A security sandbox built into the Chromium Embedded Framework, or CEF, would normally store the payload in a container that’s isolated from sensitive parts of the app. To work around this constraint, the researchers abused the window.CallCppFunction, which is designed to open files sent by other Cisco Jabber users. By manipulating a function parameter that accepts files, the researchers were able to break out of the sandbox. “Since Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious .exe file and force the victim to accept it using an XSS attack,” researchers from security firm Watchcom Security wrote in a post. “The attacker can then trigger a call to window.CallCppFunction, causing the malicious file to be executed on the victim’s machine.” Accordingly, CVE-2020-3495, the designation assigned to the Cisco Jabber vulnerability, has a severity rating of 9.9 out of a maximum 10 based on the Common Vulnerability Scoring System. Cisco’s advisory has more details here.
Until Wednesday, a single text message sent through Cisco’s Jabber collaboration application was all it took to touch off a self-replicating attack that would spread malware from one Windows user to another, researchers who developed the exploit said. Ars Technica reports: The wormable attack was the result of several flaws, which Cisco patched on Wednesday, in the Chromium Embedded Framework that forms the foundation of the Jabber client. A filter that’s designed to block potentially malicious content in incoming messages failed to scrutinize code that invoked a programming interface known as “onanimationstart.” But even then, the filter still blocked content that contained , an HTML tag that had to be included in a malicious payload. To bypass that protection, the researchers used code that was tailored to a built-in animation component called spinner-grow. With that, the researchers were able to achieve a cross-site scripting exploit that injected a malicious payload directly into the internals of the browser built into Jabber.