For the third time, Cisco has released a patch for a high-severity flaw in its Webex platform after a bypass was found for the previous fix. The privilege escalation flaw (CVE-2019-1674) could let an attacker gain SYSTEM privileges and run arbitrary commands. It exists in the Webex Meetings Desktop app for Windows. Cisco attempted to patch it in October and again in November, but neither fix was successful. The vulnerability stems from the update service failing to validate the version numbers of new files: an attacker can invoke the update service command with a crafted argument and folder and thereby obtain elevated privileges. To exploit the vulnerability, an attacker needs to be both local and authenticated.
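To make the missing check concrete, here is an added illustrative model (not Cisco's code) of an updater that takes a caller-supplied folder and version: the weak variant accepts anything, the hardened one requires the folder to sit under an assumed trusted root and the version to parse and be strictly newer than the installed one. The trusted root path and the installed version are constructed sample values.

```python
"""Illustrative model of the validation the page describes as missing.
Hypothetical code, not Cisco's implementation."""
from pathlib import PureWindowsPath

INSTALLED_VERSION = "33.6.4"                                  # constructed sample
TRUSTED_UPDATE_ROOT = PureWindowsPath(r"C:\ProgramData\Vendor\Updates")  # assumed


def parse_version(text: str) -> tuple:
    """Parse 'a.b.c' into a tuple of ints so 33.10.0 > 33.6.4 compares
    numerically; reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)


def weak_accept(folder: str, version: str) -> bool:
    """Weak check: any non-empty folder and any version string pass.
    This models the failure mode described on the page: the update
    service never validates where the files come from or what version
    they claim to be."""
    return bool(folder) and bool(version)


def hardened_accept(folder: str, version: str,
                    installed: str = INSTALLED_VERSION) -> bool:
    """Hardened check: the update folder must be an absolute path with no
    '..' segments that lies under the trusted root, and the version must
    parse and be strictly newer than the installed one."""
    candidate = PureWindowsPath(folder)
    if not candidate.is_absolute() or ".." in candidate.parts:
        return False                      # relative path or traversal attempt
    if TRUSTED_UPDATE_ROOT not in candidate.parents:
        return False                      # folder outside the trusted root
    try:
        return parse_version(version) > parse_version(installed)
    except ValueError:
        return False                      # malformed version string


if __name__ == "__main__":
    pkg = r"C:\ProgramData\Vendor\Updates\pkg"
    print("weak accepts stray folder:", weak_accept(r"C:\Users\Public\x", "0.0.1"))
    print("hardened, same version:   ", hardened_accept(pkg, "33.6.4"))
    print("hardened, newer version:  ", hardened_accept(pkg, "33.10.0"))
```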