CVE-2018-15442
Published 2018-10-24
Priority P260 · high · 7.8 (CVSS 3.0)
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 16.02% (96.5th percentile)
A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_webex_event_center | — | — |
| cisco | webex_meetings_desktop | < 33.6.4 | 33.6.4 |
| cisco | webex_meetings_desktop_app_update_service | — | — |
| cisco | webex_productivity_tools | >= 32.6.0 < 33.0.6 | 33.0.6 |
Detection & IOCs
- Monitor for 'sc start webexservice' commands with 'install software-update' arguments, which is the exploitation trigger for CVE-2018-15442.
- Alert on the 'webexservice' Windows service spawning child processes (especially cmd.exe or arbitrary executables), as it runs as SYSTEM and should not normally execute user-supplied binaries.
- Detect executable files written to %SystemRoot%\Temp or c:\Windows\Temp\ followed immediately by a 'sc start webexservice' invocation, indicating payload staging for this exploit.
- In Active Directory environments, monitor for remote invocation of webexservice via OS remote management tools (e.g., WMI, PsExec), as the vulnerability can be exploited remotely in such deployments.
- The SMB-based exploit module (WebExec) authenticates over SMB and uses any non-guest credential to execute commands via webexservice; monitor for SMB authentication followed by webexservice process creation from remote sessions.
- The vulnerability can only be exploited if 'webexservice' is set to start automatically; if the service startup type is Manual or Disabled, exploitation is blocked unless the attacker has elevated permissions to change the service configuration.
- UAC being enabled may produce false negatives when checking for writable folders during exploitation, potentially affecting payload delivery reliability.
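
The first three checks in the list above, combined into one pass over endpoint telemetry, as an added example (not code from this page or from any source it cites). Field names follow Sysmon event IDs 1 (process create) and 11 (file create); the service image name `WebExService.exe`, the 60-second correlation window, and every sample event are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename

# Trigger strings come from the detection notes: 'sc start webexservice' + 'software-update'.
SC_TRIGGER = re.compile(r"\bsc(?:\.exe)?\b.*\bstart\s+webexservice\b.*\bsoftware-update\b", re.I)
SERVICE_IMAGE = "webexservice.exe"   # assumption: image name of the service binary
TEMP_DIR = "c:\\windows\\temp\\"
WINDOW = timedelta(seconds=60)       # assumption: staging-to-trigger correlation window

def ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def detect(events):
    """Return (UtcTime, rule) pairs for events matching the detection notes."""
    hits, staged = [], []
    for ev in sorted(events, key=ts):
        if ev["EventID"] == 11:      # file create: remember executables dropped in Temp
            target = ev["TargetFilename"].lower()
            if target.startswith(TEMP_DIR) and target.endswith(".exe"):
                staged.append(ts(ev))
        elif ev["EventID"] == 1:     # process create
            if SC_TRIGGER.search(ev["CommandLine"]):
                hits.append((ev["UtcTime"], "sc-start-software-update"))
                if any(timedelta(0) <= ts(ev) - t <= WINDOW for t in staged):
                    hits.append((ev["UtcTime"], "temp-exe-then-sc-start"))
            if basename(ev["ParentImage"]).lower() == SERVICE_IMAGE:
                hits.append((ev["UtcTime"], "webexservice-child-process"))
    return hits

# Constructed sample events (not real telemetry); trailing arguments are elided on purpose.
SAMPLE = [
    {"EventID": 11, "UtcTime": "2018-10-25 09:00:01",
     "TargetFilename": r"C:\Windows\Temp\sample-constructed.exe"},
    {"EventID": 1, "UtcTime": "2018-10-25 09:00:05", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc start webexservice install software-update <elided>",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2018-10-25 09:00:06", "Image": r"C:\Windows\Temp\sample-constructed.exe",
     "CommandLine": r"C:\Windows\Temp\sample-constructed.exe",
     "ParentImage": r"C:\placeholder-install-dir\WebExService.exe"},
    {"EventID": 1, "UtcTime": "2018-10-25 11:30:00", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query webexservice", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
```

The `sc query` event produces no hit, so routine service inspection does not trip the first rule; the child-process rule fires on any process whose parent is the service binary, which matches the note that the service should not normally launch user-supplied binaries.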
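CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vendor_cisco | — | 7.8 | HIGH | — |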
GHSA
GHSA-766m-hqm4-2gcf
ghsa_unreviewed · 2022-05-13
CVE-2018-15442 [HIGH] CWE-78
Cisco
Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability
vendor_cisco·2018-10-24·CVSS 7.8
CVE-2018-15442 [HIGH] CWE-78 Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability
No detection rules found.
Exploit-DB
WebEx - Local Service Permissions Exploit (Metasploit)
exploitdb·2018-10-25
CVE-2018-15442 WebEx - Local Service Permissions Exploit (Metasploit)
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'WebEx Local Service Permissions Exploit',
      'Description' => %q{
        This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM,
        can be used to run arbitrary commands locally, and can be started by limited users in
        default installations.
      },
      'References' =>
        [
          ['URL', 'https://webexec.org'],
          ['CVE', '2018-15442']
        ],
      'DisclosureDate' => "Oct 09 2018",
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Jeff McJunkin '
        ],
      'Platform' => [ 'win'],
      'Targets' =>
        [
          [ 'Automatic', {} ],
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 }
```
Exploit-DB
WebExec - (Authenticated) User Code Execution (Metasploit)
exploitdb·2018-10-25
CVE-2018-15442 WebExec - (Authenticated) User Code Execution (Metasploit)
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
#   Local Security Settings >
#     Local Policies >
#       Security Options >
#         Network Access: Sharing and security model for local accounts
class MetasploitModule 'WebExec Authenticated User Code Execution',
      'Description' => %q{
        This module uses a valid username and password of any level (or
        password hash) to execute an arbitrary payload. This module is similar
```
Metasploit
WebEx Local Service Permissions Exploit
metasploit
This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM, can be used to run arbitrary commands locally, and can be started by limited users in default installations.
Metasploit
WebExec Authenticated User Code Execution
metasploit
This module uses a valid username and password of any level (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" module, except allows any non-guest account by default.
Metasploit
WebEx Remote Command Execution Utility
metasploit
This module enables the execution of a single command as System by exploiting a remote code execution vulnerability in Cisco's WebEx client software.
No writeups or analysis indexed.
- http://www.securityfocus.com/bid/105734
- http://www.securitytracker.com/id/1041942
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection
- https://www.exploit-db.com/exploits/45695/
- https://www.exploit-db.com/exploits/45696/
Published: 2018-10-24