Until Wednesday, a single text message sent through Cisco’s Jabber collaboration application was all it took to touch off a self-replicating attack that would spread malware from one Windows user to another, researchers who developed the exploit said.
The wormable attack was the result of several flaws, which Cisco patched on Wednesday, in the Chromium Embedded Framework that forms the foundation of the Jabber client. A filter that’s designed to block potentially malicious content in incoming messages failed to scrutinize code that invoked a programming interface known as “onanimationstart.”
Jumping through hoops
But even then, the filter still blocked content that contained <style>, an HTML tag that had to be included in a malicious payload. To bypass that protection, the researchers used code that was tailored to a built-in animation component called spinner-grow. With that, the researchers were able to achieve a cross-site scripting exploit that injected a malicious payload directly into the internals of the browser built into Jabber.
A security sandbox built into the Chromium Embedded Framework, or CEF, would normally store the payload in a container that’s isolated from sensitive parts of the app. To work around this constraint, the researchers abused the window.CallCppFunction, which is designed to open files sent by other Cisco Jabber users. By manipulating a function parameter that accepts files, the researchers were able to break out of the sandbox.
“Since Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious .exe file and force the victim to accept it using an XSS attack,” researchers from security firm Watchcom Security wrote in a post. “The attacker can then trigger a call to window.CallCppFunction, causing the malicious file to be executed on the victim’s machine.”
Computer worms are among the most potent types of malware attack because a single strike can touch off a chain of follow-on damage, in much the way toppling a domino causes thousands of dominos behind it to fall. When the wormable attack achieves remote code execution—as is the case here—worms are the most severe. Fixes from Cisco come as more businesses are relying on video conferencing to conduct everyday work.
Accordingly, CVE-2020-3495, the designation assigned to the Cisco Jabber vulnerability, has a severity rating of 9.9 out of a maximum 10 based on the Common Vulnerability Scoring System. Cisco’s advisory has more details here.
More code execution
The Watchcom researchers devised a separate code-execution attack that exploited a different vulnerability. That one worked by abusing Cisco Jabber protocol handlers, which help the operating system know what to do when a user clicks on a URL containing a Jabber-specific protocol.
The researchers explained:
These protocol handlers are vulnerable to command injection because they fail to consider URLs that contain spaces. By including a space in the URL, an attacker can inject arbitrary command line flags that will be passed to the application. Since the application uses CEF and accepts Chromium command line flags, several flags that can be used to execute arbitrary commands or load arbitrary DLLs exist. An example of such a flag is –GPU-launcher. This flag specifies a command that will be executed when CEFs GPU process is started.
This vulnerability can be combined with the XSS vulnerability to achieve code execution without transferring any files to the victim. This makes it possible to deliver malware without writing any files to disk, thus bypassing most antivirus software.
The video below demonstrates the proof-of-concept exploit they developed.
CVE-2020-3430 carries a severity score of 8.8.
The vulnerabilities affect Cisco Jabber for Windows versions 12.1 through 12.9.1. People using vulnerable versions should update as soon as possible.