Cisco WebEx Player Remote Code Execution

December 8, 2011

WebEx Communications Inc. is a Cisco company that provides on-demand collaboration, online meeting, web conferencing and videoconferencing applications. Its products include Meeting Center, Training Center, Event Center, Support Center, Sales Center, MeetMeNow, PCNow, WebEx AIM Pro Business Edition, WebEx WebOffice, WebEx Connect and WebEx Player.

Cisco WebEx uses the proprietary WRF file format (.wrf extension) to store WebEx meeting recordings on the computer of an on-line meeting attendee. The structure of this file is not publicly documented. Reverse-engineering has identified the following structure as a file header:

 Offset Size Field ----------------------------------------------------- 0x00 4 Magic number = 57 4f 54 46 (WOTF) 0x04 4 Unknown 0x08 4 File size in bytes 

After the header, there may be multiple records in the file. The records may have the following format:

 Offset Size Field -------------------------------------------------------------------------------- 0x00 1 Field Type 0x01 4 Size of the record 0x05 m unknown 0xXX 4 Datasize (n) 0xXX n Data 

A code execution vulnerability exists in Cisco WebEx Player ATA32.dll module. The vulnerable code trusts the date form the records of the WRF file, and uses them in determining the size and the offset in a source/destination buffer for a memcpy function call, and then overwrites the memory with the data from the file.

A remote unauthenticated attacker can exploit this vulnerability to inject and execute arbitrary code with the privileges of the currently logged on user. If code execution fails, the vulnerable application will terminate abnormally.

SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect the attacks based on this vulnerability:

  • 7202 Cisco WebEx Player Remote Code Execution

The vulnerability has been referred by CVE as CVE-2011-4004.