The Zoom installer allowed a researcher to hack into root access to macOS

A security researcher found a way an attacker could use the macOS version of Zoom to gain root-level control of the entire operating system.

Details of the exploit were revealed in a presentation given by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday. Some of the bugs involved have already been fixed by Zoom, but Wardle also presented one unpatched vulnerability that still affects current systems.

The exploit targets the Zoom application installer, which must run with elevated privileges in order to install or remove the main Zoom application on a computer. Although the installer prompts the user for their password when the application is first added to the system, Wardle found that an auto-update component then ran continuously in the background with superuser privileges.

When Zoom released an update, the updater installed the new package after verifying that it was cryptographically signed by Zoom. But a flaw in how that verification was implemented meant that any file whose name matched Zoom’s signing certificate would pass the check, so an attacker could hand the privileged updater malware of any kind and have it run with root privileges.
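The bug class described above, as an added example that is not Zoom’s code: an updater whose “is this signed by the vendor?” decision can be satisfied by the package’s file name. The emulated signature-tool report, its field names and the trusted signer string are assumptions chosen for illustration; the flawed version does a substring search over a report that also echoes the attacker-chosen file name, while the hardened version compares only the parsed signer identity.

```python
"""Toy updater signature check in two versions: the flawed shape the article
describes (the check can be satisfied by the package's file name) and a
hardened one that decides only on the signer identity.

Constructed example, not Zoom's code. The emulated tool output, the field
names and the trusted signer string are assumptions chosen for illustration.
"""
import os
import re

# Assumed identity the updater must see before installing anything as root.
TRUSTED_SIGNER = "Zoom Video Communications, Inc."


def emulate_check_signature(path, actual_signer):
    """Constructed stand-in for a package-signature tool's text report.

    Like many CLI tools it echoes the file name it was given (attacker-chosen)
    before reporting who, if anyone, actually signed the package.
    """
    report = ['Package "{}":'.format(os.path.basename(path))]
    if actual_signer is None:
        report.append("   Status: no signature")
    else:
        report.append("   Status: signed by a developer certificate")
        report.append("   Developer ID Installer: {}".format(actual_signer))
    return "\n".join(report)


def vulnerable_is_trusted(path, actual_signer):
    """Flawed check: a substring search over the whole report.

    The report also contains the file name, so an *unsigned* package named
    after the trusted signer passes.
    """
    return TRUSTED_SIGNER in emulate_check_signature(path, actual_signer)


_SIGNER_LINE = re.compile(r"^\s*Developer ID Installer: (.+?)\s*$", re.MULTILINE)


def hardened_is_trusted(path, actual_signer):
    """Decide only on the parsed signer field, compared for exact equality.

    File names may legally contain newlines, so a name could smuggle a fake
    'Developer ID Installer:' line into the report; refuse such names before
    parsing rather than trusting the text layout.
    """
    if any(ord(c) < 0x20 for c in os.path.basename(path)):
        return False
    match = _SIGNER_LINE.search(emulate_check_signature(path, actual_signer))
    return match is not None and match.group(1) == TRUSTED_SIGNER


if __name__ == "__main__":
    bypass = "/tmp/Zoom Video Communications, Inc..pkg"   # unsigned, crafted name
    print("vulnerable accepts crafted name:", vulnerable_is_trusted(bypass, None))
    print("hardened accepts crafted name:  ", hardened_is_trusted(bypass, None))
```

Scraping a tool’s text output is itself the weak link; where the platform offers an API that returns the signer identity as structured data, use that and keep the file name out of the decision entirely.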

The result is a privilege escalation attack: it assumes an attacker has already gained initial access to the target system and then uses an exploit to reach a higher level of access. In this case, the attacker starts with a limited user account but escalates to the most powerful user type, known as “superuser” or “root”, which lets them add, remove, or modify any file on the computer.

Wardle is the founder of the Objective-See Foundation, a nonprofit organization that develops open-source security tools for macOS. Earlier, at the Black Hat cybersecurity conference held the same week as Def Con, Wardle detailed how for-profit companies had lifted algorithms from his open-source security software without authorization.

In accordance with responsible disclosure protocols, Wardle notified Zoom of the vulnerability in December last year. To his frustration, he says a first fix from Zoom contained a different bug that meant the vulnerability could still be exploited in a slightly more awkward way, so he reported this second bug to Zoom and waited eight months before publishing his research.

“It was kind of problematic for me because not only was I reporting the bugs to Zoom, I was also reporting bugs and how to fix the code,” Wardle told The Verge in a call ahead of the talk. “So it was really frustrating to wait, what, six, seven, eight months knowing that all Mac versions of Zoom were vulnerable on users’ computers.”

According to Wardle, a few weeks before the Def Con event, Zoom released a patch that fixed the bugs he originally discovered. But on closer analysis, another small bug meant the flaw was still exploitable.

In the new version of the update installer, a package to be installed is first moved to a directory owned by the “root” user. In general, that means no non-root user can add, remove, or modify files in it. But because of a subtlety of Unix-like systems (macOS among them), a file that is moved from elsewhere into the root-owned directory keeps the ownership and read/write permissions it had before, so in this case it can still be modified by a normal user. And because it can be modified, a malicious user can still swap out the file’s contents for a payload of their choice and use it to gain root.
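The staging subtlety described above, as an added example that is not Zoom’s code: a rename re-links the same inode, so the file keeps its owner and permission bits no matter which directory it lands in, and whoever could write it before can still write it after the updater’s check. Demonstrating the ownership half needs root, so the example shows the same effect on the mode bits, which rename also leaves untouched, and contrasts it with creating a fresh, process-owned file in the staging directory. Directory and file names, the 0o666 “user-writable” stand-in and the payload are constructed.

```python
"""Why moving a user-writable file into a root-owned directory does not
protect it, and what to do instead.

Constructed example, not Zoom's code. rename(2) re-links the same inode, so
the file keeps its owner and permission bits; only creating a *new* file in
the staging directory gives the privileged process a file it controls.
"""
import os
import shutil
import stat
import tempfile


def stage_by_move(src, staging_dir):
    """Flawed staging: rename into the privileged directory.

    Same inode, same owner, same mode: whoever could write src can still
    write the staged file, and can swap its contents after verification.
    """
    dst = os.path.join(staging_dir, os.path.basename(src))
    os.rename(src, dst)
    return dst


def stage_by_copy(src, staging_dir):
    """Hardened staging: create a fresh file owned by this process.

    O_EXCL refuses a pre-planted file or symlink at dst; the explicit
    fchmod overrides the umask. Any signature check must then run on dst,
    never on the caller-controlled src.
    """
    dst = os.path.join(staging_dir, os.path.basename(src))
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
        os.fchmod(out.fileno(), 0o644)
    return dst


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def writable_by_others(path):
    return bool(mode_of(path) & stat.S_IWOTH)


def demo():
    """Run both strategies on a constructed update file; return what each
    left in the staging directory (mode, world-writability, contents)."""
    root = tempfile.mkdtemp()
    results = {}
    for name, stage in (("move", stage_by_move), ("copy", stage_by_copy)):
        staging = os.path.join(root, "staging_" + name)
        os.mkdir(staging)
        os.chmod(staging, 0o755)      # what a root-owned staging dir would carry
        src = os.path.join(root, name + "_update.pkg")
        with open(src, "wb") as f:
            f.write(b"constructed package payload")
        os.chmod(src, 0o666)          # stand-in for "owned and writable by the user"
        dst = stage(src, staging)
        with open(dst, "rb") as f:
            payload = f.read()
        results[name] = {
            "mode": mode_of(dst),
            "others_can_write": writable_by_others(dst),
            "payload": payload,
        }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print("{:4s} staged mode {:o}, writable by others: {}".format(
            name, info["mode"], info["others_can_write"]))
```

The same reasoning applies to `mv` in a shell script: on one filesystem it is a rename and changes nothing about the file itself. Copying, setting ownership and mode explicitly, and then verifying the staged copy (not the original) closes the window in which the user can replace the contents.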

While this bug is still present in Zoom, Wardle says it is very easy to fix, and he hopes that speaking about it publicly “greases the wheels” so the company takes care of it sooner rather than later.

In a statement to The Verge, Matt Nagel, PR director for security and privacy at Zoom, said: “We are aware of the newly reported vulnerability in the Zoom automatic updater for macOS and are working diligently to fix it.”

Update Aug 12 11:09pm ET: Article updated with reply from Zoom.
