Re: WebEx Downloader Plug-in Multiple Vulnerabilities + rant

["Mark Litchfield" <mark@xxxxxxxxxxxxxxx>]

Was busy actually, spent some time with my kids b4 shooting off abroad.

Anyway - http://www.skype.com/security/SKYPE-SB-2005-002.txt

As it would turn out, Mark R's bug and my bug shared the same piece of code. 
So basically two different attack vectors were discovered, callto:// URI and 
using a VCARD.

Cheers

Mark
----- Original Message ----- 
From: "Mark Rowe" <mark.rowe@xxxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: <vulnwatch@xxxxxxxxxxxxx>; <sec-adv@xxxxxxxxxxx>
Sent: Friday, July 14, 2006 3:51 PM
Subject: Re: WebEx Downloader Plug-in Multiple Vulnerabilities + rant


> Hi all,
>
> I've spoken with Mark Litchfield this week and I just want to clarify
> that in no way did Skype divulge any information imparted to them to
> Pentest Limited or to our knowledge any one else regarding Mark's
> discoveries. It was purely coincidence that one of the vulnerabilities
> we reported to Skype was the same as discovered by Mark.
>
> I did ask Mark to post to this list to clear this up but I guess he is
> too busy.
>
> I like conspiracy theories as much as the next person but this
> definitely isn't an X-file :)
>
> Cheers,
> Mark.
>
> Mark Litchfield wrote:
>
> > All these vulnerabilities were reported to WebEx by NGS Software back on
> > the 24th February 2005 along with some other issues.
> >
> > The current Director of the X-Force new about these issues as at the
> > time of their discovery, he worked with NGS.
> >
> > Seeing as I'm the subject, here is another example whereby I found a bug
> > (in Skype) except Pentest-Limited were credited with it's discovery -
> > http://www.theregister.co.uk/2005/10/25/skype_vuln/  An extract from an
> > email below from Kurt Sauer (Security Operations / Skype Technologies),
> > shows that Mark Rowe of Pentest Ltd for some unknown reason had access
> > to my email sent to Kurt.
> >
> > In reviewing our mail archives, I see that you *DID* report the vuln (the
> > VCARD aspect) to us -- to ME, directly -- before Mark Rowe did.  However, 
> > I
> > (gulp) mishandled the e-mail.
> >
> > As you surmised, it appears that Mark Rowe read that mail and found 
> > another
> > instantiation of the same bug, namely the handling of the command-line
> > parameters.
> >
> > Completely my fault on that.  It will take one "push" cycle (typically 
> > less
> > than a day) to get a correction posted, but I will both correct our
> > announcement and also redistribute it with corrected attribution.
> >
> > I should have asked you to CC security@xxxxxxxxx on the actual vuln 
> > report,
> > because mail sent to that address is read by more than just me.
> >
> > Importantly, I am going to hire a dedicated incident manager (as fast as
> > our hiring practices will allow) so that there is someone spending full
> > workdays just handing inbound messages on this topic.
> >
> >
> > Could never be bothered before to make an issue of it.  But to sit on a
> > large number of flaws in a vendors software product for 498 days and see
> > other companies credited is a tad annoying :)
> >
> > All the best
> >
> > Mark Litchfield
> >
> > ----- Original Message ----- From: "David Litchfield" <>
> > To: "Mark Litchfield" <mark@xxxxxxxxxxxxxxx>
> > Sent: Friday, July 07, 2006 4:12 PM
> > Subject: Fw: [SA20956] WebEx Downloader Plug-in Multiple Vulnerabilities
> >
> >
> > > You're not credited - are any of these yours?
> > >
> > > ----- Original Message ----- From: "Secunia Security Advisories"
> > > <sec-adv@xxxxxxxxxxx>
> > > To: <>
> > > Sent: Friday, July 07, 2006 12:32 PM
> > > Subject: [SA20956] WebEx Downloader Plug-in Multiple Vulnerabilities
> > >
> > >
> > > > ----------------------------------------------------------------------
> > > >
> > > > Reverse Engineer Wanted
> > > >
> > > > Secunia offers a Security Specialist position with emphasis on
> > > > reverse engineering of software and exploit code, auditing of
> > > > source code, and analysis of vulnerability reports.
> > > >
> > > > http://secunia.com/secunia_security_specialist/
> > > >
> > > > ----------------------------------------------------------------------
> > > >
> > > > TITLE:
> > > > WebEx Downloader Plug-in Multiple Vulnerabilities
> > > >
> > > > SECUNIA ADVISORY ID:
> > > > SA20956
> > > >
> > > > VERIFY ADVISORY:
> > > > http://secunia.com/advisories/20956/
> > > >
> > > > CRITICAL:
> > > > Highly critical
> > > >
> > > > IMPACT:
> > > > System access
> > > >
> > > > WHERE:
> > > > From remote
> > > >
> > > > SOFTWARE:
> > > > WebEx Downloader plug-in 2.x
> > > > http://secunia.com/product/10916/
> > > >
> > > > DESCRIPTION:
> > > > Some vulnerabilities have been reported in WebEx Downloader plug-in,
> > > > which can be exploited by malicious people to compromise a user's
> > > > system.
> > > >
> > > > 1) An error exists in the ActiveX and Java versions of the WebEx
> > > > Downloader plug-in where the source of downloaded components is not
> > > > properly verified. This can be exploited to install malicious
> > > > components on a user's system.
> > > >
> > > > Successful exploitation allows execution of arbitrary code, but
> > > > requires that the user e.g. is tricked into visiting a malicious web
> > > > site.
> > > >
> > > > The vulnerability has been reported in version 2.0.0.7. Other
> > > > versions may also be affected.
> > > >
> > > > 2) Some unspecified boundary errors in an included ActiveX control
> > > > can be exploited to cause a buffer overflow.
> > > >
> > > > Successful exploitation may allow execution of arbitrary code.
> > > >
> > > > SOLUTION:
> > > > Apply update.
> > > > http://www.webex.com/go/downloadSP30
> > > >
> > > > PROVIDED AND/OR DISCOVERED BY:
> > > > 1) Discovered by an anonymous person and reported via ZDI.
> > > > 1-2) David Dewey and Mark Dowd, ISS X-Force.
> > > >
> > > > ORIGINAL ADVISORY:
> > > > WebEx Communications:
> > > > http://www.webex.com/lp/security/ActiveAdv.html?TrackID=123456
> > > >
> > > > Zero Day Initiative:
> > > > http://www.zerodayinitiative.com/advisories/ZDI-06-021.html
> > > >
> > > > ISS X-Force:
> > > > http://xforce.iss.net/xforce/alerts/id/226
> > > >
> > > > ----------------------------------------------------------------------
> > > >
> > > > About:
> > > > This Advisory was delivered by Secunia as a free service to help
> > > > everybody keeping their systems up to date against the latest
> > > > vulnerabilities.
> > > >
> > > > Subscribe:
> > > > http://secunia.com/secunia_security_advisories/
> > > >
> > > > Definitions: (Criticality, Where etc.)
> > > > http://secunia.com/about_secunia_advisories/
> > > >
> > > >
> > > > Please Note:
> > > > Secunia recommends that you verify all advisories you receive by
> > > > clicking the link.
> > > > Secunia NEVER sends attached files with advisories.
> > > > Secunia does not advise people to install third party patches, only
> > > > use those supplied by the vendor.
> > > >
> > > > ----------------------------------------------------------------------
> > > >
> > > > Unsubscribe: Secunia Security Advisories
> > > > http://secunia.com/sec_adv_unsubscribe/?email=davidl%40ngssoftware.com
> > > >
> > > > ----------------------------------------------------------------------
>
> --
> Mark Rowe
> IT Security Consultant
> Pentest Limited
>
> Office: +44 (0) 161 233 0100
> Fax:    +44 (0) 161 233 0990
> Mobile:    +44 (0) 7813 803 929
>
> http://www.pentest.co.uk/legal.shtml#emailpolicy
>
> - .... . .-. . / .. ... / -. --- / ... . -.-. ..- .-. .. - -.-- / --- -.
> / - .... .. ... / . .- .-. - .... / ..--.. / / --- -. .-.. -.-- / ---
> .--. .--. --- .-. - ..- -. .. - -.-- / ..--.. / / / -.. --- ..- --. .-..
> .- ... / -- .- -.-. .- .-. - .... ..- .-. /