Details of the exploit were released in a presentation given by Mac security expert Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday. Some of the bugs involved have already been fixed by Zoom, but the researcher also presented an unpatched vulnerability that is still affecting systems now.

The exploit works by targeting the installer for the Zoom app, which must be run with special user rights to install or remove the main Zoom app from a computer. Although the installer requires a user to enter their password when the app is first added to the system, Wardle found that an auto-update function was then constantly running in the background with superuser privileges.

Privilege escalation attack

When Zoom issued an update, the update function would install the new package after verifying that it was cryptographically signed by Zoom. However, a bug in the way the check was implemented meant that providing the updater with any file bearing the same name as Zoom’s signing certificate was enough to pass the test, so an attacker could swap in a malicious file of their own and have it run by the elevated updater.

The result is a privilege escalation attack, which assumes that an attacker has already gained initial access to the target system and then uses an exploit to gain a higher level of access. In this case, the attacker starts with a limited user account but escalates to the most powerful user type, known as “superuser” or “root”, allowing them to add, remove, or modify any files on the machine.

Wardle is the founder of the Objective-See Foundation, a non-profit organization that creates open source security tools for macOS. Previously, at the Black Hat cybersecurity conference held the same week as Def Con, Wardle exposed the unauthorized use of algorithms lifted from his open source security software by for-profit companies.
“It was really frustrating to wait…six, seven, eight months”

Following responsible disclosure protocols, Wardle notified Zoom of the vulnerability in December last year. To his dismay, he says an initial fix from Zoom contained another bug that meant the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.

“For me that was kind of problematic because not only did I report the bugs in Zoom, but I also reported errors and how to fix the code,” Wardle told The Verge on a call before the talk. “So it was really frustrating to wait, six, seven, eight months, knowing that all the Mac versions of Zoom were vulnerable on users’ computers.”

A few weeks before the Def Con event, Wardle says Zoom released a patch that fixed the bugs he had originally reported. But on closer inspection, another small flaw meant that the bug was still exploitable. In the new version of the update installer, a package to be installed is first moved to a directory owned by the “root” user. Generally this means that no non-root user can add, remove, or modify files in that directory. But due to a subtlety of Unix-like systems (macOS among them), when an existing file is moved into the root-owned directory from elsewhere, it keeps the same read/write permissions it had before, so in this case it can still be modified by a normal user. And because it can be modified, a malicious user can still swap the contents of that file for a file of their choice and use it to become root.

While this bug is currently in Zoom, Wardle says it’s very easy to fix and that he hopes the public discussion about it will “grind the wheels” for the company to address it sooner rather than later. Zoom had not responded to a request for comment at the time of publication.
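The permission-preserving move described above can be reproduced without root, since the mode bits behave the same for any user. The following is an added example, not Zoom's updater code: it moves a constructed, world-writable package file into a staging directory the way a plain rename does, shows the file stays writable by others, and contrasts that with the hardening step (resetting the mode, and in a real installer also chowning to root) that the fix needs.

```python
"""Demonstrates why moving a file into a protected directory is not enough:
a rename keeps the file's original owner and permission bits.  Ownership can
only be changed as root, so this demo checks the mode bits, which are
preserved identically for any user.  Example code, not Zoom's updater."""
import os
import shutil
import stat
import tempfile

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable bits


def is_safely_staged(st_mode: int, st_uid: int, trusted_uid: int = 0) -> bool:
    """A staged package is safe to install only if it is owned by the trusted
    user (root, uid 0, in the Zoom case) and nobody else can write to it."""
    return st_uid == trusted_uid and (st_mode & WRITE_BY_OTHERS) == 0


def stage_package(src: str, staging_dir: str, harden: bool) -> int:
    """Move src into staging_dir with a plain rename, as the flawed updater
    did.  With harden=True, reset the mode so only the owner may write, the
    step that was missing.  Returns the permission bits of the staged file."""
    dst = os.path.join(staging_dir, os.path.basename(src))
    shutil.move(src, dst)  # rename: the old owner and mode travel with it
    if harden:
        os.chmod(dst, 0o644)  # owner rw, everyone else read-only
        # a real installer would also chown the file to root here (needs root)
    return stat.S_IMODE(os.stat(dst).st_mode)


def demo() -> tuple:
    """Returns (mode after plain move, mode after hardened move)."""
    results = []
    for harden in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            pkg = os.path.join(tmp, "update.pkg")  # constructed fake package
            with open(pkg, "wb") as f:
                f.write(b"constructed fake package\n")
            os.chmod(pkg, 0o666)  # writable by everyone, as an attacker wants
            staging = os.path.join(tmp, "root_owned_staging")
            os.mkdir(staging)
            results.append(stage_package(pkg, staging, harden))
    return results[0], results[1]


if __name__ == "__main__":
    plain, hardened = demo()
    print(f"plain move:     {plain:o}  others can write: {bool(plain & WRITE_BY_OTHERS)}")
    print(f"hardened move:  {hardened:o}  others can write: {bool(hardened & WRITE_BY_OTHERS)}")
```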