Zoom is one of the most popular video-conferencing software, every day it is used by millions of users, especially during the COVID outbreak.
Cybersecurity researchers from Cisco Talos have disclosed two critical vulnerabilities in the video conferencing software Zoom that could have allowed remote attackers to hack into the systems of participants at a group chat or an individual recipient.
The two vulnerabilities are path traversal issues that can be exploited by attackers to write or plant arbitrary files on the systems running vulnerable versions of Zoom to execute malicious code.
The issues are easy to exploit, attackers can trigger them just by sending specially crafted messages through the chat to an individual or a group.
The first vulnerability, tracked as CVE-2020-6109, is related to the way Zoom leverages GIPHY service to allow its users to search and exchange animated GIFs via chat.
Experts discovered that Zoom did not check the GIF source allowing attackers to embed GIFs from a third-party server under the control of the attackers. Then the software store the image on the recipients’ system in a specific folder associated with the application.
The software fails to sanitize the filenames potentially allowing to achieve directory traversal, this means that an attacker could potentially store malicious files disguised as GIFs to any location on the target system.
“An exploitable path traversal vulnerability exists in the Zoom client, version 4.6.10 processes messages including animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution.” reads the advisory published by Cisco Talos. “An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability.”
The second issue is a remote code execution vulnerability tracked as CVE-2020-6110, which resided in the way vulnerable versions of the Zoom application handles code snippets shared through the chat.
“An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution.” reads the advisory. “An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required.”
“Zoom’s chat functionality is built on top of XMPP standard with additional extensions to support the rich user experience. One of those extensions supports a feature of including source code snippets that have full syntax highlighting support. The feature to send code snippets requires the installation of an additional plugin but receiving them does not. This feature is implemented as an extension of file sharing support,”
The experts discovered that the software creates a zip archive containing the shared code snippet before sending, which is unzipped on the recipient’s system.
Zoom’s zip file extraction feature does not validate the contents of the zip file before extracting it, allowing the attacker to plant arbitrary binaries on targeted systems.
“This allows a potential attacker without user interaction to plant arbitrary binaries on target’s computer via automatically extracted zip files.” continues the experts. “Additionally, a partial path traversal issue allows the specially crafted zip file to write files outside the intended randomly generated directory. “
Both vulnerabilities affect Zoom version 4.6.10, the company addressed them with the release of version 4.6.12.
(SecurityAffairs – video conferencing system, hacking)