A security researcher has discovered a way for an attacker to leverage the macOS version of Zoom to gain control of the entire operating system.
The exploit’s details were revealed in a presentation by Mac security expert Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday.
Zoom has already fixed some of the bugs involved, but the researcher presented one unpatched vulnerability that still affects systems today.
The exploit works by targeting the Zoom application’s installer, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password when the application is first added to the system, Wardle discovered that an auto-update function continually ran in the background with superuser privileges.
When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test. So an attacker could substitute any kind of malware program and have it run by the updater with elevated privilege.
The result is a privilege escalation attack, which assumes an attacker has already gained initial access to the target system and then uses an exploit to gain a higher level of access. In this case, the attacker begins with a restricted user account but escalates to the most powerful user type, known as a “superuser” or “root”, allowing them to add, remove, or modify any files on the machine.
Wardle is the founder of the Objective-See Foundation, a nonprofit that creates open-source security tools for macOS. Earlier, at the Black Hat cybersecurity conference held in the same week as Def Con, Wardle detailed the unauthorized use of algorithms lifted from his open-source security software by for-profit companies.
Following responsible disclosure protocols, Wardle informed Zoom about the vulnerability in December last year. But, to his frustration, he says an initial fix from Zoom contained another bug that meant the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.
“To me, that was problematic because not only did I report the bugs to Zoom, but also noted mistakes and how to fix the code,” Wardle said before the talk. “So it was disheartening to wait for six, seven, eight months, knowing that all Mac versions of Zoom were posing on users’ computers vulnerable.”
A few weeks before the Def Con event, Wardle says Zoom issued a patch that fixed the bugs he had initially discovered. But on closer analysis, another small error meant the bug was still exploitable.
In the new version of the update installer, a package to be installed is first moved to a directory owned by the “root” user. Generally, this means that no user without root permission can add, remove, or modify files in this directory. But because of a quirk of Unix systems, when an existing file is moved from another location into the root-owned directory, it keeps the same read-write permissions it previously had. Therefore, in this case, it can still be modified by a regular user. And because it can be modified, a malicious user can still swap the contents of that file with a file of their own choosing and use it to become root.
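The permission quirk described above can be reproduced on any Unix-like system. The following is an added example, not Zoom’s code and not part of Wardle’s research: it moves a world-writable file into a staging directory with `rename`, shows that the mode bits survive the move, and contrasts that with copying the bytes into a fresh file whose permissions the privileged process resets. The `staged_file_problems` function is a hypothetical check that an updater running as root could apply before executing a staged package; the `trusted_uid` value of 0 and all file paths are assumptions constructed for the demonstration.

```python
"""Why moving a user-writable file into a root-owned directory is not enough.

Added example (not Zoom's code): rename(2) preserves a file's owner and mode,
so a package that was writable before the move is still writable afterwards.
A privileged updater should verify ownership and mode of the staged file, or
re-create the file itself, before running it.
"""
import os
import shutil
import stat
import tempfile


def stage_by_rename(src: str, dest_dir: str) -> str:
    """Move the package into the staging directory (the pattern the article
    describes). rename() keeps the same inode, so owner and mode are unchanged."""
    dest = os.path.join(dest_dir, os.path.basename(src))
    os.rename(src, dest)
    return dest


def stage_by_copy(src: str, dest_dir: str, mode: int = 0o644) -> str:
    """Copy the bytes into a new file created by the privileged process, then
    set an explicit mode so that only the owner can modify it."""
    dest = os.path.join(dest_dir, os.path.basename(src))
    with open(src, "rb") as fin, open(dest, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    os.chmod(dest, mode)
    return dest


def staged_file_problems(path: str, trusted_uid: int = 0) -> list:
    """Return the reasons a privileged updater should refuse to run `path`.

    Hypothetical check (assumption): the file must be a regular file owned by
    `trusted_uid`, not writable by group or others, and not sit in a
    world-writable directory that lacks the sticky bit.
    """
    st = os.lstat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != trusted_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    parent = os.lstat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory is world-writable without sticky bit")
    return problems


def _write_world_writable(path: str) -> None:
    """Constructed sample: a 'package' an unprivileged user downloaded and left
    writable by everyone."""
    with open(path, "wb") as f:
        f.write(b"constructed package bytes")
    os.chmod(path, 0o666)


def demo() -> dict:
    """Stage the same world-writable package both ways and compare the result."""
    with tempfile.TemporaryDirectory() as tmp:
        download_dir = os.path.join(tmp, "download")
        rename_dir = os.path.join(tmp, "staging-rename")
        copy_dir = os.path.join(tmp, "staging-copy")
        for d in (download_dir, rename_dir, copy_dir):
            os.makedirs(d, mode=0o755)
        pkg = os.path.join(download_dir, "update.pkg")

        _write_world_writable(pkg)
        moved = stage_by_rename(pkg, rename_dir)
        result = {
            "rename_mode": stat.S_IMODE(os.stat(moved).st_mode),
            "rename_problems": staged_file_problems(moved),
        }

        _write_world_writable(pkg)
        copied = stage_by_copy(pkg, copy_dir)
        result["copy_mode"] = stat.S_IMODE(os.stat(copied).st_mode)
        result["copy_problems"] = staged_file_problems(copied)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```

Run it as any user: the renamed file reports mode `0o666` and the check flags it as writable by group or others, while the copied file reports `0o644` and raises no writability complaint. When the script is not run as root, the ownership check also fires for both files, which is exactly the condition a real updater should treat as a reason to refuse the package.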
While this bug is currently live in Zoom, Wardle says it’s straightforward to fix and hopes that talking about it publicly will “grease the wheels” to have the company take care of it sooner rather than later.