Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

CVE-Numbers

  • DOS Vulnerability — Fixed in Client version 4.4.2 — CVE-REQUESTED
  • Information Disclosure (Webcam) — Unpatched — CVE-REQUESTED

Foreword

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.

Yep, no joke.

Timeline

  • Mar 8, 2019 — Requested security contact via Twitter (no response).
  • Mar 26, 2019 — Contacted Zoom Inc via email with 90-day public disclosure deadline. Offered a “quick fix” solution.
  • Mar 27, 2019
    – Requested confirmation of reception.
    – Informed that Zoom Security Engineer was Out of Office.
    – Offered and declined a financial bounty for the report due to policy on not being able to publicly disclose even after the vulnerability was patched.
  • Apr 1, 2019 — Requested confirmation of vulnerability.
  • Apr 5, 2019 — Response from Zoom Security Engineer confirming and discussing severity. Settled on CVSSv3 score of 5.2/10.
  • Apr 10, 2019 — Vulnerability disclosed to Chromium security team.
  • Apr 18, 2019 — Updated Zoom with the suggestion from Chromium team.
  • Apr 19, 2019 — Vulnerability disclosed to Mozilla Firefox security team.
  • Apr 26, 2019 — Video call with Mozilla and Zoom Security Teams. Disclosed details of impending DNS expiration.
  • June 7, 2019 — Email from Zoom about a video call to discuss fix.
  • June 11, 2019 — Video call with Zoom Security team about impending disclosure. Discussed how Zoom’s planned patch was incomplete.
  • June 20, 2019 — Contacted about having another video call with Zoom Security Team. Declined by me due to calendar conflicts.
  • June 21, 2019 — Zoom reports vulnerability was fixed.
  • June 24, 2019 — 90-day public disclosure deadline ends. Vulnerability confirmed fixed with ‘quick fix’ solution.
  • July 7, 2019 — Regression in the fix causes the video camera vulnerability to work again.
  • July 8, 2019
    – Regression fixed.
    – Workaround discovered & disclosed.
    – Public Disclosure.

Details

On Mac, if you have ever installed Zoom, there is a web server on your local machine running on port 19421. You can confirm this server is present by running lsof -i :19421 in your terminal.

Here’s the code on the Zoom site that tipped me off to this localhost server.

Browser console logs when visiting https://zoom.us/j/492468757

The two numbers are the pixel dimensions of the image returned by the web server.

The Video Call Vulnerability

I created a personal meeting with a different account and cracked open Postman and started to remove parameters to see what the minimal GET request was that was required to launch a Zoom meeting.

  • confno=[whatever the conference number is]

The above-described behavior continues to work to this day! You can still use this exploit to launch someone into a call without their permission.

You can choose to enable a participant’s video camera when they join the call.

When responding to responsible disclosure, don’t go into PR spin mode. It’s counterproductive.

The Denial Of Service (DOS) Vulnerability

This same vulnerability also allowed the attacker to DoS any user’s machine. By simply sending repeated GET requests for a bad conference number, the Zoom app would constantly request ‘focus’ from the OS. The following simple POC demonstrated this vulnerability.

The Install Vulnerability

If you have ever installed Zoom on your computer, this web server is installed. It continues to run if you uninstall Zoom from your computer.

The re-install logic in the web server does the following:
  • Takes arguments from some API request and uses them to craft a download URL used to upgrade the version of Zoom installed?
  • Ensures the download URL is only under ‘trusted’ subdomains.

To reproduce:
  1. Open the Zoom client, then shut it down.
  2. Uninstall the Zoom client from your computer by dragging the Applications/zoom.us.app file to the trash.
  3. Open any Zoom join link and Zoom will ‘helpfully’ be re-installed for you in the Applications folder and will be launched by this web server.

You can clearly see the URL to be used to download the Zoom installer if Zoom needs to be re-installed.

Fundamental Security Vulnerability

In my opinion, websites should not be talking to desktop applications like this. There is a fundamental sandbox that browsers are supposed to enforce to prevent malicious code from being executed on users’ machines.

All localhost requests from JavaScript are forbidden by browsers.

Zoom’s Proposed Fixes

The fix proposed by the Zoom team was to digitally ‘sign’ the request made to the client. However, this simply means that an attacker would have to have a backend server that makes requests to the Zoom site first to gain a valid signature before forwarding the signature on to the client.

Conclusion

As of 2015 Zoom had over 40 million users. Given that Macs are 10% of the PC market and Zoom has had significant growth since 2015, we can assume that at least 4 million of Zoom’s users are on Mac. Tools like Zoom, Google Meet or Skype for Business are a staple of today’s modern office.

Consequences

This is essentially a Zero Day. Unfortunately, Zoom has not fixed this vulnerability in the allotted 90-day disclosure window I gave them, as is the industry standard. As such, the 4+ million users of Zoom on Mac are now vulnerable to an invasion of their privacy by using this service.

Patch Yourself

If you want to patch this vulnerability for yourself you can do the following.
Disable the ability for Zoom to turn on your webcam when joining a meeting.

Instead of using the UI for the application to disable this, you can also use the terminal.
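The terminal-side version of the above, as an added example (not the original post’s commands): a parser for `lsof -i :19421` output so you can confirm the local web server is listening, plus the two mitigations. The preference key `ZDisableVideo`, the `ZoomOpener` process name and the `~/.zoomus` directory are assumptions taken from the public disclosure, not from this page; the lsof sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Defender-side checks and
# mitigations for the localhost web server described in the article.

# Port the article says the Zoom helper web server listens on.
ZOOM_PORT=19421

# Return 0 when the supplied lsof output (from `lsof -i :19421 -P -n`) shows a
# TCP listener on the Zoom port, 1 otherwise. Takes text so it can be tested
# offline against a captured or constructed sample.
zoom_server_listening() {
  printf '%s\n' "$1" | grep -q "TCP .*:${ZOOM_PORT} (LISTEN)"
}

# Live check on a Mac: feed real lsof output to the parser.
check_live() {
  zoom_server_listening "$(lsof -i :"${ZOOM_PORT}" -P -n 2>/dev/null)"
}

# Mitigation 1 ("Patch Yourself" section): stop the client from turning the
# camera on when joining a meeting. Preference key is an assumption taken from
# the public disclosure, not from this page.
disable_auto_video() {
  defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
}

# Mitigation 2: stop the helper server and leave an unwritable placeholder so
# it cannot be re-created. Process name and directory are assumptions taken
# from the public disclosure, not from this page.
remove_zoom_server() {
  pkill "ZoomOpener"
  rm -rf ~/.zoomus
  touch ~/.zoomus && chmod 000 ~/.zoomus
}

# Constructed sample of `lsof -i :19421 -P -n` output, for offline testing.
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpener 4242 alice    6u  IPv4 0x1234      0t0  TCP 127.0.0.1:19421 (LISTEN)'

# Constructed sample with a listener on an unrelated port only.
SAMPLE_OTHER='node 5151 alice 20u IPv4 0x5678 0t0 TCP 127.0.0.1:8080 (LISTEN)'
```

Run `check_live` to test a real machine; `disable_auto_video` and `remove_zoom_server` change state and should only be run deliberately.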

Notes For Researchers

Given the massive install base for Zoom, I highly recommend that other researchers take the time to explore this Zoom web server to see what other vulnerabilities exist. This being said, I also recommend that any researcher that finds a vulnerability in Zoom’s software does not directly report the vulnerability to Zoom. Instead, I recommend that researchers report these vulnerabilities via the Zero Day Initiative (ZDI). The ZDI disclosure program gives vendors 120 days to resolve the vulnerability, the ZDI will pay researchers for their work, and researchers have the ability to publicly disclose their findings.
