A zero-click attack surface investigation of the popular video conferencing solution Zoom has uncovered two previously undisclosed security vulnerabilities that could be exploited to crash services, execute malicious code, or leak arbitrary areas of memory.

Natalie Silvanovich of Google Project Zero, who discovered and reported the two flaws last year, said the issues affected both Zoom clients and Multimedia Router (MMR) servers, which relay audio and video content between clients in on-premises deployments.

The weaknesses were subsequently addressed by Zoom as part of updates shipped on November 24, 2021.

The goal of a zero-click attack is to covertly take control of the victim's device without requiring any user interaction, such as clicking a link.

The specifics of an exploit depend on the nature of the vulnerability being abused, but the defining feature of zero-click hacking is that it leaves no trace of malicious activity and is therefore very difficult to detect.

The two flaws identified by Project Zero are:

CVE-2021-34423 (CVSS score: 9.8) – A buffer overflow vulnerability that could be exploited to crash services or applications, or to execute arbitrary code.

CVE-2021-34424 (CVSS score: 7.5) – A process memory exposure flaw that could potentially be used to gain insight into arbitrary areas of the product's memory.

By analyzing the RTP (Real-time Transport Protocol) traffic used to deliver audio and video over IP networks, Silvanovich found that sending a malformed chat message could manipulate the contents of a buffer that supports reading various data types, causing the MMR server to crash.

In addition, the absence of a null check used to determine the end of a string made it possible to leak data from memory simply by joining a Zoom meeting through a web browser.
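As an added illustration of the pattern behind that missing null check (example code written for this article, not Zoom's closed-source implementation): a received string field consumed on the assumption that a NUL terminator is present, shown beside a parser that trusts only the bytes it actually received. The message layout, the field name and the MAX_NAME size are assumptions, and the sample messages are constructed.

```c
#include <stdint.h>
#include <string.h>

#define MAX_NAME 32   /* assumed field size, not a Zoom constant */

/* Constructed sample messages, not captured Zoom traffic. */
static const uint8_t GOOD_MSG[] = { 'a', 'l', 'i', 'c', 'e', '\0' };
static const uint8_t BAD_MSG[]  = { 'b', 'o', 'b' };  /* sender omitted the NUL */

/* Vulnerable pattern: the terminator is assumed, never verified. On BAD_MSG
 * strlen reads past the received bytes into adjacent process memory. */
size_t name_len_unchecked(const char *msg)
{
    return strlen(msg);
}

/* Hardened pattern: look for the NUL only inside the bytes actually received
 * and reject the message if it is absent or the field is too long.
 * Returns the string length, or (size_t)-1 for a malformed message. */
size_t name_len_checked(const uint8_t *msg, size_t msg_len)
{
    const uint8_t *nul = memchr(msg, '\0', msg_len);
    if (nul == NULL)
        return (size_t)-1;          /* no terminator inside the message */
    size_t len = (size_t)(nul - msg);
    if (len > MAX_NAME)
        return (size_t)-1;          /* exceeds the field size */
    return len;
}

/* Copy the field out only after the checks pass. Returns 1 on success. */
int copy_name(const uint8_t *msg, size_t msg_len, char out[MAX_NAME + 1])
{
    size_t len = name_len_checked(msg, msg_len);
    if (len == (size_t)-1)
        return 0;
    memcpy(out, msg, len);
    out[len] = '\0';
    return 1;
}

/* Self-check: 1 if the well-formed sample is accepted and copied intact
 * while the unterminated sample is rejected. */
int demo(void)
{
    char out[MAX_NAME + 1];
    if (!copy_name(GOOD_MSG, sizeof GOOD_MSG, out) || strcmp(out, "alice") != 0)
        return 0;
    return copy_name(BAD_MSG, sizeof BAD_MSG, out) ? 0 : 1;
}
```

The unchecked variant is kept only for contrast; calling it on BAD_MSG is undefined behaviour, which is exactly the over-read that turns into an information leak.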

Silvanovich also attributed the memory corruption flaw to the fact that Zoom had not enabled ASLR (address space layout randomization), a security mechanism designed to make buffer overflow attacks harder to carry out.

“The lack of ASLR in the Zoom MMR process greatly increases the risk of an attacker endangering ASLR,” says Silvanovich. “ASLR is arguably the most important mitigation to prevent memory corruption abuse, and most other mitigations rely on ASLR to some extent to be effective. There is no reason for ASLR to be disabled in part.”

While most video conferencing systems use open source libraries such as WebRTC and PJSIP to implement multimedia communications, Project Zero pointed to Zoom's use of proprietary formats and protocols, together with its high license fee (about $1,500), as barriers to security research.

“Closed source software has its own security challenges, and Zoom can do much more to make the platform accessible to security researchers and others who want to evaluate it,” Silvanovich said. “The Zoom security team helped us access and configure the server software, but it wasn't clear if other researchers would have access to the support, and the software license was still expensive.”