[VulnWatch] Re: WebEx Downloader Plug-in Multiple Vulnerabilities + rant

From: Mark Litchfield (mark@private)
Date: Mon Jul 17 2006 - 04:52:55 PDT


Was busy actually, spent some time with my kids b4 shooting off abroad.

Anyway - http://www.skype.com/security/SKYPE-SB-2005-002.txt

As it would turn out, Mark R's bug and my bug shared the same piece of code. 
So basically two different attack vectors were discovered, callto:// URI and 
using a VCARD.

Cheers

Mark
----- Original Message ----- 
From: "Mark Rowe" <mark.rowe@private>
To: bugtraq@private
Cc: <vulnwatch@private>; <sec-adv@private>
Sent: Friday, July 14, 2006 3:51 PM
Subject: Re: WebEx Downloader Plug-in Multiple Vulnerabilities + rant


> Hi all,
>
> I've spoken with Mark Litchfield this week and I just want to clarify
> that in no way did Skype divulge any information imparted to them to
> Pentest Limited or to our knowledge any one else regarding Mark's
> discoveries. It was purely coincidence that one of the vulnerabilities
> we reported to Skype was the same as discovered by Mark.
>
> I did ask Mark to post to this list to clear this up but I guess he is
> too busy.
>
> I like conspiracy theories as much as the next person but this
> definitely isn't an X-file :)
>
> Cheers,
> Mark.
>
> Mark Litchfield wrote:
>
>> All these vulnerabilities were reported to WebEx by NGS Software back on
>> the 24th February 2005 along with some other issues.
>>
>> The current Director of the X-Force new about these issues as at the
>> time of their discovery, he worked with NGS.
>>
>> Seeing as I'm the subject, here is another example whereby I found a bug
>> (in Skype) except Pentest-Limited were credited with it's discovery -
>> http://www.theregister.co.uk/2005/10/25/skype_vuln/  An extract from an
>> email below from Kurt Sauer (Security Operations / Skype Technologies),
>> shows that Mark Rowe of Pentest Ltd for some unknown reason had access
>> to my email sent to Kurt.
>>
>> In reviewing our mail archives, I see that you *DID* report the vuln (the
>> VCARD aspect) to us -- to ME, directly -- before Mark Rowe did.  However, 
>> I
>> (gulp) mishandled the e-mail.
>>
>> As you surmised, it appears that Mark Rowe read that mail and found 
>> another
>> instantiation of the same bug, namely the handling of the command-line
>> parameters.
>>
>> Completely my fault on that.  It will take one "push" cycle (typically 
>> less
>> than a day) to get a correction posted, but I will both correct our
>> announcement and also redistribute it with corrected attribution.
>>
>> I should have asked you to CC security@private on the actual vuln 
>> report,
>> because mail sent to that address is read by more than just me.
>>
>> Importantly, I am going to hire a dedicated incident manager (as fast as
>> our hiring practices will allow) so that there is someone spending full
>> workdays just handing inbound messages on this topic.
>>
>>
>> Could never be bothered before to make an issue of it.  But to sit on a
>> large number of flaws in a vendors software product for 498 days and see
>> other companies credited is a tad annoying :)
>>
>> All the best
>>
>> Mark Litchfield
>>
>> ----- Original Message ----- From: "David Litchfield" <>
>> To: "Mark Litchfield" <mark@private>
>> Sent: Friday, July 07, 2006 4:12 PM
>> Subject: Fw: [SA20956] WebEx Downloader Plug-in Multiple Vulnerabilities
>>
>>
>>> You're not credited - are any of these yours?
>>>
>>> ----- Original Message ----- From: "Secunia Security Advisories"
>>> <sec-adv@private>
>>> To: <>
>>> Sent: Friday, July 07, 2006 12:32 PM
>>> Subject: [SA20956] WebEx Downloader Plug-in Multiple Vulnerabilities
>>>
>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Reverse Engineer Wanted
>>>>
>>>> Secunia offers a Security Specialist position with emphasis on
>>>> reverse engineering of software and exploit code, auditing of
>>>> source code, and analysis of vulnerability reports.
>>>>
>>>> http://secunia.com/secunia_security_specialist/
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> TITLE:
>>>> WebEx Downloader Plug-in Multiple Vulnerabilities
>>>>
>>>> SECUNIA ADVISORY ID:
>>>> SA20956
>>>>
>>>> VERIFY ADVISORY:
>>>> http://secunia.com/advisories/20956/
>>>>
>>>> CRITICAL:
>>>> Highly critical
>>>>
>>>> IMPACT:
>>>> System access
>>>>
>>>> WHERE:
>>>> From remote
>>>>
>>>> SOFTWARE:
>>>> WebEx Downloader plug-in 2.x
>>>> http://secunia.com/product/10916/
>>>>
>>>> DESCRIPTION:
>>>> Some vulnerabilities have been reported in WebEx Downloader plug-in,
>>>> which can be exploited by malicious people to compromise a user's
>>>> system.
>>>>
>>>> 1) An error exists in the ActiveX and Java versions of the WebEx
>>>> Downloader plug-in where the source of downloaded components is not
>>>> properly verified. This can be exploited to install malicious
>>>> components on a user's system.
>>>>
>>>> Successful exploitation allows execution of arbitrary code, but
>>>> requires that the user e.g. is tricked into visiting a malicious web
>>>> site.
>>>>
>>>> The vulnerability has been reported in version 2.0.0.7. Other
>>>> versions may also be affected.
>>>>
>>>> 2) Some unspecified boundary errors in an included ActiveX control
>>>> can be exploited to cause a buffer overflow.
>>>>
>>>> Successful exploitation may allow execution of arbitrary code.
>>>>
>>>> SOLUTION:
>>>> Apply update.
>>>> http://www.webex.com/go/downloadSP30
>>>>
>>>> PROVIDED AND/OR DISCOVERED BY:
>>>> 1) Discovered by an anonymous person and reported via ZDI.
>>>> 1-2) David Dewey and Mark Dowd, ISS X-Force.
>>>>
>>>> ORIGINAL ADVISORY:
>>>> WebEx Communications:
>>>> http://www.webex.com/lp/security/ActiveAdv.html?TrackID=123456
>>>>
>>>> Zero Day Initiative:
>>>> http://www.zerodayinitiative.com/advisories/ZDI-06-021.html
>>>>
>>>> ISS X-Force:
>>>> http://xforce.iss.net/xforce/alerts/id/226
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> About:
>>>> This Advisory was delivered by Secunia as a free service to help
>>>> everybody keeping their systems up to date against the latest
>>>> vulnerabilities.
>>>>
>>>> Subscribe:
>>>> http://secunia.com/secunia_security_advisories/
>>>>
>>>> Definitions: (Criticality, Where etc.)
>>>> http://secunia.com/about_secunia_advisories/
>>>>
>>>>
>>>> Please Note:
>>>> Secunia recommends that you verify all advisories you receive by
>>>> clicking the link.
>>>> Secunia NEVER sends attached files with advisories.
>>>> Secunia does not advise people to install third party patches, only
>>>> use those supplied by the vendor.
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Unsubscribe: Secunia Security Advisories
>>>> http://secunia.com/sec_adv_unsubscribe/?email=davidl%40ngssoftware.com
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>
>>>
>>
>>
>
> -- 
> Mark Rowe
> IT Security Consultant
> Pentest Limited
>
> Office: +44 (0) 161 233 0100
> Fax:    +44 (0) 161 233 0990
> Mobile:    +44 (0) 7813 803 929
>
> http://www.pentest.co.uk/legal.shtml#emailpolicy
>
> - .... . .-. . / .. ... / -. --- / ... . -.-. ..- .-. .. - -.-- / --- -.
> / - .... .. ... / . .- .-. - .... / ..--.. / / --- -. .-.. -.-- / ---
> .--. .--. --- .-. - ..- -. .. - -.-- / ..--.. / / / -.. --- ..- --. .-..
> .- ... / -- .- -.-. .- .-. - .... ..- .-. /
>
> 



This archive was generated by hypermail 2.1.3 : Wed Jul 19 2006 - 18:13:13 PDT