Zoom installer let a researcher hack his way to root access on macOS

A security researcher has discovered a way that an attacker could take advantage of the macOS version of Zoom to gain access to the entire operating system.

Details of the exploit were released in a presentation given by Mac security expert Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday. Some of the bugs involved have already been fixed by Zoom, but the researcher also presented an unpatched vulnerability that still affects the system.

The exploit works by targeting an installer for the Zoom application, which needs to be run with special user permissions to install or remove the main Zoom application from a computer. Although the installer requires the user to enter their password upon first adding the application to the system, Wardle found that an auto-update function then continuously runs in the background with superuser privileges.

When Zoom releases an update, the updater installs the new package after checking that it was cryptographically signed by Zoom. But a bug in how that check was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate was enough to pass the test, so an attacker could substitute any kind of malware program and have the updater run it with elevated privileges.

The result is a privilege escalation attack, which assumes that an attacker has already gained initial access to the target system and then uses an exploit to gain a higher level of access. In this case, the attacker starts with a restricted user account and ends up as the most powerful user type, known as “superuser” or “root”, which allows them to add, delete, access, or modify any file on the machine.

Wardle is the founder of the Objective-See Foundation, a non-profit that creates open-source security tools for macOS. Earlier, at the Black Hat cybersecurity conference held the same week as Def Con, Wardle detailed the unauthorized use by for-profit companies of algorithms lifted from his open-source security software.

Following responsible disclosure protocols, Wardle informed Zoom about the vulnerability in December last year. To his frustration, he says that Zoom’s initial fix contained another bug, which meant that the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom as well and refrained from publishing the research for eight months.

“It was kind of a problem for me because I not only reported the bug to Zoom, but I also reported the mistakes and how I fixed the code,” Wardle told The Verge in a call before the talk. “So it was really frustrating to wait, what, six, seven, eight months, knowing that all the Mac versions of Zoom were vulnerable on users’ computers.”

A few weeks before the Def Con event, Wardle says that Zoom released a patch that fixed the bugs he initially discovered. But upon closer analysis, another small error meant that the bug was still exploitable.

In the new version of the update installer, the packages to be installed are moved to a directory owned by the “root” user. Generally this means that any user without root permission cannot add, delete, or modify files in that directory. But because of a subtlety of Unix systems (of which macOS is one), when an existing file is moved from another location into the root-owned directory, it keeps the read-write permissions it previously had, so in this case it can still be modified by a regular user. And because it can be modified, a malicious user can still swap the contents of that file for a file of their choice and use it to become root.
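The permission-retention behaviour just described, shown as an added example that is not the article’s or Zoom’s code: a user-writable file is moved with rename (the same semantics as mv within one filesystem) into a directory that plays the role of the protected install location, and its mode survives the move. The block also shows a defender’s check that a staged file should pass before anything runs it with elevated privileges, and a hardened staging routine that creates a fresh file with explicit permissions instead of moving the original. The directory names, the helper function names and the sample package contents are constructed for the example; the protected directory is owned by whoever runs the script rather than root, so the ownership check is parameterised on the expected uid.

```python
import os
import shutil
import stat
import tempfile


def staged_file_problems(path: str, expected_uid: int = 0) -> list[str]:
    """Reasons why a staged installer file must NOT be run with elevated
    privileges. An empty list means the file passed every check:
      * it is a regular file, not a symlink that could be re-pointed;
      * it is owned by the expected (privileged) uid;
      * neither group nor others can write to it.
    """
    problems: list[str] = []
    st = os.lstat(path)  # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def stage_by_move(src: str, dst: str) -> int:
    """The weak pattern: rename keeps the inode, so owner and mode bits
    come along unchanged. Returns the mode bits of dst after the move."""
    os.rename(src, dst)
    return stat.S_IMODE(os.stat(dst).st_mode)


def stage_by_hardened_copy(src: str, dst: str) -> int:
    """Hardened pattern: create a NEW file at dst (owned by the installer
    process), refuse to reuse anything already sitting there (O_EXCL),
    copy the bytes in, then set the mode explicitly so umask cannot
    loosen it. Returns the mode bits of dst after the copy."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    os.chmod(dst, 0o644)
    return stat.S_IMODE(os.stat(dst).st_mode)


def demo() -> dict:
    """Run both staging patterns on a constructed package and report the
    resulting mode bits and the problems the defender's check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = os.path.join(tmp, "staging")      # where a user drops the file
        protected = os.path.join(tmp, "protected")  # stands in for the root-owned dir
        os.mkdir(staging)
        os.mkdir(protected, 0o755)

        # Constructed sample package, left world-writable as a regular
        # user's file might be.
        src = os.path.join(staging, "update.pkg")
        with open(src, "wb") as f:
            f.write(b"constructed sample package contents")
        os.chmod(src, 0o666)

        me = os.getuid()  # the example's stand-in for root
        moved = os.path.join(protected, "moved.pkg")
        moved_mode = stage_by_move(src, moved)
        moved_problems = staged_file_problems(moved, expected_uid=me)

        copied = os.path.join(protected, "copied.pkg")
        copied_mode = stage_by_hardened_copy(moved, copied)
        copied_problems = staged_file_problems(copied, expected_uid=me)

        return {
            "moved_mode": moved_mode,
            "moved_problems": moved_problems,
            "copied_mode": copied_mode,
            "copied_problems": copied_problems,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value if not key.endswith('mode') else oct(value)}")
```

The order of operations matters as much as the copy itself: any signature verification has to run on the file after it sits in the protected location, not on the user-controlled original before the move, otherwise the verified bytes and the executed bytes can differ.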

While this bug is currently live in Zoom, Wardle says it is very easy to fix, and he hopes that talking about it publicly will “lubricate the wheels” and get the company to take care of it sooner.

In a statement to The Verge, Zoom’s security and privacy PR lead, Matt Nagel, said: “We are aware of the newly reported vulnerability in the Zoom Auto Updater for macOS and are working diligently to address it.”

Update August 12th, 11:09PM ET: Article updated with response from Zoom.
