Zoom chat messages can infect devices with malware • The Register

Zoom has patched a security flaw in its video conferencing software that an attacker could exploit with chat messages to potentially execute malicious code on a victim’s device.

The bug, identified as CVE-2022-22787, received a CVSS severity score of 5.9 out of 10, making it a medium-severity vulnerability. It affects the Zoom Client for Meetings on Android, iOS, Linux, macOS and Windows before version 5.10.0, and users should update to the latest version of the software to protect against this remotely exploitable code execution vulnerability.

The result is that someone who can send you chat messages could trick your vulnerable Zoom client into installing malicious code, such as malware and spyware, from an arbitrary server. Exploiting this takes some work, so crooks can't trivially jump on it, but you still need to update your app.

As Zoom explained in a security bulletin, these earlier software versions fail “to properly validate the hostname when requesting a server change.”

Google’s Project Zero bug hunter Ivan Fratric found the flaw and reported it to the video conferencing giant in February. As Fratric explained in a report made public today, no user interaction is required to launch an attack, which he described as “XMPP stanza smuggling.”

“The only capability an attacker needs is to be able to send messages to the victim via Zoom chat over the XMPP protocol,” Fratric noted.

XMPP is the messaging protocol Zoom uses for its chat functionality. It works by sending short pieces of XML called stanzas over a long-lived stream connection. Crucially, the same stream carries both chat messages relayed from other users and control messages that originate from the server, so a client that misjudges where one stanza ends and the next begins can be made to treat attacker-supplied XML as server instructions.

The vulnerability exploits inconsistencies between the XML parsers in Zoom's client and server software to smuggle arbitrary XMPP stanzas past the server to the victim's client, Fratric wrote.
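To make the mechanism concrete, here is a constructed toy model of such a parser differential, added to this article and not code from Zoom or from Fratric's report: two stand-in stanza splitters disagree about where one stanza ends and the next begins, so what the "server" validates as one harmless message the "client" reads as a message followed by a control stanza. The CDATA-blind tokenizer, the namespace and the JIDs are hypothetical and chosen for illustration only; the real discrepancy lies in the parsers Zoom's client and server actually use, which the report details.

```python
"""Toy model of XMPP stanza smuggling via a parser differential.

Constructed example, not Zoom's code: the two splitters below stand in for
the server-side and client-side XML parsers. Only the disagreement between
them is the point; the CDATA trick is a hypothetical differential chosen
for illustration, not the one reported against the real client.
"""
import re
import xml.etree.ElementTree as ET

# Stanza sent by the attacker (constructed). To a CDATA-aware parser the
# body is plain character data; to a parser blind to CDATA it looks like
# two closing tags, a new <iq> control stanza and a fresh <message>.
SMUGGLING_STANZA = (
    '<message from="attacker@example.test" to="victim@example.test">'
    "<body><![CDATA[</body></message>"
    '<iq type="set" id="smuggled"><query xmlns="urn:example:clusterswitch">'
    "<host>attacker.example.test</host></query></iq>"
    "<message><body>]]></body></message>"
)

BENIGN_STANZA = '<message to="victim@example.test"><body>hi</body></message>'


def server_view(stream: str) -> list:
    """Server stand-in: a real XML parser. Returns the tag name of each
    top-level stanza it finds in the stream."""
    root = ET.fromstring(f"<stream>{stream}</stream>")
    return [child.tag for child in root]


# Matches <name ...>, </name> and <name .../>; deliberately does not match
# "<![CDATA[" or "]]>", so CDATA sections are invisible to this tokenizer.
TAG_RE = re.compile(r"<(/?)([A-Za-z][\w:.-]*)(?:\s[^>]*?)?(/?)>")


def client_view(stream: str) -> list:
    """Client stand-in: a hand-rolled tokenizer that tracks element depth
    with a regex and is blind to CDATA, so markup inside <![CDATA[ ... ]]>
    is treated as real tags. Returns the tag name of each stanza it sees."""
    stanzas, depth, top = [], 0, None
    for m in TAG_RE.finditer(stream):
        closing, name, self_closing = m.groups()
        if closing:
            depth -= 1
        else:
            if depth == 0:
                top = name          # start of what this parser thinks is a stanza
            if not self_closing:
                depth += 1
        if depth == 0:
            stanzas.append(top)     # this parser thinks a stanza just ended
    return stanzas


def smuggled_control_stanzas(stream: str) -> list:
    """Stanzas the client would act on that the server never saw as stanzas.
    Assumes the server forwards the original bytes after validating them."""
    server = server_view(stream)
    return [tag for tag in client_view(stream) if tag not in server]


if __name__ == "__main__":
    print("server sees:", server_view(SMUGGLING_STANZA))
    print("client sees:", client_view(SMUGGLING_STANZA))
    print("smuggled   :", smuggled_control_stanzas(SMUGGLING_STANZA))
```

The server-side parser reports a single `message`, so a relay that validates with that parser and forwards the bytes unchanged lets the payload through; the client-side tokenizer reports `message`, `iq`, `message`, and the `iq` arrives on the same stream as genuine server control traffic. The durable fix is to parse with one well-tested XML implementation on both ends, or to have the server re-serialise what it parsed rather than forward raw bytes, so no such disagreement can arise.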

XMPP stanza smuggling can be used for a variety of nefarious purposes, from spoofing messages so they appear to come from another user to sending control messages that the client accepts as if they came from the server. However, Fratric noted that the "most impactful vector" opened up by the stanza smuggling vulnerability is hijacking the client's cluster switch mechanism.

Sending a specifically crafted stanza, which he detailed, results in the creation of a ClusterSwitch task in the Zoom client with an attacker-controlled web domain as its parameter.
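The weakness Zoom's bulletin names is the missing hostname check on that parameter. As an added illustration that is not Zoom's code, the following contrasts a substring check, which an attacker-controlled domain can satisfy, with a check that canonicalises the name and matches whole DNS labels against an allowlist. The allowlisted suffix, the function names and the sample hostnames are assumptions made for the example.

```python
"""Validating the target hostname of a server-change request.

Constructed example, not Zoom's code: the allowlisted suffix, the function
names and the sample hostnames are assumptions for illustration.
"""
import ipaddress
import re
from typing import Optional

# Hypothetical suffixes a client should be willing to switch to.
TRUSTED_SUFFIXES = ("example-conf.test",)

# One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def weak_is_trusted(host: str) -> bool:
    """'Contains a trusted name somewhere' check. Passes for
    example-conf.test.attacker.test, evilexample-conf.test and
    attacker.test/?x=example-conf.test alike."""
    return any(suffix in host for suffix in TRUSTED_SUFFIXES)


def canonical_hostname(raw: str) -> Optional[str]:
    """Lower-case and strip a trailing dot, then reject anything that is not
    a bare DNS name: URL syntax, ports, IP literals, malformed labels."""
    host = raw.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        return None
    if any(ch in host for ch in "/\\@:?#% "):
        return None
    try:
        ipaddress.ip_address(host)
        return None  # an IP literal, not a name that can be allowlisted
    except ValueError:
        pass
    if not all(LABEL_RE.fullmatch(label) for label in host.split(".")):
        return None
    return host


def strict_is_trusted(raw: str) -> bool:
    """Accept only an allowlisted name or a subdomain of one, matched on
    whole labels so the suffix cannot be hidden inside another label."""
    host = canonical_hostname(raw)
    if host is None:
        return False
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def decide_cluster_switch(requested_host: str) -> Optional[str]:
    """Return the canonical host the client may switch to, or None to refuse."""
    if not strict_is_trusted(requested_host):
        return None
    return canonical_hostname(requested_host)


if __name__ == "__main__":
    for candidate in ("web.example-conf.test", "example-conf.test.attacker.test",
                      "evilexample-conf.test", "203.0.113.5"):
        print(f"{candidate:36} weak={weak_is_trusted(candidate)!s:5} "
              f"strict={strict_is_trusted(candidate)}")
```

Two details matter in practice: the comparison runs on the canonical form (lower-cased, trailing dot removed) so case or a trailing dot cannot dodge the allowlist, and the suffix is matched only at a label boundary, so `evilexample-conf.test` and `example-conf.test.attacker.test` are both refused even though both contain the trusted name.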

Standing up a man-in-the-middle (MITM) server at that domain to exploit the bug also exposed the data the client fetches from the /clusterswitch endpoint, including a list of domains for various Zoom services.

“Since the attacker is already in the man-in-the-middle position, he can replace any of the domains with his own, acting as a reverse proxy and intercepting communications,” Fratric wrote.

For this proof of concept, he changed the domain used for Zoom’s web server to a server he controlled, which allowed him to see and modify traffic between the client and Zoom’s web server. “This, in turn, allowed me to MITM the client update process and move on to executing arbitrary code,” Fratric explained.

In short: update if you haven’t already. ®
