Cisco Talos recently disclosed two critical vulnerabilities in the widely used video conferencing software Zoom. Both can be exploited by a remote attacker to execute arbitrary code on a victim's machine by sending a specially crafted chat message; no prior access to the host is needed. With the COVID-19 pandemic, many companies have come to rely heavily on video conferencing software such as Zoom.
Zoom addressed both vulnerabilities in its May update.
Vulnerabilities:
According to Talos, both vulnerabilities stem from the way the Zoom client processes chat messages. A specially crafted message, sent either to a group chat or in a direct chat, can lead to arbitrary code execution on the recipient's machine.
CVE-2020-6109
Zoom client 4.6.10 is affected by this vulnerability, which lies in the handling of GIF messages. Zoom's chat is built on the XMPP standard, extended with Giphy support: a message carrying a Giphy tag makes the client display an animated GIF. The client fetches the GIF over an HTTP URL taken from the message, and because the URL is not validated, it can point to any server the attacker chooses.
This CVE covers two flaws in the client's handling of that message:
The first is a lack of validation of the fetched content. No authentication is performed on the GIF request, and the request leaks the client's unique ID (in encoded form) to whichever server the URL points at. In addition, although the Giphy tag is meant to display only GIFs, the client also processes and displays other image formats such as PNG or JPEG delivered through it.
The second is a lack of filename sanitization. The tag's ID attribute carries the file path under which the GIF is cached in the application's Data directory, so that the client can reuse the file the next time the chat is opened. Because the ID attribute is not sanitized, an attacker can craft it with directory components that resolve outside Zoom's install directory to any location the user can write to. This is a directory traversal that lets the attacker drop a file of their choosing on the victim's machine.
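The following Python is an added example of the checks a chat client should apply before storing or rendering a Giphy message; it is not Zoom's code and not Talos's proof of concept. The data directory and the Giphy host allowlist are hypothetical values chosen for the example. It gates all three weak points described above: the URL must point at an expected host, the fetched bytes must actually be a GIF, and the ID attribute must be a bare file name that cannot leave the cache directory.

```python
import os
from typing import Optional
from urllib.parse import urlparse

# Hypothetical values for this example: the directory the client caches GIFs
# in, and the hosts a client should accept for Giphy content. Neither is taken
# from Zoom; a real client would use its own configured values.
DATA_DIR = "/tmp/zoom-data"
GIPHY_HOSTS = ("giphy.com", "media.giphy.com")
GIF_MAGIC = (b"GIF87a", b"GIF89a")


def is_allowed_giphy_url(url: str) -> bool:
    """Accept only HTTPS URLs whose host is a Giphy host (or a subdomain of one)."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return host in GIPHY_HOSTS or any(host.endswith("." + h) for h in GIPHY_HOSTS)


def looks_like_gif(body: bytes) -> bool:
    """Check the GIF magic bytes rather than trusting the tag or the URL."""
    return body.startswith(GIF_MAGIC)


def safe_gif_path(data_dir: str, file_id: str) -> Optional[str]:
    """Map the message's ID attribute to a cache path, or return None if it
    contains separators, parent references or otherwise escapes data_dir."""
    if not file_id or "\x00" in file_id or file_id in (".", ".."):
        return None
    # Reject both separator styles explicitly so the check behaves the same
    # on Windows and POSIX; the ID must be a bare file name.
    if "/" in file_id or "\\" in file_id:
        return None
    if not file_id.lower().endswith(".gif"):
        return None
    base = os.path.realpath(data_dir)
    target = os.path.realpath(os.path.join(base, file_id))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def accept_giphy_message(url: str, file_id: str, body: bytes,
                         data_dir: str = DATA_DIR) -> Optional[str]:
    """Gate a Giphy chat message: the URL, the fetched bytes and the cache
    name must all pass before the client stores or renders anything.
    Returns the path the GIF may be cached at, or None to drop the message."""
    if not is_allowed_giphy_url(url):
        return None
    if not looks_like_gif(body):
        return None
    return safe_gif_path(data_dir, file_id)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate message and three hostile ones.
    gif_body = b"GIF89a" + b"\x00" * 16
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    good_url = "https://media.giphy.com/media/abc/giphy.gif"
    print(accept_giphy_message(good_url, "abc.gif", gif_body))
    print(accept_giphy_message("https://attacker.example/giphy.gif", "abc.gif", gif_body))
    print(accept_giphy_message(good_url, "abc.gif", png_body))
    print(accept_giphy_message(good_url, "../../../../Users/victim/Startup/evil.exe", gif_body))
```

Only the first call returns a path; the other three are dropped for a wrong host, a non-GIF body and a traversing file name respectively. Note that the host check looks at the parsed hostname rather than doing a substring match on the URL, so a name such as giphy.com.attacker.example is refused.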
CVE-2020-6110
Zoom client versions prior to 4.6.12 are affected by this vulnerability. Alongside GIF support, the chat also supports sharing code snippets with syntax highlighting. Sending a code snippet requires a special plugin on the sender's side, but the receiving client needs no plugin at all. Code snippets, together with their supporting files, are transferred as a zip archive.
When the client receives such a zip file, it automatically extracts the archive and displays the snippet. The flaw is that Zoom performs no validation on the archive, so an attacker can supply a crafted zip. Because the extraction routine also has a partial path traversal vulnerability, the contents are not only extracted unverified but can be written to a directory of the attacker's choosing.
Exploitation requires some targeted user interaction. The attacker first shares the crafted zip under a different file name, for example one with a JPEG extension; Zoom requires the user to save this file. Once the user has saved it, the attacker sends a code snippet message whose obj tag carries the same file ID and details as the earlier file. Zoom keeps track of files that have already been downloaded, and if the new file has the same name as the previous one, it opens the already downloaded file instead of fetching a new one, so the crafted zip is extracted as if it were a legitimate snippet.
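As an added example, not Zoom's extraction code or the Talos proof of concept, the Python below shows how a client should extract a snippet archive so that a crafted entry cannot escape the destination directory. The sample archive is constructed inline: it holds one benign snippet and two entries (a parent-directory traversal and an absolute path) of the kind an unvalidated extractor would write outside the snippet folder. Each entry name is checked before anything is written, and the resolved target is compared against the destination, which also catches names that pass the string checks but resolve elsewhere.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Tuple


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from any real attack): one benign
    snippet plus two entries an unvalidated extractor would write elsewhere."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("snippet.py", "print('hello from a code snippet')\n")
        zf.writestr("../../../../Users/victim/Startup/evil.bat", "calc.exe\n")
        zf.writestr("/tmp/absolute.txt", "absolute path\n")
    return buf.getvalue()


def entry_is_safe(dest_dir: str, name: str) -> bool:
    """Reject names that are absolute, carry a drive letter, contain parent
    references, or resolve outside dest_dir once joined to it."""
    if not name or "\x00" in name:
        return False
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False
    if any(part == ".." for part in norm.split("/")):
        return False
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, norm))
    return os.path.commonpath([base, target]) == base


def safe_extract(zip_bytes: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Extract only entries that stay inside dest_dir.
    Returns (extracted names, rejected names)."""
    extracted: List[str] = []
    rejected: List[str] = []
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not entry_is_safe(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_dir, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo() -> Dict[str, object]:
    """Extract the sample archive into a fresh temporary directory and report
    what was written and what was refused."""
    dest = tempfile.mkdtemp(prefix="snippet-")
    extracted, rejected = safe_extract(build_sample_zip(), dest)
    traversal_target = os.path.join(
        dest, "..", "..", "..", "..", "Users", "victim", "Startup", "evil.bat")
    return {
        "extracted": extracted,
        "rejected": rejected,
        "snippet_written": os.path.isfile(os.path.join(dest, "snippet.py")),
        "traversal_written": os.path.isfile(traversal_target),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it extracts only snippet.py and lists the two hostile entries as rejected. The realpath comparison is the check that matters most: string filters alone miss cases such as a destination that is itself a symlink, or mixed separator styles, whereas comparing the resolved target to the resolved base refuses anything that would land outside it.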
Affected Versions
Zoom Client Application prior to 4.6.12
Impact
Attackers can exploit these critical vulnerabilities, via the directory traversal flaws described above, to write files to arbitrary locations and execute arbitrary code on the victim's machine.
Solutions
Both the vulnerabilities were addressed in Zoom 4.6.12.
SanerNow detects these vulnerabilities and automatically fixes them by applying the security updates. Download SanerNow and keep your systems updated and secure.