Researchers of Google's vulnerability discovery team 'Project Zero' discover vulnerabilities leading to Zoom's zero-click attack

Natalie, a researcher at Google's vulnerability discovery team Project Zero , said that the video conference tool Zoom had a vulnerability that could allow victims to compromise devices and Zoom servers without clicking. Sylvanovich reports.

Project Zero: Zooming in on Zero-click Exploits

'Zero-Click' Zoom Vulnerabilities Could Have Exposed Calls | WIRED

Many hacking damages require the victim to open harmful links and attachments, but some attacks called 'zero-click attacks' require the victim to do nothing. It is feasible. In recent years, the damage caused by zero-click attacks has increased, and it was reported that the spyware 'Pegasus ' used to monitor VIPs and journalists also conducted zero-click attacks targeting the iPhone.

Google's Project Zero points out that the zero-click exploit for iPhone used in Pegasus, a spyware used for VIP monitoring, is 'the most technically sophisticated exploit'-GIGAZINE

Mr. Sylvanovich has discovered vulnerabilities that lead to zero-click attacks and other attacks on various communication platforms such as Facebook Messenger, Signal, Google Duo, Facetime, and iMessage. However, because Zoom has many pop-ups and notification protections, it was thought that the user would have to click multiple times for a successful attack, so Sylvanovich gave Zoom that priority. He said he hadn't checked.

However, in April 2021, Mr. Sylvanovich was inspired by the discovery of a vulnerability in the hacking contest Pwn2Own that enabled a zero-click attack against Zoom. Sylvanovich began his analysis focusing on the Zoom client software installed on the user's device to explore the potential for zero-click attacks on Zoom.

When I analyzed the code related to content processing such as audio and video with the Zoom client, there was a library that performed a lot of serialization in the SDK , and a buffer overflow attack was launched here in the vulnerability ' CVE-2021-' It turns out that there is ' 34423'. This has been found to affect multimedia router (MMR) servers as well as Zoom clients. A vulnerability has also been identified that could steal server data using a function used by the MMR server, reported as 'CVE-2021-34424'.

The two vulnerabilities discovered this time can take over a device or compromise Zoom's MMR server without the victim's intervention if the victim and the attacker have registered with each other in Zoom's 'contacts'. It was said that there was a possibility that it would lead to an attack. 'This research took months and we couldn't reach the stage of launching a full attack, so I think the vulnerability is only available to very well-funded attackers,' said Sylvanovich. But it's no surprise that attackers are working on this vulnerability. '

All of the vulnerabilities reported by Sylvanovich have been fixed on November 24, 2021, and Zoom has informed users to install the latest version of the client software. According to Sylvanovich, who reported the vulnerability to Zoom in early October, Zoom was extremely responsive and was supportive of Sylvanovich's work to discover the vulnerability.

However, unlike many video conferencing services, Zoom is not open source and has a huge amount of code that makes it difficult for security researchers to investigate how Zoom works, Sylvanovich points out. .. 'The barriers to doing research on Zoom were very high. The reason why I found the vulnerability and no other researchers could find it is not because of this barrier. I suppose, 'he said, and the lack of frequent investigations by security researchers suggests that Zoom may have a simple undiscovered vulnerability. Sylvanovich also argued that Zoom's MMR server lacks Address Space Layout Randomization (ASLR) , which is also a security concern.

in Software,   Security, Posted by log1h_ik