Two Critical Flaws in Zoom Could've Let Attackers Hack Systems via Chat
If you're using Zoom—especially during this challenging time to cope with your schooling, business, or social engagement—make sure you are running the latest version of the widely popular video conferencing software on your Windows, macOS, or Linux computers.
No, it's not about the arrival of the most-awaited "real" end-to-end encryption feature, which apparently, according to the latest news, would now only be available to paid users. Instead, this latest warning is about two newly discovered critical vulnerabilities.
Cybersecurity researchers from Cisco Talos unveiled today that it discovered two critical vulnerabilities in the Zoom software that could have allowed attackers to hack into the systems of group chat participants or an individual recipient remotely.
Both flaws in question are path traversal vulnerabilities that can be exploited to write or plant arbitrary files on the systems running vulnerable versions of the video conferencing software to execute malicious code.
According to the researchers, successful exploitation of both flaws requires no or very little interaction from targeted chat participants and can be executed just by sending specially crafted messages through the chat feature to an individual or a group.
The first security vulnerability (CVE-2020-6109) resided in the way Zoom leverages GIPHY service, recently bought by Facebook, to let its users search and exchange animated GIFs while chatting.
Researchers find that the Zoom application did not check whether a shared GIF is loading from Giphy service or not, allowing an attacker to embed GIFs from a third-party attacker-controlled server, which zoom by design cache/store on the recipients' system in a specific folder associated with the application.
Besides that, since the application was also not sanitizing the filenames, it could have allowed attackers to achieve directory traversal, tricking the application into saving malicious files disguised as GIFs to any location on the victim's system, for example, the startup folder.
The second remote code execution vulnerability (CVE-2020-6110) resided in the way vulnerable versions of the Zoom application process code snippets shared through the chat.
"Zoom's chat functionality is built on top of XMPP standard with additional extensions to support the rich user experience. One of those extensions supports a feature of including source code snippets that have full syntax highlighting support. The feature to send code snippets requires the installation of an additional plugin but receiving them does not. This feature is implemented as an extension of file sharing support," the researchers said.
This feature creates a zip archive of the shared code snippet before sending and then automatically unzips it on the recipient's system.
According to the researchers, Zoom's zip file extraction feature does not validate the contents of the zip file before extracting it, allowing the attacker to plant arbitrary binaries on targeted computers.
"Additionally, a partial path traversal issue allows the specially crafted zip file to write files outside the intended randomly generated directory," the researchers said.
Cisco Talos researchers tested both flaws on version 4.6.10 of the Zoom client application and responsibly reported it to the company.
Released just last month, Zoom patched both critical vulnerabilities with the release of version 4.6.12 of its video conferencing software for Windows, macOS, or Linux computers.