Zoom installer lets researchers crack root access on macOS

A security researcher has discovered a way an attacker could exploit the macOS version of Zoom to gain access to the entire operating system.

Mac security expert Patrick Wardle published details about the exploit at the Def Con hacker conference in Las Vegas on Friday. Zoom has fixed some of the bugs involved, but the researchers also raised an unpatched vulnerability that still affects systems today.

The exploit works against the Zoom application’s installer, which needs to be run with special user rights to install or remove the main Zoom application from the computer. Although the installer required the user to enter a password when the app was first added to the system, Wardle found that the auto-update feature then continued to run in the background with superuser privileges.

When Zoom releases an update, the Updater feature will install it after checking that the new package has been cryptographically signed by Zoom. But there’s a bug in the way the check method is implemented, which means that providing the updater with any file with the same name as the Zoom signing certificate is enough to pass the test — so an attacker could replace any kind of malware program and have it run with elevated privileges Updater.

The result is a privilege escalation attack, assuming that the attacker has gained initial access to the target system, and then exploits the vulnerability to gain a higher level of access. In this case, the attacker starts with a limited user account, but escalates to the most powerful type of user — called “superuser” or “root” — that allows them to add, delete, or modify any file on the machine.

Wardle is the founder of the Objective-See Foundation, a nonprofit that creates open source security tools for macOS. Earlier, at the Black Hat cybersecurity conference the same week as Def Con, Wardle detailed the for-profit company’s unauthorized use of algorithms extracted from his open-source security software.

Following responsible disclosure protocols, Wardle notified Zoom of the vulnerability in December. To his dismay, he said Zoom’s initial fix contained another bug, meaning the bug could still be exploited in a slightly more roundabout way, so he disclosed the second bug to Zoom and waited eight months Publish research.

“For me, it’s a bit of a problem because I’m not only reporting bugs to Zoom, but also bugs and how to fix the code,” Wardle told Reuters edge During the call before the call. “So, waiting six, seven, eight months to know that all Mac versions of Zoom are vulnerable on users’ computers, it’s really frustrating.”

A few weeks before the Def Con event, Wardle said Zoom had released a patch that fixed the bug he initially found. But after careful analysis, another small bug meant the vulnerability could still be exploited.

In a new version of the update installer, first move the package to be installed into a directory owned by the “root” user. Typically, this means that users without root privileges cannot add, delete, or modify files in this directory. But due to the subtleties of Unix systems (macOS is one of them), when an existing file is moved to the root directory from another location, it retains the same read and write permissions as before. So in this case it can still be modified by normal users. And because it can be modified, malicious users can still swap the contents of that file with a file of their own choice and use it to become root.

While the bug currently exists in Zoom, Wardle said it’s easy to fix, and he hopes talking about it publicly will “go ahead” and let the company fix it sooner rather than later.

in a statement edgeMatt Nagel, Zoom’s head of security and privacy communications, said: “We are aware of the newly reported vulnerability in the macOS auto-updater and are working to resolve the issue.”

Update Aug. 12 at 11:09 PM ET: Article updated based on Zoom’s response.

Leave a Comment

Your email address will not be published.