Blocklist WebEx add-ons with public remote-code execution vulnerability

RESOLVED FIXED

Status

()

Toolkit
Blocklisting
RESOLVED FIXED
4 months ago
4 months ago

People

(Reporter: dveditz, Assigned: jorgev)

Tracking

({sec-critical})

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 months ago
Tavis Ormandy just tweeted about a bug in the Chrome version of the WebEx Extension that allows RCE from any page that includes a magic string in its URL.

https://twitter.com/taviso/status/823642226093760512

The tweet links to the Project Zero bug which is now public and contains the script your page could need to include to execute shell commands on the client's machine. Searching DXR it appears we have at least 5 add-ons that contain this magic string. Have not searched to see if there are other WebEx add-ons that use a different Firefox-specific url but that would seem unlikely (if they're the same then they don't need to UA sniff to serve the right page).
(Reporter)

Comment 1

4 months ago
For those with access:
https://dxr.mozilla.org/addons/search?q=cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b
(Reporter)

Comment 2

4 months ago
in our repo I find

https://dxr.mozilla.org/addons/source/addons/735601/
 id:  ciscowebexstart1@cisco.com
 ver: 1.0.1

https://dxr.mozilla.org/addons/source/addons/735588
 id:  ciscowebexstart1@cisco.com
 ver: 1.0.0

https://dxr.mozilla.org/addons/source/addons/735573
 id:  ciscowebexstart_test@cisco.com
 ver: 1.0.0

https://dxr.mozilla.org/addons/source/addons/730787
 id:  ciscowebexstart@cisco.com
 ver: 1.0.1

https://dxr.mozilla.org/addons/source/addons/728001
 id:  ciscowebexgpc@cisco.com
 ver: 1.0.0
The first one looks like it is the Cisco WebEx Extension on AMO, judging by the id number thing.
  https://addons.mozilla.org/en-US/firefox/addon/cisco-webex-extension/?src=search
(Assignee)

Comment 4

4 months ago
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i1522
Assignee: nobody → jorge
Status: NEW → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → FIXED

Comment 5

4 months ago
Thanks for the quick turnaround.
You need to log in before you can comment on or make changes to this bug.