Friday, September 29, 2023

The Zoom installer let a researcher hack his way to root access on macOS

Must read

Shreya Christina
Shreya has been with for 3 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider team, Shreya seeks to understand an audience before creating memorable, persuasive copy.

A security researcher has found a way for an attacker to use the macOS version of Zoom to gain access to the entire operating system.

Details of the exploit were released in a presentation given by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday. Some of the bugs involved have already been fixed by Zoom, but the researcher also presented an unpatched vulnerability that still affects systems today.

The exploit works by targeting the Zoom application installer, which must be run with special user permissions in order to install or uninstall the main Zoom application from a computer. While the installer requires a user to enter their password when the application is first added to the system, Wardle found that an auto-update feature then ran continuously in the background with superuser privileges.

When Zoom released an update, the updater feature installed the new package after verifying that it was cryptographically signed by Zoom. But an error in how the verification method was implemented meant that it would be enough to give the updater a file with the same name as Zoom’s signing certificate to pass the test. updater with elevated privileges.

The result is a privilege escalation attack, which assumes that an attacker has already gained initial access to the target system and then uses an exploit to gain a higher level of access. In this case, the attacker starts with a restricted user account, but escalates to the most powerful user type — known as a “superuser” or “root” — allowing them to add, delete, or modify files on the machine.

Wardle is the founder of the Objective-See Foundation, a nonprofit organization that creates open-source security tools for macOS. Earlier, at the Black Hat cybersecurity conference held the same week as Def Con, Wardle detailed the unauthorized use of algorithms removed from his open-source security software by for-profit companies.

Following Responsible Disclosure protocols, Wardle informed Zoom about the vulnerability in December last year. Much to his frustration, he says Zoom’s first fix contained another bug that meant the vulnerability could still be exploited in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before launching the investigation. published.

“For me, that was a bit problematic because not only did I report the bugs to Zoom, I also reported errors and how to fix the code,” Wardle told me. The edge in a conversation for the conversation. “So it was really frustrating to wait six, seven, eight months knowing that all Mac versions of Zoom were vulnerable on users’ computers.”

A few weeks before the Def Con event, Wardle says Zoom has released a patch that fixes the bugs he initially discovered. But on closer analysis, another minor flaw meant that the bug could still be exploited.

In the new version of the update installer, a package to be installed is first moved to a folder owned by the “root” user. In general, this means that no user who does not have root permission can add, delete or modify files in this folder. But due to a subtlety of Unix systems (of which macOS is one), it retains the same read-write permissions it had before when an existing file is moved from another location to the root directory. So in this case it can still be changed by a regular user. And because it can be modified, a malicious user could still swap the contents of that file with a file of their choosing and use it to become root.

While this bug is currently live in Zoom, Wardle says it’s very easy to fix and hopes that if it’s talked about publicly, the company will fix it sooner rather than later.

Zoom had not responded to a request for comment at the time of publication.

More articles

Latest article