They are among us: exploring vulnerabilities and malicious code in Zoom for Windows

Who added this “twist” to Zoom?


Recently, one often hears the following remarks:

“We / I do not use Zoom for confidential conversations”



But what if someone cares not only about the privacy of the Zoom session but also about the integrity of the data on their device? And not without reason, because, as it turned out, there are grounds for concern. It is not only Zoom conference data that is at stake, but also the integrity and confidentiality of everything a conference participant stores on their computer.

So, I spent two evenings (a total of about 5-6 hours) dissecting Zoom for Windows (version 4.6.11 (20559.0413)). I was engaged only in static analysis, not observing the application in real time. But that was enough for me. Everything that I found is described in this article. But I'm sure this is just the tip of the iceberg. Imagine what a security analyst with enough time and budget can dig up ... And I deliberately looked for those vulnerabilities that could be used to disclose confidential information to third parties (for example, information leakage on Facebook).

I conducted a very superficial study and did not go into details. I did this in my free time and I don’t intend to do this anymore. I set a clear goal - to assess the quality of the code in terms of security and the presence (or absence) of support for the software included in the Zoom application (which is especially necessary when using a large number of third-party libraries).

Archaic 32-bit application


Seriously? But why?! Microsoft added support for 64-bit applications and various security enhancements for 64-bit processors, starting with Windows 7. This was in 2009, eleven years ago. And Windows 7 itself has long been outdated (since January 14, 2020, this OS is no longer supported). But no, in 2020 Zoom still only releases 32-bit Windows applications.

zData.dll


zData.dll uses a component with known vulnerabilities: the deprecated OpenSSL 1.0.2 library (dated March 27, 2018), whose vulnerabilities will no longer be fixed by anyone.

Since December 2019, work on OpenSSL 1.0.2 has been discontinued. Here is what its developers write:

“According to current and future releases, the OpenSSL project made the following decisions:

  • The next version of OpenSSL will be 3.0.0.
  • Version 1.1.1 will be supported until 2023-09-11 (LTS).
  • Version 1.0.2 is no longer supported. Enhanced paid support is now available.
  • Versions 1.1.0, 1.0.1, 1.0.0 and 0.9.8 are no longer supported.”

Or here:



Concatenating SQL Statements


  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL injection)

In zData.dll, an encrypted SQLite database is used as the backend for storing various session and configuration data. In some places, the SQL statements in the code appear to be simply concatenated, as shown below:

Example 1:



Example 2:



Depending on how the += operator is implemented, zData.dll could potentially contain SQL injection vulnerabilities, which could lead to information disclosure or arbitrary code execution on Zoom end-user devices.
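As an added illustration (not code from Zoom or from this article), here is the += concatenation pattern described above next to a form that keeps the value out of the SQL grammar. The table and column names, the `history_query_*` functions and the `bind` helper are assumptions; with SQLite the proper fix is `sqlite3_prepare_v2` plus `sqlite3_bind_text`, and the client-side binder is shown only so that the example compiles without the library:

```cpp
#include <stdexcept>
#include <string>
#include <vector>

// Vulnerable shape, mirroring the += concatenation seen in zData.dll: the
// caller-supplied value is spliced into the statement text, so any quote in it
// changes the SQL grammar instead of staying data (CWE-89).
std::string history_query_concat(const std::string& meeting_name) {
    std::string sql = "SELECT owner, passwd FROM history WHERE meeting_name = '";
    sql += meeting_name;
    sql += "'";
    return sql;
}

// Neutralise the one special element inside a SQL string literal: the quote,
// which SQL escapes by doubling. NUL bytes are rejected because C string APIs
// would silently truncate the statement there.
std::string sql_literal(const std::string& value) {
    std::string out = "'";
    for (char c : value) {
        if (c == '\0') throw std::invalid_argument("NUL byte in SQL literal");
        if (c == '\'') out += '\'';
        out += c;
    }
    out += "'";
    return out;
}

// Developer-controlled template with '?' placeholders; each one is replaced by
// an escaped literal. This is client-side binding; sqlite3_bind_text() is the
// better option because the value then never enters the statement text at all.
std::string bind(const std::string& tmpl, const std::vector<std::string>& params) {
    std::string out;
    size_t next = 0;
    for (char c : tmpl) {
        if (c != '?') { out += c; continue; }
        if (next >= params.size()) throw std::invalid_argument("too few parameters");
        out += sql_literal(params[next++]);
    }
    if (next != params.size()) throw std::invalid_argument("too many parameters");
    return out;
}

std::string history_query_bound(const std::string& meeting_name) {
    return bind("SELECT owner, passwd FROM history WHERE meeting_name = ?", {meeting_name});
}
```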

Oh, excuse me... but isn't this, by any chance, the key used to decrypt the encrypted SQLite database?



I don’t know for sure, actually :-) However, encrypting the database does not, in principle, prevent access to the confidential data stored there. It seems that Zoom uses the SQLite database to store history records and logs, and possibly also sensitive data such as passwords and/or cryptographic keys. I did not go deep into how SQLite is used as a data container; I leave this fun to more curious readers.

Zzhost.dll


Buffer Overflow Threat


Looking through the binary import tables, I came across a call to sprintf(). But you know that sprintf() is a potentially dangerous function, and compilers give warnings if you use it. It seems that such warnings do not bother Zoom developers.

  • CWE-120: Buffer Copy without Checking Size of Input, i.e. a classic buffer overflow (in the logging function)
  • CWE-676: Use of Potentially Dangerous Function (sprintf)



To successfully exploit this vulnerability, it is necessary to control the contents of the source buffer. I have not tried to do this myself. However, since this is a logging function, attackers could theoretically affect the contents of the original buffer. Once again, I myself did not check whether this is actually possible. But the mere fact that such an opportunity exists, combined with ignoring the compiler's warnings about dangerous functions, is very bad practice. Developers! Do not do that!
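An added example (not Zoom's code) of the logging-function shape the two CWEs above describe, beside a bounded version that actually checks the size; the buffer size, function names and the `[component] message` line format are assumptions:

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Fixed-size line buffer such as a logger might use (size is an assumption).
constexpr size_t LOG_LINE_MAX = 64;

// Vulnerable shape the page describes: sprintf writes however many bytes the
// format expands to, and nothing compares that with sizeof(line). A message
// longer than the buffer overruns the stack (CWE-120 via CWE-676).
// Kept only for contrast; never call it with attacker-influenced input.
std::string log_event_unsafe(const char* component, const char* msg) {
    char line[LOG_LINE_MAX];
    std::sprintf(line, "[%s] %s", component, msg);   // unbounded write
    return std::string(line);
}

// Hardened: snprintf bounds the write. Its return value is the length the full
// message WOULD have had, so compare it with the capacity to detect truncation
// instead of silently logging a cut line (or, worse, using it as a new offset).
// Returns true if the whole message fit, false if it was truncated.
bool format_log_line(char* line, size_t cap, const char* component, const char* msg) {
    int n = std::snprintf(line, cap, "[%s] %s", component, msg);
    if (n < 0) { line[0] = '\0'; return false; }   // encoding error
    return static_cast<size_t>(n) < cap;
}

// Wrapper that returns the produced text and flags truncated lines explicitly.
std::string log_event(const char* component, const char* msg) {
    char line[LOG_LINE_MAX];
    bool fit = format_log_line(line, sizeof line, component, msg);
    std::string out(line);
    if (!fit) out += " [truncated]";
    return out;
}
```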

zCrashReport.exe


Saving Windows registry keys


The Windows registry contains quite important information - especially when we access it through a process with privileged rights.

I found this:



“Dumping registry keys” sounds like a malicious function to me, so I tried to find out whether it really saves the keys and values of the Windows registry. Yes, it does; I found the corresponding fragment in the code:



Screen capture in Crash Reporter


zCrashReport.dll offers us the following functions:



In crashReport.exe, Windows API functions are used to capture the screen and individual windows.



Do you think Zoom sends the captured data from the screen to its servers? If so, then this can be regarded as malicious code.

Airhost.exe


Components with Vulnerabilities


Airhost.exe uses libcurl 7.36.0 (released March 26, 2014), in which 52 vulnerabilities have been found. And curl, in turn, includes libssh2, which also has a number of known vulnerabilities:




These vulnerabilities, fortunately, do not pose a threat specifically to Zoom users. However, why use outdated and vulnerable libraries if you care about your code at all? It’s easier to use the latest version than to guess whether the next vulnerability found will affect your application, isn't it?

Hard-coded Encryption / Decryption Key


Airhost.exe uses a constant as the symmetric encryption key: the SHA-256 output of the string “0123425234234fsdfsdr3242” is used as the AES-256 key for encryption / decryption via OpenSSL.



And the string “3423423432325249” is used as the initialization vector (IV).



Vulnerabilities in zWebService.dll and tp.dll


zWebService.dll and tp.dll use libcurl 7.55.1. Even though this library is not as old as libcurl 7.36.0 (which is used in airhost.exe), it is still somewhat outdated. If end-user security were truly important to the developers, they would examine this list of vulnerabilities:



Vulnerabilities in turbojpeg.dll


Turbojpeg.dll uses libjpeg-turbo 2.0.0 (build 20190715). Here is a list of remote-code-execution-class vulnerabilities in turbojpeg / libjpeg-turbo:



What's next?


At this point, I stopped digging into the insides of Zoom for Windows. For those who want to continue, I gladly pass the baton:

sha256 checksums of Zoom 4.6.11 (20559.0413) executable files

