A security researcher found a way an attacker could take advantage of the macOS version of Zoom to gain access to the entire operating system.
Details of the exploit were revealed in a presentation by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday. Zoom has already fixed some of the bugs involved, but the researcher also disclosed an unpatched vulnerability that still affects systems today.
The exploit works by targeting the Zoom app installer, which must be run with special user permissions to install or remove the main Zoom app from a computer. Although the installer requires the user to enter their password when adding the app to the system for the first time, Wardle found that an automatic update feature was continually running in the background with root privileges.
When Zoom issued an update, the update function would install the new package after verifying that Zoom had cryptographically signed it. But a bug in the way the verification method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test, so an attacker could substitute any kind of program, including malware, and have the updater run it with elevated privileges.
The result is a privilege escalation attack, which assumes that an attacker has already gained initial access to the target system and then employs an exploit to gain a higher level of access. In this case, the attacker starts with a restricted user account but escalates to a more powerful user type, known as a “super user” or “root”, allowing them to add, delete, or modify any file on the machine.
Wardle is the founder of the Objective-See Foundation, a nonprofit organization that creates open source security tools for macOS. Earlier at the Black Hat cybersecurity conference, held the same week as Def Con, Wardle detailed the unauthorized use by for-profit companies of algorithms extracted from his open source security software.
Following responsible disclosure protocols, Wardle informed Zoom of the vulnerability in December of last year. To his frustration, he says that an early Zoom fix contained another bug that meant the vulnerability could still be exploited in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.
“For me, that was a bit of a problem because I didn’t just report bugs to Zoom, I also reported bugs and how to fix the code,” Wardle told The Verge in a call before the talk. “So it was really frustrating to wait, what, six, seven, eight months, knowing that all the Mac versions of Zoom were on the vulnerable users’ computers.”
A few weeks before the Def Con event, Wardle says that Zoom issued a patch that fixed the bugs he had initially discovered. But on further analysis, another small bug meant that the vulnerability was still exploitable.
In the new version of the update installer, the package to be installed is first moved to a directory owned by the “root” user. In general, this means that no user without root permission can add, delete or modify files in this directory. But due to a subtlety of Unix systems (of which macOS is one), when an existing file is moved from another location into that root-owned directory, it retains the same read and write permissions it previously had. So in this case it can still be modified by a normal user. And because it can be modified, a malicious user can still swap the contents of that file with a file of their choosing and use it to become root.
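The two updater pitfalls the article describes, the name-based verification and the permission-preserving move, can be reproduced on any Unix shell without root. The script below is an added illustration, not Zoom’s code: the signer string, file names and staging directory are constructed for the demo, and a content checksum stands in for the real code-signature check (on macOS that would be pkgutil or codesign). It shows that a file whose name merely contains the expected signer string passes a name-only check, that mv keeps a world-writable file writable after it lands in the staging directory, and that copying with an explicit mode and verifying after staging closes both gaps.

```sh
#!/bin/sh
# Added illustration, not Zoom's code: two updater pitfalls from the article.
#   1. Accepting a package because its *name* contains the expected signer string.
#   2. Staging a package with mv, which keeps the file's old owner and mode bits,
#      so a world-writable file stays writable inside a root-owned directory.
# The signer string, paths and payloads below are constructed for the demo.
set -eu

EXPECTED_SIGNER="ZoomVideoCommunications"      # constructed stand-in for the signer name
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
staging="$demo_dir/staging"
mkdir -m 0755 "$staging"                        # in real life: owned by root, mode 0755

# A "genuine" package and a rogue file whose name merely mentions the signer.
genuine="$demo_dir/${EXPECTED_SIGNER}-update.pkg"
rogue="$demo_dir/evil-${EXPECTED_SIGNER}.pkg"
printf 'genuine update payload\n' > "$genuine"
printf 'attacker payload\n'       > "$rogue"
chmod 0666 "$genuine" "$rogue"                  # user-writable, as a download often is

# Stand-in for a real signature check: trust is pinned to the *content*.
# On macOS the real check is pkgutil --check-signature / codesign, not a cksum.
PINNED_SUM=$(cksum < "$genuine" | cut -d' ' -f1)

# Pitfall 1: a check that only looks at the file name. Prints pass/fail.
weak_verify() {
  case "$1" in
    *"$EXPECTED_SIGNER"*) echo pass ;;
    *)                    echo fail ;;
  esac
}

# Content-based check: the rogue file fails no matter what it is called.
content_verify() {
  if [ "$(cksum < "$1" | cut -d' ' -f1)" = "$PINNED_SUM" ]; then echo pass; else echo fail; fi
}

# Mode bits of a path as ls prints them, e.g. rw-rw-rw- (portable across macOS/Linux).
mode_of() { ls -ld "$1" | cut -c2-10; }

# Pitfall 2: mv preserves the source mode, so the staged copy stays world-writable.
stage_with_mv() {       # $1 = source, $2 = staging dir; prints mode of staged file
  mv "$1" "$2/update-mv.pkg"
  mode_of "$2/update-mv.pkg"
}

# Hardened: copy into staging with an explicit mode (root would also chown it),
# then verify *after* staging so a later swap cannot slip through.
stage_hardened() {      # prints "<mode> <verify-result>"
  install -m 0644 "$1" "$2/update-safe.pkg"
  # chown root:wheel "$2/update-safe.pkg"   # requires root; omitted in this demo
  echo "$(mode_of "$2/update-safe.pkg") $(content_verify "$2/update-safe.pkg")"
}

WEAK_ROGUE=$(weak_verify "$rogue")                 # pass  (the name check is fooled)
CONTENT_ROGUE=$(content_verify "$rogue")           # fail
MV_MODE=$(stage_with_mv "$rogue" "$staging")       # rw-rw-rw-  still writable after the move
HARDENED=$(stage_hardened "$genuine" "$staging")   # rw-r--r-- pass

echo "name-only check on rogue file: $WEAK_ROGUE"
echo "content check on rogue file:   $CONTENT_ROGUE"
echo "mode after mv into staging:    $MV_MODE"
echo "hardened staging:              $HARDENED"
```

The ordering in stage_hardened is the point a defender should take away: the copy gets a fresh mode (and, when run as root, a fresh owner), and the check runs on the staged copy rather than on the user-controlled original, so there is no window in which a verified-then-swapped file gets installed.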
While this bug is currently unpatched in Zoom, Wardle says it’s very easy to fix and he hopes that talking about it publicly will “grease the wheels” for the company to deal with it sooner rather than later.
Zoom had not responded to a request for comment at the time of publication.