
Information security experts found two more vulnerabilities in Zoom

Cisco Talos researchers have found two more critical vulnerabilities in the Zoom application. Through them, a remote attacker could compromise the system of any participant in a group call.

Both are path traversal bugs that could be used to write arbitrary files to a vulnerable system and then execute malicious code.

“What is worse, the exploitation of these problems required very limited interaction with chat users; for example, it was enough to send a specially crafted message to a specific person or group,” the researchers say.

The first vulnerability (CVE-2020-6109) stems from Zoom's use of the Giphy service, recently acquired by Facebook, which lets users search for and share animated GIFs in the chat. As it turned out, Zoom did not check whether a GIF was actually downloaded from Giphy's servers, so an attacker could embed GIF files hosted on a third-party server in messages; Zoom caches such images by default and saves them to a folder associated with the application on the user's system.

Because the application also failed to sanitize the file names properly, an attacker could escape that directory and trick Zoom into saving malicious files disguised as GIFs anywhere on the victim's system, for example in the startup folder.

The second vulnerability (CVE-2020-6110) also leads to remote code execution. The problem lies in how Zoom handles code snippets sent through the chat.

“Zoom chat functionality is based on the classic XMPP with additional extensions to support an enhanced user experience. One of these extensions supports the function of inserting code snippets into the chat, which get full support for syntax highlighting. If you need to install an additional plugin to send code fragments, it can be easily obtained. This function is implemented as an extension of file sharing,” the researchers say.

Essentially, this function packs the code snippet into a ZIP archive before sending it, and the archive is then automatically unpacked on the recipient's system. Zoom did not validate the contents of the archive before unpacking it, which in theory allows an attacker to place an arbitrary binary on the target computer.

Moreover, as noted above, both vulnerabilities are path traversal bugs. The second bug therefore allowed an attacker not only to deliver a malicious archive to the target machine, but also to write files outside the randomly generated directory into which the archive is unpacked.
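Both bugs come down to the same missing check: a file name supplied by a remote party (the cached GIF's name in the first case, a ZIP entry name in the second) is joined to a local directory without confirming that the result still lies inside that directory. The following is an added, illustrative example written for this article; it is not Zoom's code or Cisco Talos's proof of concept. It shows a single containment check applied to both situations, using hypothetical function names (`safe_join`, `cache_gif`, `extract_snippet_archive`) and constructed sample input, and it validates every archive entry before writing anything so a bad entry cannot leave a half-extracted archive behind.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List

# Illustrative defensive code written for this article; not Zoom's implementation.


def safe_join(base_dir: str, untrusted_name: str) -> Path:
    """Join an untrusted file name onto base_dir, raising ValueError if the
    resolved path would fall outside base_dir (or name the directory itself)."""
    base = Path(base_dir).resolve()
    # Treat backslashes as separators so 'a\\..\\b' is checked the same way everywhere.
    name = untrusted_name.replace("\\", "/")
    if not name or PurePosixPath(name).is_absolute():
        raise ValueError(f"empty or absolute name rejected: {untrusted_name!r}")
    candidate = (base / name).resolve()  # collapses '..' segments and symlinks
    if candidate == base:
        raise ValueError(f"name refers to the directory itself: {untrusted_name!r}")
    try:
        candidate.relative_to(base)  # raises ValueError when candidate is not under base
    except ValueError:
        raise ValueError(f"path escapes {base}: {untrusted_name!r}") from None
    return candidate


def cache_gif(cache_dir: str, proposed_name: str, data: bytes) -> Path:
    """Store a chat image under cache_dir using the sender-supplied name, but only
    after confirming the name cannot escape the cache directory."""
    dest = safe_join(cache_dir, proposed_name)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def extract_snippet_archive(archive_bytes: bytes, dest_dir: str) -> List[Path]:
    """Unpack a received snippet archive into dest_dir. Every entry is checked
    first; if any entry would escape dest_dir, nothing is written at all."""
    written: List[Path] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = [info for info in zf.infolist() if not info.is_dir()]
        targets = [(info, safe_join(dest_dir, info.filename)) for info in members]
        for info, target in targets:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def build_archive(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP with the given entry names (constructed test data).
    zipfile keeps names like '../x' verbatim, which is exactly what we want to test."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def raises_value_error(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def run_demo() -> Dict[str, bool]:
    """Exercise both checks against constructed benign and traversal inputs."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cache")
        os.makedirs(cache)
        out: Dict[str, bool] = {}

        # A normal name lands inside the cache directory.
        stored = cache_gif(cache, "funny.gif", b"GIF89a")
        out["gif_inside_cache"] = stored.parent == Path(cache).resolve()
        # A traversal name is refused before anything is written.
        out["gif_traversal_blocked"] = raises_value_error(
            lambda: cache_gif(cache, "../outside.gif", b"GIF89a"))
        out["gif_absolute_blocked"] = raises_value_error(
            lambda: cache_gif(cache, "/outside.gif", b"GIF89a"))

        # A clean archive extracts normally.
        good_dir = os.path.join(root, "snippets_good")
        os.makedirs(good_dir)
        good = build_archive({"snippet.py": b"print('hi')\n"})
        names = [p.name for p in extract_snippet_archive(good, good_dir)]
        out["clean_archive_extracted"] = names == ["snippet.py"]

        # An archive with one escaping entry is rejected as a whole.
        bad_dir = os.path.join(root, "snippets_bad")
        os.makedirs(bad_dir)
        bad = build_archive({"snippet.py": b"", "../escaped.bin": b"MZ"})
        out["zip_slip_blocked"] = raises_value_error(
            lambda: extract_snippet_archive(bad, bad_dir))
        out["no_partial_extraction"] = os.listdir(bad_dir) == []
        out["no_stray_files"] = not os.path.exists(os.path.join(root, "escaped.bin"))
        return out


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The important design choice is resolving the candidate path and then asking whether it is still relative to the resolved base; string prefix checks on the unresolved path miss `..` segments, symlinks and mixed separators. Python's own `ZipFile.extract` strips such components silently, but doing the check explicitly and failing closed makes a traversal attempt visible in logs rather than quietly rewritten.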

Cisco Talos reports that Zoom's developers fixed both critical vulnerabilities in version 4.6.12.

Recall that, because of glaring security problems, companies such as SpaceX, NASA and Google have banned their employees from using Zoom, and the governments of Australia, Taiwan and India soon followed with bans of their own.


James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.

