Zoom installer allowed a researcher to hack root access on macOS

Written by admin

A security researcher has found a way an attacker can exploit the macOS version of Zoom to gain access to the entire operating system.

Details of the exploit were released by Mac security expert Patrick Wardle in a presentation given at the Def Con hacking conference in Las Vegas on Friday. Some of the related bugs have already been fixed by Zoom, but the researcher also presented an unpatched vulnerability that still affects systems at this time.

This exploit works by targeting the Zoom app’s installer, which must run with elevated permissions in order to install or remove the main Zoom app on a computer. Although the installer requires the user to enter their password when first adding the app to the system, Wardle found that an auto-update function was constantly running in the background with superuser privileges.

When Zoom releases an update, the updater installs the new package after checking that it is cryptographically signed by Zoom. However, an error in how that check was implemented meant that giving the updater any file carrying the same name as Zoom’s signing certificate was enough to pass the test, so an attacker could substitute any kind of malware and have the updater run it with elevated privileges.

The result is a privilege escalation attack. This assumes that an attacker has already obtained initial access to the target system and then uses an exploit to gain a higher level of access. In this case, the attacker starts with a restricted user account but rises to the most powerful user type, known as “superuser” or “root”, which is allowed to add, remove or modify any file on the machine.

Wardle is the founder of the Objective-See Foundation, a nonprofit that creates open-source security tools for macOS. Earlier the same week, at the Black Hat cybersecurity conference held alongside Def Con, Wardle had detailed the unauthorized use of algorithms taken from his open-source security software by companies.

Following responsible disclosure protocols, Wardle briefed Zoom about the vulnerability in December of last year. Frustratingly, he said, the first fix from Zoom contained another bug that meant the vulnerability could still be exploited in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.

“For me, that was a bit of a problem because I not only reported bugs to Zoom, but also reported bugs and how to fix the code,” Wardle said in a call before the talk. “So it was really frustrating to wait six, seven, eight months knowing that all Mac versions of Zoom are vulnerable on users’ computers.”

A few weeks before the Def Con event, Wardle said, Zoom released a patch that fixed the bugs he initially discovered. But upon closer analysis, another minor bug meant that the vulnerability was still exploitable.

In the new version of the update installer, a package to be installed is first moved to a directory owned by the “root” user. Generally, this means that no user without root permission can add, remove or modify files in that directory. But due to a subtlety of Unix systems (of which macOS is one), when an existing file is moved from another location into the root-owned directory, it retains the same read-write permissions it had before. So, in this case, it can still be changed by a normal user. And because it can be modified, a malicious user can still replace the contents of that file with a file of their choice and use it to become root.
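The Unix subtlety described above is easy to reproduce without root. The following Python script is an added example, not code from the article or from Zoom: it builds a constructed stand-in for a downloaded update package that everyone can write to, moves it into a directory that stands in for the root-owned staging directory (a temporary directory here, since the demo does not run as root), and shows that the file keeps its permissive mode bits. Beside it is the safer pattern a privileged installer should use: create a brand-new file with a restrictive mode and copy the bytes into it, then check that nothing else can write to the staged file before verifying and running it. The function names and the `.staged` suffix are this example’s own.

```python
import os
import shutil
import stat
import tempfile


def make_world_writable_package(dirpath: str) -> str:
    """Constructed stand-in for the downloaded update package: a file the
    ordinary (non-root) user owns and that everyone can write to."""
    path = os.path.join(dirpath, "update.pkg")
    with open(path, "wb") as f:
        f.write(b"constructed package bytes")
    os.chmod(path, 0o666)  # chmod sets the bits exactly; umask does not apply
    return path


def naive_stage(pkg: str, protected_dir: str) -> str:
    """The pattern the article describes: the privileged updater moves the
    package into a directory only root can write. A move (rename or copy
    that preserves metadata) keeps the file's own mode bits, so the file
    stays writable by its original owner and, here, by everyone."""
    dest = os.path.join(protected_dir, os.path.basename(pkg))
    shutil.move(pkg, dest)
    return dest


def hardened_stage(pkg: str, protected_dir: str) -> str:
    """Safer pattern: the privileged process creates a new file with a
    restrictive mode (O_EXCL so an already-present file is never reused)
    and copies the bytes into it. Ownership and mode then come from the
    privileged process, not from the downloaded file."""
    dest = os.path.join(protected_dir, os.path.basename(pkg) + ".staged")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out, open(pkg, "rb") as src:
        shutil.copyfileobj(src, out)
    os.unlink(pkg)  # the original, user-controlled copy is no longer used
    return dest


def is_writable_by_others(path: str) -> bool:
    """Check a privileged installer should run before verifying and
    executing a staged file: if group or world can write, another user
    could swap the contents after the signature check."""
    mode = os.lstat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo() -> dict:
    """Run both staging patterns and report the resulting mode bits."""
    root = tempfile.mkdtemp(prefix="staging-demo-")
    try:
        protected = os.path.join(root, "protected")
        os.mkdir(protected, 0o755)  # stands in for the root-owned directory
        moved = naive_stage(make_world_writable_package(root), protected)
        staged = hardened_stage(make_world_writable_package(root), protected)
        return {
            "moved_mode": stat.S_IMODE(os.lstat(moved).st_mode),
            "moved_unsafe": is_writable_by_others(moved),
            "staged_mode": stat.S_IMODE(os.lstat(staged).st_mode),
            "staged_unsafe": is_writable_by_others(staged),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) and not isinstance(value, bool) else value}")
```

The moved file reports mode `0o666` and is flagged as writable by others, while the freshly created staged copy reports `0o600` and passes the check. In a real installer the same check should also confirm the file’s owner is the privileged user and should be performed on the same open descriptor that is later verified and executed, so there is no window between the check and the use.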

While this bug is currently live in Zoom, Wardle says it’s very easy to fix, and by speaking publicly about it he hopes to “grease the wheels” so the company fixes it soon.

Zoom did not respond to a request for comment at the time of publication.
