Google Project Zero Bugged ZOOM
Two previously undisclosed zero-click vulnerabilities in the popular video conferencing solution Zoom could be exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory.
The flaws were fixed in updates released during November 2021. The primary goal of a zero-click attack is to gain control over the victim’s device without requiring any kind of interaction from the user. A key trait of zero-click hacks is their ability not to leave behind traces of malicious activity, making them very difficult to detect.
The two flaws identified by Project Zero are as follows:
- CVE-2021-34423 (CVSS score: 9.8) – A buffer overflow vulnerability that can be leveraged to crash the service or application, or execute arbitrary code.
- CVE-2021-34424 (CVSS score: 7.5) – A process memory exposure flaw that could be used to potentially gain insight into arbitrary areas of the product’s memory.
By analyzing the RTP (Real-time Transport Protocol) traffic, it is possible to manipulate the contents of a buffer that supports reading different data types by sending a malformed chat message, causing the client and the MMR server to crash.
The lack of a NULL check, which is used to determine the end of a string, made it possible to leak data from memory by joining a Zoom meeting via a web browser.
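The two checks whose absence is described above (a bounds check when reading typed values from a received buffer, and a check that a string's terminator actually exists inside that buffer) look like this in a minimal reader. This is an added example, not code from Zoom or Project Zero; the message layout (a 32-bit sender id followed by a NUL-terminated string), the function names and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Cursor over bytes received from the network (hypothetical format, not Zoom's). */
typedef struct { const uint8_t *p; size_t len; size_t off; } reader;

/* Read a big-endian u32; fail if fewer than 4 bytes remain. */
int read_u32(reader *r, uint32_t *out) {
    if (r->len - r->off < 4) return -1;
    const uint8_t *b = r->p + r->off;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    r->off += 4;
    return 0;
}

/* Read a NUL-terminated string into dst. The terminator must lie inside the
   received bytes and the string must fit in dst; otherwise reject the message. */
int read_cstr(reader *r, char *dst, size_t cap) {
    size_t remaining = r->len - r->off;
    const uint8_t *s = r->p + r->off;
    const uint8_t *nul = memchr(s, '\0', remaining);
    if (nul == NULL) return -1;      /* unterminated: strlen() would read past the buffer */
    size_t n = (size_t)(nul - s);
    if (n + 1 > cap) return -1;      /* string plus terminator would overflow dst */
    memcpy(dst, s, n + 1);
    r->off += n + 1;
    return (int)n;
}

/* Parse one chat message: u32 sender id followed by a C string. Returns text length or -1. */
int parse_chat(const uint8_t *msg, size_t len, uint32_t *sender, char *text, size_t cap) {
    reader r = { msg, len, 0 };
    if (read_u32(&r, sender) != 0) return -1;
    return read_cstr(&r, text, cap);
}

/* Constructed sample inputs: well-formed, missing terminator, truncated header. */
const uint8_t GOOD_MSG[]         = { 0, 0, 0, 7, 'h', 'i', 0 };
const uint8_t UNTERMINATED_MSG[] = { 0, 0, 0, 7, 'h', 'i', '!' };
const uint8_t SHORT_MSG[]        = { 0, 0 };

int main(void) {
    uint32_t id; char text[16];
    int ok = parse_chat(GOOD_MSG, sizeof GOOD_MSG, &id, text, sizeof text) == 2
          && parse_chat(UNTERMINATED_MSG, sizeof UNTERMINATED_MSG, &id, text, sizeof text) == -1;
    return ok ? 0 : 1;
}
```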
The memory corruption flaw is attributed to the fact that Zoom failed to enable address space layout randomization (ASLR), a security mechanism designed to increase the difficulty of performing buffer overflow attacks.
ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective. There is no good reason for it to be disabled in the vast majority of software.
In general, open-source libraries such as WebRTC or PJSIP are used by video conferencing solution providers for implementing multimedia communications, but Zoom uses proprietary formats and protocols.
Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it.