Two Critical Flaws in Zoom: Attackers Hack Systems via Chat

Zoom is one of the most popular video-conferencing applications; it is used every day by millions of users, especially during the COVID outbreak.

Cybersecurity researchers from Cisco Talos have discovered two critical vulnerabilities in the Zoom software that could have allowed attackers to hack into the systems of group chat participants or an individual recipient remotely.

Both vulnerabilities are path traversal issues that an attacker can exploit to write or plant arbitrary files on systems running vulnerable versions of Zoom and thereby execute malicious code.

The issues are easy to exploit: attackers can trigger them just by sending specially crafted messages through the chat to an individual or a group.

The first security vulnerability, tracked as CVE-2020-6109, is related to the way Zoom leverages the GIPHY service to allow users to search for and exchange animated GIFs while chatting.

Experts discovered that the Zoom application did not check whether a shared GIF was actually being loaded from the Giphy service. This allows attackers to embed GIFs hosted on a third-party server under their control; the software then stores the image on the recipients' system in a specific folder associated with the application.

The software also fails to sanitize the filenames, potentially allowing attackers to achieve directory traversal. This means an attacker could store malicious files disguised as GIFs at any location on the victim's system.

The second issue, a remote code execution vulnerability tracked as CVE-2020-6110, resides in the way vulnerable versions of the Zoom application handle code snippets shared through the chat.

Zoom's chat functionality is built on top of the XMPP standard, with additional extensions to support a rich user experience. One of those extensions supports including source code snippets with full syntax highlighting. Sending code snippets requires the installation of an additional plugin, but receiving them does not. The feature is implemented as an extension of the file-sharing support.

The experts discovered that the software creates a zip archive containing the shared code snippet before sending it; the archive is unzipped on the recipient's system.

Zoom's zip file extraction feature does not validate the contents of the zip file before extracting it. This allows a potential attacker to plant arbitrary binaries on the target's computer via automatically extracted zip files, without any user interaction.

Additionally, a partial path traversal issue allows a specially crafted zip file to write files outside the intended, randomly generated directory.
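As an added defender-side example (not Zoom's code and not from the Talos advisory), the containment check that both flaws lack: a bare-filename check for the GIF download folder, and a zip extraction routine that rejects any entry resolving outside its destination directory. The archive contents and the `safe_filename`/`safe_extract` names are constructed for this demo.

```python
import io
import os
import tempfile
import zipfile


def safe_filename(name: str):
    """Accept only a bare file name for the download folder (hypothetical check)."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        return None
    return name


def safe_extract(zip_bytes: bytes, dest: str):
    """Extract only entries that resolve inside dest; return (extracted, rejected)."""
    dest_real = os.path.realpath(dest)
    os.makedirs(dest_real, exist_ok=True)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Resolve '..' segments and absolute names before comparing with dest.
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_demo_zip() -> bytes:
    """Constructed sample archive: one benign snippet and two escaping entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("snippet.py", "print('hello')\n")        # stays inside dest
        zf.writestr("../../escape.sh", "#!/bin/sh\n")        # relative traversal
        zf.writestr("/tmp/absolute.txt", "absolute entry\n")  # absolute path entry
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the constructed archive into a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="snippet_")
    extracted, rejected = safe_extract(build_demo_zip(), dest)
    return {"extracted": extracted, "rejected": rejected,
            "files": sorted(os.listdir(dest))}
```

`run_demo()` writes only `snippet.py` into the temporary directory and reports the two escaping entries as rejected.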

According to the researchers, successful exploitation of both flaws requires no or very little interaction from the targeted chat participants and can be carried out just by sending specially crafted messages through the chat feature to an individual or a group.

Recommendations

It is recommended to consider the following best practices:

  • It is highly recommended to use Zoom's latest version, 4.6.12; Zoom patched both critical vulnerabilities with that release.
  • When creating a new event, choose to allow only signed-in users to participate.
  • Once a session has begun, open the "Manage Participants" tab, click "More," and choose to "lock" the meeting as soon as every expected participant has arrived. This prevents others from joining even if meeting IDs or access details have been leaked.
  • Choose a randomly generated ID for meetings when creating a new event.
  • Be careful with the file-sharing feature of meetings. Share material using a trusted service such as Box or Google Drive.
  • Use the Waiting Room feature. It is a way to screen participants before they are allowed to enter a meeting.