A security researcher has found a way for an attacker to leverage the macOS version of Zoom to gain access to the entire operating system.
Details of the exploit were released in a presentation given by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday. Some of the bugs involved have already been fixed by Zoom, but the researcher also exposed an unpatched vulnerability that is still affecting systems today.
The exploit works by targeting the Zoom app installer, which must run with special user permissions in order to install or remove the main Zoom app from a computer. Although the installer requires a user to enter their password when initially adding the application to the system, Wardle discovered that an automatic update feature then continuously ran in the background with superuser privileges.
When Zoom released an update, the update function installed the new package after verifying that it had been cryptographically signed by Zoom. But a bug in the way the verification method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test – so an attacker can substitute any type of malware and have the updater run it with elevated privileges.
The result is a privilege escalation attack, which assumes an attacker has already gained initial access to the target system, then employs an exploit to gain a higher level of access. In this case, the attacker starts with a restricted user account but moves to the most powerful type of user – known as “superuser” or “root” – allowing him to add, remove or modify any file on the machine.
Wardle is the founder of the Objective-See Foundation, a nonprofit that creates open-source security tools for macOS. Previously, at the Black Hat cybersecurity conference held the same week as Def Con, Wardle detailed the unauthorized use of algorithms extracted from his open-source security software by for-profit companies.
In accordance with responsible disclosure protocols, Wardle notified Zoom of the vulnerability in December last year. Much to his frustration, he says an initial patch from Zoom contained another bug which meant the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing his research.
“For me, it was a bit problematic because not only did I report bugs to Zoom, but I also reported errors and how to fix the code,” Wardle told The Verge during a call before the conference. “So it was really frustrating to wait, what, six, seven, eight months knowing that all Mac versions of Zoom were installed on vulnerable users’ computers.”
A few weeks before the Def Con event, Wardle said Zoom had released a patch that fixed the bugs he had initially discovered. But upon further analysis, another small error meant the bug was still exploitable.
In the new version of the update installer, a package to be installed is first moved to a directory owned by the “root” user. Generally, this means that no user without root permission can add, delete or modify files in this directory. But due to a subtlety of Unix-like systems (a family macOS belongs to), when an existing file is moved from another location into the root-owned directory, it retains the same owner and read-write permissions it had before. So in this case it can still be changed by a regular user. And because it can be modified, a malicious user can still swap the contents of this file with a file of their choice and use it to become root.
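To make the subtlety concrete, here is an added example (not Zoom’s updater code and not from Wardle’s research) that stages a constructed, world-writable package file both ways: a rename into a privileged directory keeps the file’s original mode bits, while creating a fresh file and copying the bytes in does not, and a simple ownership-and-permission check tells the two apart. It runs as the current user, so it demonstrates the preserved mode bits rather than root ownership.

```python
import os
import shutil
import stat
import tempfile


def stage_by_move(src, staging_dir):
    """Flawed approach: rename() the package into the privileged directory.
    The inode keeps its original owner and mode bits, so a file the
    unprivileged user could write before the move is still writable after it."""
    dst = os.path.join(staging_dir, os.path.basename(src))
    os.rename(src, dst)
    return dst


def stage_by_copy(src, staging_dir):
    """Hardened approach: create a brand-new file owned by the installer
    process with mode 0644 (O_EXCL refuses a pre-planted file or symlink)
    and copy the package bytes into it."""
    dst = os.path.join(staging_dir, os.path.basename(src))
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    return dst


def safe_to_install(path, trusted_uid):
    """Gate an installer should apply before running a staged package:
    a regular file (no symlink), owned by trusted_uid, not group/world writable."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != trusted_uid:
        return False
    return not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def make_package(path):
    """Constructed stand-in for a package left in a user-writable location."""
    with open(path, "wb") as f:
        f.write(b"constructed package bytes")
    os.chmod(path, 0o666)  # writable by everyone, as an unprivileged user left it


def demo():
    """Stage the same world-writable package both ways; returns the two verdicts."""
    work = tempfile.mkdtemp()
    for d in ("moved", "copied"):
        os.mkdir(os.path.join(work, d))
    pkg = os.path.join(work, "update.pkg")
    me = os.getuid()
    make_package(pkg)
    moved_ok = safe_to_install(stage_by_move(pkg, os.path.join(work, "moved")), me)
    make_package(pkg)  # rename() consumed the source; recreate it for the copy path
    copied_ok = safe_to_install(stage_by_copy(pkg, os.path.join(work, "copied")), me)
    shutil.rmtree(work)
    return moved_ok, copied_ok


if __name__ == "__main__":
    print(demo())  # (False, True)
```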
Although this bug is currently live in Zoom, Wardle says it’s very easy to fix and he hopes talking about it publicly will “grease the wheels” for the company to deal with it as soon as possible.
Zoom had not responded to a request for comment at the time of publication.