JVNDB", "id": "JVNDB-2011-003863" }, { "db": "PACKETSTORM", "id": "98073" }, { "db": "PACKETSTORM", "id": "98038" }, { "db": "NVD", "id": "CVE-2010-3269" }, { "db": "CNNVD", "id": "CNNVD-201102-032" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-02-01T00:00:00", "db": "CNVD", "id": "CNVD-2011-0411" }, { "date": "2011-02-02T00:00:00", "db": "VULHUB", "id": "VHN-45874" }, { "date": "2011-01-31T00:00:00", "db": "BID", "id": "46075" }, { "date": "2012-03-27T00:00:00", "db": "JVNDB", "id": 
"JVNDB-2011-003863" }, { "date": "2011-02-02T02:55:23", "db": "PACKETSTORM", "id": "98073" }, { "date": "2011-02-01T04:52:28", "db": "PACKETSTORM", "id": "98038" }, { "date": "2011-02-02T23:00:31.957000", "db": "NVD", "id": "CVE-2010-3269" }, { "date": "2011-02-09T00:00:00", "db": "CNNVD", "id": "CNNVD-201102-032" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-02-01T00:00:00", "db": "CNVD", "id": "CNVD-2011-0411" }, { "date": "2018-10-10T00:00:00", "db": "VULHUB", "id": "VHN-45874" }, { "date": "2011-02-01T16:20:00", "db": "BID", "id": "46075" }, { "date": "2012-03-27T00:00:00", "db": "JVNDB", "id": "JVNDB-2011-003863" }, { "date": "2018-10-10T20:01:31.677000", "db": "NVD", "id": "CVE-2010-3269" }, { "date": "2011-02-12T00:00:00", "db": "CNNVD", "id": "CNNVD-201102-032" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "98073" }, { "db": "CNNVD", "id": "CNNVD-201102-032" } ], "trust": 0.7 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Cisco WRF and ARF Player T27LB Vulnerable to stack-based buffer overflow", "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-003863" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "buffer overflow", "sources": [ { "db": "CNNVD", "id": "CNNVD-201102-032" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.