Watchcom Security Group uncovers Cisco Jabber vulnerabilities

All vulnerabilities have been responsibly disclosed to Cisco and patches are available. If you or your organization are using Cisco Jabber, update now!

Figure 1: The Jabber RCE vulnerability in action.

Security consultants from Watchcom discovered the four high severity vulnerabilities while pen-testing for a client. The vulnerabilities affect all currently supported versions of the Cisco Jabber client (12.1 – 12.9). The four vulnerabilities and their corresponding CVE numbers are listed below:

• CVE-2020-3495: Cisco Jabber Message Handling Arbitrary Code Execution (CVSS 9.9)
• CVE-2020-3430: Cisco Jabber Protocol Handler Command Injection (CVSS 8.0)
• CVE-2020-3498: Cisco Jabber Information Disclosure (CVSS 6.5)
• CVE-2020-3537: Cisco Jabber Universal Naming Convention Link Handling (CVSS 5.7)

This article describes the technical details of the vulnerabilities and gives useful advice for detection and mitigation.

Introduction

Cisco Jabber is a video conferencing and instant messaging application. It is mainly used for internal communication, but can also be used to chat, call or conduct meetings with people outside of the organization. These days a lot of people are working from home and applications like Cisco Jabber are essential to stay connected, communicate efficiently and keep businesses running smoothly.

Given their newfound prevalence in organizations of all sizes, these applications are becoming an increasingly attractive target for attackers. A lot of sensitive information is shared through video calls or instant messages and the applications are used by the majority of employees, including those with privileged access to other IT-systems.

The security of these applications is therefore paramount, and it is important to ensure that both the applications themselves, and the infrastructure they are using, are regularly audited for security gaps.

During a recent penetration test for an unrelated client, security consultants Olav Sortland Thoresen and Torjus Bryne Retterstøl from Watchcom discovered four serious vulnerabilities in Cisco Jabber. The vulnerabilities range from medium to critical severity and two of the vulnerabilities can be used to gain remote code execution. The most severe vulnerability is also wormable, meaning that it can be used to automatically spread malware without any user interaction.

Watchcom immediately reported these vulnerabilities to Cisco and coordinated a responsible disclosure. Patches have been issued and all Cisco Jabber users are strongly encouraged to update to the latest version.

Background

All four vulnerabilities affect the Cisco Jabber client application and were tested on Windows. The Cisco Jabber client is based on the Chromium Embedded Framework (CEF) and uses the Extensible Messaging and Presence Protocol (XMPP) for instant messages and presence updates. These two technologies are important for understanding the vulnerabilities and their implications. A brief overview of each of them is therefore provided below.

Chromium Embedded Framework (CEF)

CEF is a framework that allows developers to embed Chromium-based web browsers in their applications. It is used to create desktop applications based on web technologies like HTML, CSS and JavaScript. Normally, the code running in the embedded web browser is sandboxed and cannot access files or perform system calls. While this is a good security measure, application developers often want such functionality in their application and therefore find or create ways to bypass the sandbox.

This leaves applications vulnerable in scenarios where the sandbox normally would’ve provided protection.

Additionally, many applications that use CEF choose to pass through command line flags to the embedded web browser. This means that many CEF applications accept Chromium command line flags. Some of these flags can be used to execute arbitrary commands or load arbitrary DLLs and should therefore be treated with caution.

Extensible Messaging and Presence Protocol (XMPP)

XMPP is an XML-based protocol for instant messaging and presence. It is based on an open standard and is widely used in both open-source and proprietary software. XMPP is an extensible protocol and several extensions that provide additional functionality to the protocol exist.

Figure 2: An XMPP message containing both a plaintext and an HTML version of a message.

One of these extensions is XEP-0071: XHTML-IM. This extension defines how instant messages containing HTML formatted content can be exchanged over XMPP. Since HTML content can contain malicious elements, the specification states that applications must assume that messages containing HTML are malicious and sanitize them accordingly.

It also states that it must be possible for users to prevent automatic loading of images. Not all applications take such precautions and we will later see how this is the root cause of two of the vulnerabilities that we discovered.

Cross Site Scripting Leading to RCE Vulnerability

Cisco Jabber is vulnerable to Cross Site Scripting (XSS) through XHTML-IM messages. The application does not properly sanitize incoming HTML messages and instead passes them through a flawed XSS filter.

The filter is based on a blacklist of known-bad tags and attributes, but it is not comprehensive. Since the application is based on CEF, its embedded web browser will execute any scripts that can pass through the filter.

We discovered that the filter could be bypassed using the lesser-known onanimationstart attribute. Tags that had this attribute were not caught by the filter and were directly inserted into the embedded web browser’s DOM. This attribute is used to specify a JavaScript function that will be called when an element’s CSS animation starts playing. To achieve XSS using this attribute the element must have an animation assigned to it. It was not possible to inject custom CSS animations since <style> tags were caught by the filter, but we discovered a built-in animation called spinner-grow by grepping through the files in the installation directory. By combining these two, it was possible to create malicious HTML tags that bypassed the filter and were executed.

Figure 3: An XHTML-IM message that has been intercepted and modified. A malicious <img> tag has been added.

Cisco Jabber uses XHTML-IM by default for all messages. A malicious message can therefore easily be created by intercepting an XMPP message sent by the application and modifying it. Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically.

Figure 4: When the victim receives the message, the JavaScript code is executed. In this case the code opens an alert box as a proof of concept.

After achieving XSS, we started looking for ways to escape the CEF sandbox. A vulnerable function (named window.CallCppFunction) was identified. This function is used to invoke native C++ code and the application uses it to, among other things, open files received from other Cisco Jabber users.

We discovered that this function can be abused by an attacker to run arbitrary executable files on the victim’s machine. The function takes a file:// URL as its second parameter and by manipulating this parameter an attacker can execute arbitrary .exe files.

Since Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious .exe file and force the victim to accept it using an XSS attack.

The attacker can then trigger a call to window.CallCppFunction, causing the malicious file to be executed on the victim´s machine.

Figure 5: An XHTML-IM message containing exploit code that escapes the CEF sandbox and launches calc.exe on the victim’s machine.

This vulnerability has been assigned CVE-2020-3495 with a CVSS score of 9.9 (Critical) / CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Protocol Handler Vulnerability

While researching the XSS vulnerability, we discovered another high severity vulnerability concerning the handling of URLs with custom protocols.

Upon installation, Cisco Jabber registers protocol handlers for a number of different protocols. These are used to tell the operating system that whenever a user clicks on a URL containing one of the custom protocols (e.g. ciscoim:test@example.com) the URL should be passed to Cisco Jabber. In this case, the protocol handlers specify that the URL should be passed as a command line flag.

Figure 6: One of Cisco Jabber’s protocol handlers. The protocol handler specifies that URLs should be passed to the application as a command line flag.

These protocol handlers are vulnerable to command injection because they fail to consider URLs that contain spaces. By including a space in the URL, an attacker can inject arbitrary command line flags that will be passed to the application. Since the application uses CEF and accepts Chromium command line flags, several flags that can be used to execute arbitrary commands or load arbitrary DLLs exist. An example of such a flag is --GPU-launcher. This flag specifies a command that will be executed when CEFs GPU process is started.

This vulnerability can be combined with the XSS vulnerability to achieve code execution without transferring any files to the victim. This makes it possible to deliver malware without writing any files to disk, thus bypassing most antivirus software.

The video below shows the vulnerability being exploited. The attacker sends a malicious message, containing an XSS payload that escapes the CEF sandbox and uses the protocol handler vulnerability to execute commands on the victim’s computer.

Click here for a demo of the exploit.

This vulnerability was assigned CVE-2020-3430 with a CVSS score of 8.0 (High) / CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Sensitive Data Disclosure Vulnerabilities

Two additional vulnerabilities were also discovered. These do not allow remote code execution but can be exploited to collect NTLM password hashes from unsuspecting users. The first vulnerability exists because Cisco Jabber makes links to SMB file shares clickable.

If a user clicks such a link and the link points to a file share that requires authentication, the users NTLM password hash will be sent to the share. The user is not shown a warning when clicking the link and thus remains unaware that their password hash has been sent.

An attacker can exploit this by setting up a malicious file share that captures all incoming NTLM password hashes. The attacker can then send phishing messages over Cisco Jabber that trick users into clicking a link to their malicious share.

The second vulnerability is similar but does not require user interaction to be exploited and is invisible to the targeted user(s). Instead of sending a link and hoping that the victim will click it, an attacker can send an <img> tag with the src attribute pointing to their malicious file share. The Cisco Jabber client will automatically try to load the linked image file. If the image resides on an SMB file share that requires authentication, the users NTLM password hash will be sent.

An attacker can exploit this by sending a seemingly unharmful message that contains an invisible <img> tag.

Such a message can be sent directly to a targeted user or to many users at once in a group chat.

These vulnerabilities have been assigned CVE-2020-3537 and CVE-2020-3498. They have been given CVSS scores of 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) and 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) respectively.

Mitigation

The most important mitigation of these issues is to update to the latest version of Cisco Jabber.

Organizations that have deployed Cisco Jabber should make sure that all users are informed about and required to install the update before continuing normal operations.

The list below presents the Cisco Jabber Release with the corresponding "First Fixed Release":

• 12.1 - 12.1.3
• 12.5 - 12.5.2
• 12.6 - 12.6.3
• 12.7 . 12.7.2
• 12.8 - 12.8.3
• 12.9 - 12.9.1

Since some of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. This can be done by disabling XMPP federation or configuring a policy for XMPP federation. See article from Cisco for more information.

Blue teams that want to detect potential exploitation of these vulnerabilities should be aware of the following indicators:

• XMPP messages with unusual HTML content.
• Invocations of CiscoJabber.exe with unusual flags.
• Unusual sub-processes of CiscoJabber.exe.
• Malicious files being sent through Cisco Jabber’s file sharing feature.

Cisco has published security advisories for each of the vulnerabilities. See the following links for their recommendations: CVE-2020-3495, CVE-2020-3430, CVE-2020-3537 & CVE-2020-3498.

Conclusions

These vulnerabilities serve as a reminder that all IT-systems pose a risk. This risk should not only be considered when developing custom applications, but also when acquiring software from outside vendors. With the increased reliance on video conferencing to facilitate remote work, an increase in risk posed by these types of applications follow.

Organizations should therefore review their security measures and patching routines surrounding these applications. They should also make sure that the applications and their configurations are regularly audited for security issues.

For developers, one takeaway is that extra care should be taken when developing desktop applications. Many modern desktop applications are created using web technology. This can lead to a false sense of security where developers think their applications are protected in the same way they would be while running in a web browser.

This is not true in most cases, either because security measures are disabled or circumvented to enable “native” functionality or because the framework in use provides unsafe functions.

Timeline

• 17th June 2020: First three vulnerabilities discovered.
• 18th June 2020: Vulnerabilities reported to Cisco PSIRT. Case number assigned by Cisco.
• 22nd June 2020: Issue forwarded to the Cisco Jabber engineering team.
• 24th June 2020: Vulnerabilities confirmed by Cisco. Disclosure date agreed on.
• 10th July 2020: Fourth vulnerability discovered and reported to Cisco.
• 24th June – 2nd September 2020: Patches developed.
• 2nd September 2020: Patches released. Vulnerabilities publicly disclosed.