Zoom RCE only hit those who uninstalled it: Assetnote

The local web server's domain-suffix check left it open to exploitation.

[Image: Assetnote working on CVE-2019-13567. Image: Assetnote]

Users who rushed to drag Zoom into the trash can inadvertently left themselves open to a remote code execution (RCE) exploit, according to Assetnote.

Detailed in a blog post, Assetnote states it found the RCE in March at a hacking event for a "large Silicon Valley based target".

The flaw the team exploited was in the residual ZoomOpener process left behind after a user thought they had removed Zoom from their Mac. This was the controversial local web server, whose use Zoom defended to ZDNet when the saga erupted; it allowed the Zoom application to be reinstalled on a Mac when the user clicked a Zoom video conferencing link.

Assetnote found the ZoomOpener local web server would accept a variable specifying where to download the Zoom package from, and would check it against a hard-coded list of domains -- zoom.us, zipow.com, zoomgov.com, and zoom.com. If the value was not an exact match, it would then check whether the value merely ended with one of those domains.

This meant that if a package was served from a URL such as assetnotehackszoom.com/attacker.zoom.us, ZoomOpener would perform no further integrity checks and hand it off to be installed -- after which the attacker's code would be running on the machine.
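To make the suffix-check failure concrete, here is an added illustration (my own code, not ZoomOpener's; the exact form of Zoom's original check is not on the page) that models the logic the article describes beside a host-based allowlist check that matches only on a label boundary:

```python
import re

# Domains the article says ZoomOpener accepted as download sources.
ALLOWED_DOMAINS = ("zoom.us", "zipow.com", "zoomgov.com", "zoom.com")

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def weak_source_check(source: str) -> bool:
    """Models the check as described: exact match against the list,
    otherwise 'does one of the domains appear as a suffix'. The suffix
    test runs on the whole raw value, path and all, which is the bug."""
    if source in ALLOWED_DOMAINS:
        return True
    return any(source.endswith(d) for d in ALLOWED_DOMAINS)


def strict_source_check(source: str) -> bool:
    """Hardened version (added here, not Zoom's code): isolate the host part
    before any path, validate each label, then require an exact match or a
    match preceded by a dot so only real subdomains of the allowed domains
    pass. Values carrying ports or userinfo fail the label check and are
    rejected outright."""
    host = source.split("/", 1)[0].lower().rstrip(".")
    labels = host.split(".")
    if not labels or not all(_LABEL.match(label) for label in labels):
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


if __name__ == "__main__":
    # Constructed sample values: the article's bypass, a look-alike domain,
    # and a legitimate subdomain with a package path.
    for value in ("assetnotehackszoom.com/attacker.zoom.us",
                  "notzoom.us",
                  "dl.zoom.us/pkg/Zoom.pkg"):
        print(f"{value!r}: weak={weak_source_check(value)} "
              f"strict={strict_source_check(value)}")
```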

Assetnote also said ZoomOpener could have been hit with a subdomain takeover, but a quick look did not find any candidates.

"After a lot of time messing around with the Zoom install we determined that the necessary pre-condition to trigger this state was to have Zoom uninstalled after being previously installed," the team said.

By the end of last week, other security researchers had also found the RCE vulnerability.

Last week, Apple rolled out silent updates that killed off Zoom's web server, as well as white-labelled versions used by other vendors, by using its malware removal infrastructure.

Prior to Apple's action, Zoom released an update to remove the web server.

"We misjudged the situation and did not respond quickly enough -- and that's on us," Zoom CEO Eric Yuan said at the time.

The company told ZDNet last week the change of course was in response to customer feedback, not security concerns.

"There was never a remote code execution vulnerability identified. Zoom decided to remove the web server based on feedback from the security community and our users," it said.

"Even for those who did not upgrade, Zoom will not use the local web server to join meetings automatically anymore as we have disabled it on our backend."
