Security researcher points out that Zoom's installer has a bug that can be exploited to acquire root privileges on macOS



Patrick Wardle, a well-known macOS security researcher, pointed out at the hacking conference DEF CON that a bug in the Zoom installer for macOS allowed an attacker to gain root privileges on macOS.

The Zoom installer let a researcher hack his way to root access on macOS - The Verge
https://www.theverge.com/2022/8/12/23303411/zoom-defcon-root-access-privilege-escalation-hack-patrick-wardle

Mr. Wardle is the founder of the Objective-See Foundation, a non-profit organization that creates open source security tools for macOS. He is also the researcher who pointed out that several popular Mac apps distributed on the App Store collect user data and send it to an external server.

Multiple popular Mac apps distributed on the App Store collect user data and send it to an external server - GIGAZINE



Mr. Wardle points out a bug in the Zoom installer.

The installer for Zoom, a popular video conferencing tool, requires administrator privileges when installing or removing the Zoom application. When the installer first installs the Zoom app, it asks the user to enter a password, but according to Mr. Wardle, the installer's automatic update function then keeps running in the background with administrator privileges.

When Zoom distributes an app update, the updater installs the new package after verifying that it has been cryptographically signed by Zoom. However, there was a bug in how this signature verification was implemented: according to Wardle, the check could be passed simply by adding a file with the same name as Zoom's signing certificate to the updater. Wardle points out that this makes it possible to get the updater to install a package with elevated privileges.



Zoom's update installer first moves the package to be installed into a directory owned by root. Normally, users without root privileges cannot add, remove, or modify files in this directory. However, on Unix systems such as macOS, a file that is moved from another location into a root-owned directory keeps the same read and write permissions it had before, so an ordinary user can still modify it. By combining this behaviour with the bug in the Zoom installer, a user account can be elevated to root privileges.
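The following script is an added example, not code from the article or from Zoom. It reproduces the behaviour described above in a throwaway temporary directory (a move keeps the file's own mode bits) and then shows the check a privileged installer should make before trusting a staged file: regular file, owned by the expected user, not writable by group or others. The function names, the `update.pkg` file name and the directory names are assumptions for the demo; because the demo is not expected to run as root, it uses the current user's uid in place of root for the ownership check.

```python
import os
import shutil
import stat
import tempfile


def move_preserves_mode(src_dir: str, dst_dir: str) -> int:
    """Create a world-writable file in src_dir, move it into dst_dir,
    and return the permission bits it has after the move.

    A rename keeps the inode and therefore the mode bits, so a file that
    an unprivileged user could write before the move is still writable
    after it lands in the protected directory.
    """
    src = os.path.join(src_dir, "update.pkg")          # assumed file name
    with open(src, "wb") as f:
        f.write(b"constructed sample package contents")  # constructed payload
    os.chmod(src, 0o666)                                # owner, group and others can write
    dst = os.path.join(dst_dir, "update.pkg")
    shutil.move(src, dst)                               # same semantics as mv(1)
    return stat.S_IMODE(os.lstat(dst).st_mode)


def is_safe_for_privileged_use(path: str, trusted_uid: int = 0) -> bool:
    """Return True only if a privileged component may trust the file at path.

    Checked without following symlinks:
      * the path is a regular file (not a symlink, directory or device);
      * it is owned by trusted_uid (root by default);
      * neither group nor others hold write permission.
    A file failing any test could be rewritten by an unprivileged user
    between signature verification and installation.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != trusted_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def harden_for_privileged_use(path: str) -> int:
    """Strip group/other write bits and return the resulting mode.

    Clearing these bits is only half of the fix; the installer should also
    chown the file to root (needs root, so not done in this demo) or copy it
    into the protected directory as root with fresh, restrictive permissions.
    """
    st = os.lstat(path)
    new_mode = stat.S_IMODE(st.st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH)
    os.chmod(path, new_mode)
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo() -> dict:
    """Run the whole scenario in a temp directory and return the findings."""
    root = tempfile.mkdtemp(prefix="mode_demo_")
    src_dir = os.path.join(root, "downloads")   # stands in for the user-writable staging area
    dst_dir = os.path.join(root, "protected")   # stands in for the root-owned install directory
    os.mkdir(src_dir)
    os.mkdir(dst_dir)
    moved = os.path.join(dst_dir, "update.pkg")
    me = os.getuid()                            # used in place of root for the ownership check
    results = {
        "mode_after_move": move_preserves_mode(src_dir, dst_dir),
        "safe_before_fix": is_safe_for_privileged_use(moved, trusted_uid=me),
        "mode_after_fix": harden_for_privileged_use(moved),
        "safe_after_fix": is_safe_for_privileged_use(moved, trusted_uid=me),
        "safe_wrong_owner": is_safe_for_privileged_use(moved, trusted_uid=me + 1),
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:o}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

Running `demo()` shows the mode surviving the move as `666`, the staged file being rejected until the write bits are cleared, and the ownership test rejecting a file owned by anyone other than the expected uid. The ownership check matters because an attacker who can create the file in the first place also owns it; a mode fix alone does not stop the owner from changing the mode back.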

A privilege escalation attack exploiting this bug requires that the attacker already has access to the system being attacked. However, even with a limited user account, an attacker can gain administrator or root privileges through such an attack, allowing them to add, delete, or modify arbitrary files on the victim's machine.



Wardle notified Zoom of the vulnerability in the installer in December 2021. Zoom released a patch for the vulnerability a few weeks before DEF CON was held. However, when Wardle analyzed Zoom's patch in detail, he found another small error that left the vulnerability open to exploitation.

Wardle said, ``Not only have we reported the existence of the bug to Zoom, but we have also reported the mistake and how to fix the code.'' He added, ``It was really frustrating to have to wait six to eight months for disclosure of a vulnerability in an application like Zoom, which is available for all Mac versions and which, as I understand it, is installed on many users' Macs.''

in Software, Security, Posted by logu_ii