Zoom Zero-click Exploits explained by Project Zero

Natalie Silvanovich of Google's Project Zero recently published a post detailing two vulnerabilities she had found and reported to Zoom: a buffer overflow and an information leak, both fixed on November 24, 2021. The first affects both Zoom clients and Zoom's Multimedia Router (MMR) servers; the second can be exploited by an attacker against MMR servers. For context, she points to the zero-click attack against the Windows Zoom client demonstrated at last year's Pwn2Own, which showed that Zoom does have a fully remote attack surface. The vulnerabilities were assigned CVE-2021-34423 and CVE-2021-34424.

Silvanovich says she had not previously tried to attack Zoom because she assumed it was less exposed than comparable software. In most video conferencing software the user has to accept or decline an incoming call, whereas Zoom calls are scheduled in advance and joined via an email invitation, so you would expect an attack on Zoom to require multiple clicks from the victim. Last year's Pwn2Own proved otherwise.

Zoom client interface

After Pwn2Own, Silvanovich decided to take a closer look at Zoom. In the post published on the Project Zero blog she gives an overview of Zoom's attack surface, explains how the vulnerabilities could be exploited, and suggests how vendors of software like Zoom could improve their users' security.

Zoom attack surface

Silvanovich viewed Zoom's attack surface from the perspective of a user of the client. The core feature of the software is multi-user conference calls, called meetings, which offer screen sharing, in-call text messages, video and audio. Zoom provides full-featured installable clients for iPhone, Android, Linux, Mac and Windows. Users can also join a meeting through a browser link, with fewer features available, or dial a phone number given in the invitation from a touch-tone phone and listen to the meeting audio only.

Zoom Contacts

Users can also add Zoom Contacts, which allow one-to-one communication by message or video: one contact starts a call and the other either accepts or rejects it. Silvanovich identifies this part of the client as Zoom's zero-click attack surface. That does not mean an attacker cannot simply invite a victim to a meeting, but doing so requires the victim to make several clicks. The greater risk is not to individual users but to public Zoom meetings and Webinars (a paid Zoom feature in which a large group of unknown attendees joins a one-way video conference). Because anyone can join these without being identified, an attacker can sit in them alongside legitimate attendees, which also makes them attractive to phishers, for example. Nor is the risk limited to the clients, Silvanovich notes: data transmitted through the meeting can be exposed as well, because end-to-end encryption is off by default.

Zoom Messages Overview

Silvanovich started with Zoom's zero-click attack surface. After some initial technical work she found no sign of vulnerabilities there. She then looked at how Zoom handles data received over XMPP, an open protocol for instant messaging, presence information and contact list management. Zoom uses it mainly for communication between clients outside of meetings, such as messages and channels, and for signaling (call set-up) when one Zoom Contact invites another to a meeting. After analyzing the relevant code paths she found no bugs there either. She notes this is interesting because Thijs Alkemade and Daan Keuper published the write-up of their Pwn2Own bug after she had finished this part of her research, and their bug was in exactly this area. The research focused solely on the Zoom client software, since the other ways of joining a call rely on existing device features (a browser or a phone).

Zoom RTP Processing

Next, Silvanovich looked at how Zoom clients process audio and video. Like most video conferencing systems, Zoom transports this data over the Real-time Transport Protocol (RTP). While investigating this area she noticed that both the MMR server and the Zoom clients process a large number of packets that did not appear to be RTP or XMPP, and it was in this processing that she found the two vulnerabilities described above.
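Packet processing of this kind is where length checks are easiest to get wrong. As an added illustration (not code from the Project Zero post and not Zoom's code), the block below is a bounds-checked parser for the RTP fixed header defined in RFC 3550 section 5.1. The CSRC count, the header-extension length and the padding count are all attacker-controlled lengths, and each is checked against the bytes actually present before anything is read. The sample packets are constructed for the example rather than captured from Zoom traffic; the status codes and struct names are my own.

```c
/* Added example (not Zoom's code, not from the Project Zero post):
 * a bounds-checked parser for the RTP fixed header, RFC 3550 section 5.1.
 * The CSRC count, the extension length and the padding byte are all
 * attacker-controlled lengths and must be checked against the packet size. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum rtp_status {
    RTP_OK = 0,
    RTP_TOO_SHORT,    /* header fields claim more bytes than the packet holds */
    RTP_BAD_VERSION,  /* version != 2: not RTP, hand it to another parser */
    RTP_BAD_PADDING   /* padding count is zero or larger than the payload */
};

struct rtp_header {
    uint8_t  version, padding, extension, csrc_count, marker, payload_type;
    uint16_t seq, ext_profile;
    uint32_t timestamp, ssrc, csrc[15];   /* CC is 4 bits, so at most 15 CSRCs */
    size_t   ext_len, payload_off, payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

enum rtp_status parse_rtp(const uint8_t *buf, size_t len, struct rtp_header *h) {
    memset(h, 0, sizeof *h);
    if (len < 12) return RTP_TOO_SHORT;
    h->version      = buf[0] >> 6;
    if (h->version != 2) return RTP_BAD_VERSION;
    h->padding      = (buf[0] >> 5) & 1;
    h->extension    = (buf[0] >> 4) & 1;
    h->csrc_count   = buf[0] & 0x0f;
    h->marker       = buf[1] >> 7;
    h->payload_type = buf[1] & 0x7f;
    h->seq          = rd16(buf + 2);
    h->timestamp    = rd32(buf + 4);
    h->ssrc         = rd32(buf + 8);

    size_t off = 12;
    /* CSRC list: check that the whole list fits before reading a single entry */
    if (len - off < (size_t)h->csrc_count * 4) return RTP_TOO_SHORT;
    for (unsigned i = 0; i < h->csrc_count; i++, off += 4) h->csrc[i] = rd32(buf + off);

    if (h->extension) {
        if (len - off < 4) return RTP_TOO_SHORT;
        h->ext_profile = rd16(buf + off);
        h->ext_len = (size_t)rd16(buf + off + 2) * 4;      /* length is in 32-bit words */
        off += 4;
        if (len - off < h->ext_len) return RTP_TOO_SHORT;  /* never trust the declared length */
        off += h->ext_len;
    }

    h->payload_off = off;
    h->payload_len = len - off;
    if (h->padding) {
        /* the last octet says how many trailing octets (itself included) are padding */
        if (h->payload_len == 0) return RTP_BAD_PADDING;
        uint8_t pad = buf[len - 1];
        if (pad == 0 || pad > h->payload_len) return RTP_BAD_PADDING;
        h->payload_len -= pad;
    }
    return RTP_OK;
}

/* Constructed sample packets for the example; not captured from Zoom traffic. */
static const uint8_t kPlainRtp[] = {
    0x80, 0x60, 0x12, 0x34,  /* V=2 P=0 X=0 CC=0 | M=0 PT=96 | seq 0x1234 */
    0x00, 0x00, 0x01, 0x00,  /* timestamp 256 */
    0xde, 0xad, 0xbe, 0xef,  /* SSRC */
    0x01, 0x02, 0x03 };      /* 3 payload bytes */
static const uint8_t kPaddedRtp[] = {
    0xa0, 0x60, 0x00, 0x05, 0,0,0,0, 0,0,0,3,
    0x41, 0x00, 0x02 };      /* P=1: last octet 2 => one real payload byte */
static const uint8_t kBadPad[] = {
    0xa0, 0x60, 0x00, 0x06, 0,0,0,0, 0,0,0,4,
    0x41, 0x10 };            /* P=1 but pad count 16 > 2 payload bytes */
static const uint8_t kTruncatedCsrc[] = {
    0x82, 0x60, 0x00, 0x01, 0,0,0,0, 0,0,0,1,
    0xaa, 0xbb, 0xcc, 0xdd };/* CC=2, only one CSRC present */
static const uint8_t kHugeExt[] = {
    0x90, 0x60, 0x00, 0x02, 0,0,0,0, 0,0,0,2,
    0xbe, 0xde, 0xff, 0xff };/* X=1, extension claims 0xffff words */
static const uint8_t kNotRtp[] = {
    0x05, 0x01, 0x00, 0x00, 0,0,0,0, 0,0,0,0, 0 }; /* version bits 0: not RTP */

int main(void) {
    const struct { const char *name; const uint8_t *p; size_t n; } samples[] = {
        { "plain", kPlainRtp, sizeof kPlainRtp }, { "padded", kPaddedRtp, sizeof kPaddedRtp },
        { "badpad", kBadPad, sizeof kBadPad }, { "trunc-csrc", kTruncatedCsrc, sizeof kTruncatedCsrc },
        { "huge-ext", kHugeExt, sizeof kHugeExt }, { "not-rtp", kNotRtp, sizeof kNotRtp } };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct rtp_header h;
        int st = parse_rtp(samples[i].p, samples[i].n, &h);
        printf("%-10s status=%d pt=%u seq=%u payload=%zu bytes\n",
               samples[i].name, st, h.payload_type, h.seq, h.payload_len);
    }
    return 0;
}
```

The `RTP_BAD_VERSION` path is the interesting one for a client like Zoom's: a packet whose version bits are not 2 is not RTP, and whatever proprietary parser it is handed off to needs the same discipline of checking every declared length against the bytes that actually arrived. Note that Zoom's bugs were in its own non-RTP formats; the RTP header is used here only because it is a public format with the same structure of attacker-controlled lengths.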

Silvanovich did not achieve full exploitation of the vulnerabilities, though she was able to use them to achieve more limited effects, and she believes a well-resourced attacker could exploit them fully. On the subject of RTP processing, she welcomed Zoom's enabling of ASLR in the MMR process and said it is important for Zoom to keep improving the robustness of the MMR code.

Conclusion

In closing, Silvanovich named several factors that she thinks contributed to the bugs she found, factors that cause problems in video conferencing applications generally. The first is the sheer amount of code. Several portions of the code had functionality that was hard to determine, and many of the classes that could be deserialized did not appear to be in common use. A code base this large is harder for security researchers to analyze and, at the same time, enlarges the attack surface in which vulnerabilities can hide.

The second is the use of many proprietary formats and protocols. A researcher often has to build tooling to manipulate a specific interface of the software, and with proprietary formats that takes far longer than it would for standard ones. Add roughly $1500 USD in licensing fees, and the result is that the software is investigated less often than it should be.

Zoom's closed nature also makes it difficult for security researchers to work on it. Many video conferencing systems are built on open-source components such as WebRTC or PJSIP. These are not free of problems, but they are much simpler to analyze.

Her biggest concern, though, was the lack of ASLR in the Zoom MMR server. ASLR is arguably the most important mitigation against exploitation of memory corruption, and most other mitigations depend on it to some degree, so it should not be disabled, as it evidently was here. Vendors generally rely on the security measures provided by the platforms they write for; there are also proposals to reduce susceptibility to memory corruption by adopting memory-safe languages and stronger memory mitigations. Either way, she thinks all software written for platforms that support ASLR should have it (and the other basic memory mitigations) enabled.
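The practical check that follows from this is whether your own Linux binaries are actually built so that ASLR can apply to them. The program below is an added example, not Zoom's code and not from the Project Zero post: it parses the ELF64 header of a little-endian executable and reports whether it is a position-independent executable (`e_type == ET_DYN`, which is what lets the kernel randomize the main image's load address) and whether it requests a non-executable stack through a `PT_GNU_STACK` program header. The minimal ELF images used to exercise it are constructed inside the block; nothing about how Zoom's MMR binary was built is assumed.

```c
/* Added example (not Zoom's code): report whether an ELF64 little-endian
 * executable is a PIE (needed for ASLR of the main image on Linux) and whether
 * it asks for a non-executable stack. Only the ELF header and program headers
 * are parsed, and every offset is checked against the file size. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Trailing underscores avoid clashing with <elf.h> if a reader includes it. */
enum { ET_EXEC_ = 2, ET_DYN_ = 3, PT_GNU_STACK_ = 0x6474e551, PF_X_ = 1 };

struct elf_mitigations {
    int pie;       /* 1 if e_type == ET_DYN: the kernel may randomize the load address */
    int nx_stack;  /* 1 if PT_GNU_STACK is present and lacks PF_X */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }
static uint64_t le64(const uint8_t *p) { return le32(p) | ((uint64_t)le32(p + 4) << 32); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

/* Returns 0 on success, -1 if the image is not a well-formed ELF64 LE file. */
int inspect_elf64(const uint8_t *img, size_t len, struct elf_mitigations *m) {
    memset(m, 0, sizeof *m);
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    if (img[4] != 2 || img[5] != 1) return -1;            /* ELFCLASS64, ELFDATA2LSB */
    m->pie = (le16(img + 16) == ET_DYN_);                 /* e_type */
    uint64_t phoff = le64(img + 32);                      /* e_phoff */
    uint16_t phentsize = le16(img + 54), phnum = le16(img + 56);
    if (phentsize < 56) return -1;
    for (unsigned i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;   /* bounds-check each header */
        if (off > len || len - off < phentsize) return -1;
        const uint8_t *ph = img + off;
        if (le32(ph) == PT_GNU_STACK_) m->nx_stack = !(le32(ph + 4) & PF_X_);
    }
    /* With no PT_GNU_STACK at all, nx_stack stays 0: x86 Linux then maps an executable stack. */
    return 0;
}

/* Builds a constructed 120-byte ELF64 image (header + one PT_GNU_STACK entry)
 * for the example; it is not loadable, just enough to exercise the parser. */
size_t build_demo_elf(uint8_t *out, uint16_t e_type, int exec_stack) {
    memset(out, 0, 120);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;   /* ELFCLASS64, little-endian, EV_CURRENT */
    put16(out + 16, e_type);
    put16(out + 18, 0x3e);                /* EM_X86_64 */
    out[20] = 1;                          /* e_version */
    out[32] = 64;                         /* e_phoff: program headers follow the header */
    out[52] = 64;                         /* e_ehsize */
    out[54] = 56;                         /* e_phentsize */
    out[56] = 1;                          /* e_phnum */
    put32(out + 64, (uint32_t)PT_GNU_STACK_);
    put32(out + 68, 4u | 2u | (exec_stack ? 1u : 0u));  /* PF_R | PF_W [| PF_X] */
    return 120;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    fseek(f, 0, SEEK_END); long n = ftell(f); rewind(f);
    if (n <= 0) { fclose(f); return 2; }
    uint8_t *buf = malloc((size_t)n);
    if (!buf) { fclose(f); return 2; }
    size_t len = fread(buf, 1, (size_t)n, f);
    fclose(f);
    struct elf_mitigations m;
    if (inspect_elf64(buf, len, &m) != 0) { fprintf(stderr, "not an ELF64 LE file\n"); free(buf); return 1; }
    printf("PIE (ASLR-capable main image): %s\nNX stack: %s\n",
           m.pie ? "yes" : "NO", m.nx_stack ? "yes" : "NO");
    free(buf);
    return (m.pie && m.nx_stack) ? 0 : 1;
}
```

Run it as `./elfcheck /path/to/binary`. Two caveats: `ET_DYN` means PIE only for a main executable (a shared library has the same type), and PIE is necessary but not sufficient, since the kernel's `randomize_va_space` setting decides whether randomization actually happens at load time.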

Andrew Nail

Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure whether journalism was what I wanted to do with my life, but combined with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people deal with malware on their PCs.
