Google details two zero-day vulnerabilities reported in Zoom client and MMR server

An exploration of the zero-click attack surface of popular video conferencing solution Zoom has yielded two previously undisclosed security flaws that could be exploited to crash the service, execute malicious code, or even leak arbitrary regions of its memory.

Natalie Silvanovich of Google Project Zero found and reported the two defects last year. The issues affected Zoom clients and Multimedia Router (MMR) servers, which stream audio and video content between clients in local deployments.

Zoom has addressed these weaknesses in updates shipped on November 24, 2021.

The goal of a zero-click attack is to silently take control of a victim’s device without requiring any kind of user interaction, such as clicking a link.

While the details of an exploit will vary depending on the nature of the vulnerability being exploited, a key characteristic of zero-click hacks is their ability to leave no trace of malicious activity, making them difficult to detect.

The two flaws found by Project Zero are as follows:

  • CVE-2021-34423 (CVSS Score: 9.8) – A buffer overflow vulnerability that can be used to crash a service or application or execute arbitrary code.
  • CVE-2021-34424 (CVSS Score: 7.5) – A process memory exposure flaw that can be used to potentially gain insight into arbitrary regions of product memory.

By analyzing the RTP (Real-time Transport Protocol) traffic used to transmit audio and video over IP networks, Silvanovich discovered that the contents of buffers that support reading different data types could be manipulated by sending malformed chat messages, resulting in client and MMR server crashes.

Furthermore, the lack of a null check, which is used to determine the end of a string, can leak data from memory when joining a Zoom meeting via a web browser.
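
The missing check described above, shown as an added example (not code from Zoom or Project Zero): a bounds-checked reader for a buffer holding mixed data types that rejects a string field with no terminator inside the received bytes. The `reader_t` type, the function names and the message layout are hypothetical, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cursor over one received message (not Zoom's structure). */
typedef struct { const uint8_t *data; size_t len, pos; } reader_t;

/* Big-endian u32; fails if fewer than 4 bytes remain. */
static int read_u32(reader_t *r, uint32_t *out) {
    if (r->len - r->pos < 4) return -1;
    const uint8_t *p = r->data + r->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    r->pos += 4;
    return 0;
}

/* NUL-terminated string: search for the terminator only within the bytes
 * actually received, and reject the field if it is absent, so no later
 * strlen/strcpy can run past the buffer into adjacent memory. */
static int read_cstr(reader_t *r, const char **out, size_t *out_len) {
    const uint8_t *start = r->data + r->pos;
    const uint8_t *nul = memchr(start, 0, r->len - r->pos);
    if (nul == NULL) return -1;           /* unterminated string */
    *out = (const char *)start;
    *out_len = (size_t)(nul - start);
    r->pos += *out_len + 1;               /* consume the terminator */
    return 0;
}

/* Parse a constructed layout: u32 id, then a string. Returns the string
 * length, or -1 if the message is malformed. */
long parse_message(const uint8_t *buf, size_t len) {
    reader_t r = { buf, len, 0 };
    uint32_t id; const char *s; size_t slen;
    if (read_u32(&r, &id) != 0 || read_cstr(&r, &s, &slen) != 0) return -1;
    return (long)slen;
}

/* Constructed sample inputs. */
const uint8_t SAMPLE_OK[] = { 0, 0, 0, 7, 'h', 'i', 0 };
const uint8_t SAMPLE_UNTERMINATED[] = { 0, 0, 0, 7, 'h', 'i' };

int main(void) {
    printf("ok: %ld\n", parse_message(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("unterminated: %ld\n", parse_message(SAMPLE_UNTERMINATED, sizeof SAMPLE_UNTERMINATED));
    return 0;
}
```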

The researcher also attributed the memory corruption bug to Zoom failing to enable ASLR, also known as address space layout randomization, a security mechanism designed to increase the difficulty of performing buffer overflow attacks.

“The lack of ASLR in the Zoom MMR process greatly increases the risk that an attacker could compromise it,” Silvanovich said. “ASLR is arguably the most important mitigation against exploiting memory corruption, and most other mitigations rely on it to some extent to be effective. The vast majority of software has no good reason to disable it.”

While most videoconferencing systems use open source libraries such as WebRTC or PJSIP to implement multimedia communications, Project Zero called out Zoom's use of proprietary formats and protocols and high licensing fees (nearly $1,500) as barriers to security research.

“Closed-source software presents unique security challenges, and Zoom can do more to make their platform accessible to security researchers and others who want to evaluate it,” Silvanovich said. “While the Zoom security team helped me access and configure the server software, it was unclear whether other researchers could get support, and software licensing was still expensive.”


