One Article Review

Home - The article:
Source ProjectZero
Identifier 8221937
Publication date 2022-01-18 09:28:18 (viewed: 2022-11-25 18:05:33)
Title Zooming in on Zero-click Exploits
Text Posted by Natalie Silvanovich, Project Zero

Zoom is a video conferencing platform that has gained popularity throughout the pandemic. Unlike other video conferencing systems that I have investigated, where one user initiates a call that other users must immediately accept or reject, Zoom calls are typically scheduled in advance and joined via an email invitation. In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom.

This analysis resulted in two vulnerabilities being reported to Zoom. One was a buffer overflow that affected both Zoom clients and MMR servers, and one was an info leak that is only useful to attackers on MMR servers. Both of these vulnerabilities were fixed on November 24, 2021.

Zoom Attack Surface Overview

Zoom’s main feature is multi-user conference calls called meetings that support a variety of features including audio, video, screen sharing and in-call text messages. There are several ways that users can join Zoom meetings. To start, Zoom provides full-featured installable clients for many platforms, including Windows, Mac, Linux, Android and iPhone. Users can also join Zoom meetings using a browser link, but they are able to use fewer features of Zoom. Finally, users can join a meeting by dialing phone numbers provided in the invitation on a touch-tone phone, but this only allows access to the audio stream of a meeting. This research focused on the Zoom client software, as the other methods of joining calls use existing device features.

Zoom clients support several communication features other than meetings that are available to a user’s Zoom Contacts. A Zoom Contact is a user that another user has added as a contact using the Zoom user interface. Both users must consent before they become Zoom Contacts. Afterwards, the users can send text messages to one another outside of meetings and start channels for persistent group conversations. Also, if either user hosts a meeting, they can invite the other user in a manner that is similar to a phone call: the other user is immediately notified and they can join the meeting with a single click. These features represent the zero-click attack surface of Zoom. Note that this attack surface is only available to attackers that have convinced their target to accept them as a contact. Likewise, meetings are part of the one-click attack surface only for Zoom Contacts, as other users need to click several times to enter a meeting.

That said, it’s likely not that difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios. For example, many groups host public Zoom meetings, and Zoom supports a paid Webinar feature where large groups of unknown attendees can join a one-way video conference. It could be possible for an attacker to join a public meeting and target other attendees. Zoom also relies on a server to transmit audio and video streams, and end-to-end encryption is off by default. It could be possible for an attacker to compromise Zoom’s servers and gain access to meeting data.
Sent Yes
Tags Vulnerability Guideline
Stories
Notes ★★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.