Tenable Research Advisory: Zoom Unauthorized Command Execution (CVE-2018-15715)

David Wells

Tenable Researcher David Wells discovered a vulnerability in Zoom’s Desktop Conferencing Application that allows an attacker to hijack screen controls, spoof chat messages or kick and lock attendees out of meetings. Zoom has released updates for macOS, Windows and Linux.

  • What you need to know: Tenable Research has discovered a vulnerability in Zoom’s Desktop Conferencing Application.
  • What’s the attack vector? Unauthorized command execution via Zoom’s Event messaging pump.
  • What’s the business impact? Attackers could hijack control of presenters’ desktops, spoof chat messages and kick attendees out of Zoom calls.
  • What’s the solution? Zoom has released an update for the Desktop Conferencing Application.

Background

Tenable has discovered a vulnerability, CVE-2018-15715, in Zoom's Desktop Conferencing Application that allows execution of unauthorized Zoom commands such as spoofing chat messages, hijacking screen controls, and kicking attendees off calls and locking them out of meetings. This vulnerability could be exploited in a few scenarios: 1) a Zoom meeting attendee could go rogue; 2) an attacker on the local area network (LAN) could hijack an ongoing Zoom meeting; or 3) a remote attacker over a wide area network (WAN) could theoretically do the same. We weren’t able to completely test scenario three, which is more complicated and is discussed in detail later.

Analysis

This bug exists because Zoom's internal messaging pump (util.dll!ssb::events_t::loop) dispatches both client User Datagram Protocol (UDP) messages and server Transmission Control Protocol (TCP) messages (received via util.dll!ssb::select_t::loop) to the same message handler in ssb_sdk.dll. An attacker can therefore craft and send UDP packets that are interpreted as messages from the trusted TCP channel used by authorized Zoom servers.
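A simplified model of the dispatch pattern described above, added here as an illustration (it is not Zoom's code, and the transport, command and event names are hypothetical): a pump that discards transport origin beside one that keeps it and refuses control commands arriving over the unauthenticated UDP side.

```python
from collections import deque, namedtuple
from enum import Enum

class Transport(Enum):
    TCP = "tcp"  # channel to Zoom servers, which the handler treats as trusted
    UDP = "udp"  # media/session channel whose sender is not authenticated

Event = namedtuple("Event", "transport command payload")

# Hypothetical command names standing in for the actions the advisory lists
# (remote control, chat, removing attendees); not Zoom's real message types.
CONTROL_COMMANDS = {"grant_remote_control", "chat", "remove_attendee"}

class VulnerablePump:
    """Both sockets feed one queue; the handler never looks at the origin."""
    def __init__(self):
        self.queue = deque()
        self.applied = []   # (command, payload) pairs the handler acted on
    def ingest(self, transport, command, payload):
        self.queue.append(Event(transport, command, payload))
    def accept(self, ev):
        return True         # no origin check at all
    def run(self):
        while self.queue:
            ev = self.queue.popleft()
            if self.accept(ev):
                self.applied.append((ev.command, ev.payload))
        return self.applied

class HardenedPump(VulnerablePump):
    """Same loop, but control commands are honoured only when they came in
    over TCP; rejected UDP-sourced ones are kept so monitoring can alert."""
    def __init__(self):
        super().__init__()
        self.rejected = []  # (transport, command) pairs that were dropped
    def accept(self, ev):
        if ev.command in CONTROL_COMMANDS and ev.transport is not Transport.TCP:
            self.rejected.append((ev.transport.value, ev.command))
            return False
        return True

def replay(pump_cls):
    """Constructed sequence: TCP chat, UDP media, then a UDP-sourced control command."""
    pump = pump_cls()
    pump.ingest(Transport.TCP, "chat", {"from": "host", "text": "welcome"})
    pump.ingest(Transport.UDP, "media", {"seq": 1})
    pump.ingest(Transport.UDP, "grant_remote_control", {"to": "attendee-7"})
    pump.run()
    return pump
```

The vulnerable pump applies the UDP-sourced control command exactly as it would a server message; the hardened pump keeps the media event, drops the control command and records it for detection.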

This attack can be carried out not only by attendees of the Zoom meeting but by any remote attacker able to craft a spoofed UDP packet, since such a packet slips seamlessly into the existing UDP session of an ongoing Zoom meeting and triggers this bug. Both one-on-one (P2P) meetings and group meetings streamed through Zoom servers are affected. It’s also worth mentioning that an attacker could theoretically exploit this vulnerability over the WAN if they have the ability to spoof a public source IP in a UDP packet. In that scenario, the remote attacker would spoof the WAN IP and trivially brute force the source port the victim is using for the UDP session with the Zoom server while the meeting is live.

This vulnerability allows an attacker (over LAN or WAN) or rogue attendee to:

  • Hijack screen controls: bypass screen control permissions during a remote attendee’s screen share and send keystrokes and mouse movements to completely control the desktop.
  • Spoof chat messages: send chat messages impersonating other users on the conference.
  • Kick attendees off the conference: kick and lock out attendees even without being the meeting host.

By exploiting this vulnerability, an attacker could not only hijack the presenter’s screen and open the calculator (as shown in the video linked below), but could also download and execute malware. The practical execution of such an attack would have to overcome UDP packet loss (lost keystroke packets) and interruption of the keystroke sequence by the victim.

Proof of concept

Wells has developed a proof of concept (PoC) for this vulnerability. In the video PoC below, you can see a rogue meeting attendee sending UDP packets to forcibly take control of the presenter’s screen and open the calculator.

Business impact

Conferencing services like Zoom are becoming ubiquitous in enterprises as teams are distributed around the world. According to Zoom’s website, over 750,000 companies use the enterprise video communication platform. Exploitation of a vulnerability like this could be extremely disruptive and poses serious reputational risk.

Solution

Zoom patched its servers to block part of the attack vector and released version 4.1.34814.1119 to fix the vulnerability for Windows and version 4.1.34801.1116 for macOS.

Updated December 3: Zoom has released version 2.5.146186.1130 for Linux to address this vulnerability.

Identifying affected systems

We have verified this vulnerability affects the following Zoom versions:

  • macOS 10.13, Zoom 4.1.33259.0925
  • Windows 10, Zoom 4.1.33259.0925
  • Ubuntu 14.04, Zoom 2.4.129780.0915

Tenable has released a Nessus plugin to identify vulnerable systems, which can be found here for Windows and here for macOS.
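A version-triage check of the kind a plugin performs, added here as an example (it is not Tenable's plugin code): it compares installed Zoom builds against the per-platform fixed builds named in this advisory. The inventory is constructed, and treating every build older than the fix as affected is an assumption.

```python
import re

# First fixed build per platform, as stated in this advisory.
FIXED_BUILD = {
    "windows": "4.1.34814.1119",
    "macos": "4.1.34801.1116",
    "linux": "2.5.146186.1130",
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")

def parse_version(text):
    """Turn a Zoom version such as '4.1.33259.0925' into a tuple of ints so
    that comparison is numeric ('0925' < '1119') rather than lexical."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zoom version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))

def needs_update(platform, installed):
    """True when the installed build is older than the fixed build for that
    platform (assumption: every pre-fix build is treated as affected).
    The fixed builds differ per platform, e.g. the macOS fix 4.1.34801.1116
    is numerically below the Windows fix, so one global threshold would be wrong."""
    key = platform.strip().lower()
    if key not in FIXED_BUILD:
        raise KeyError(f"no fixed build known for platform {platform!r}")
    return parse_version(installed) < parse_version(FIXED_BUILD[key])

def triage(inventory):
    """inventory: iterable of (host, platform, version) tuples. Returns the
    hosts still running a pre-fix build, in inventory order."""
    return [host for host, platform, version in inventory
            if needs_update(platform, version)]

# Constructed inventory mixing the versions this advisory verified as
# affected with the fixed builds it names.
SAMPLE_INVENTORY = [
    ("win-laptop-01", "Windows", "4.1.33259.0925"),
    ("win-laptop-02", "Windows", "4.1.34814.1119"),
    ("mac-desk-03", "macOS", "4.1.33259.0925"),
    ("mac-desk-04", "macOS", "4.1.34801.1116"),
    ("ubu-dev-05", "Linux", "2.4.129780.0915"),
    ("ubu-dev-06", "Linux", "2.5.146186.1130"),
]
```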

Additional information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Published on Nov 29, 2018
