[MacTUG] Zoom Remote Support Exploit on MacOS

Trevor Bain etbain at uwaterloo.ca
Mon Jul 15 18:48:57 EDT 2019


Apparently Apple has taken matters into their own hands on this one:

https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability


Other Zoom "white-label" platforms are similarly vulnerable (e.g. RingCentral and Zhumu):
https://www.theverge.com/2019/7/15/20695388/zoom-video-security-flaw-ringcentral-zhumu


--
Trevor Bain
Faculty of Applied Health Sciences
University of Waterloo
519-888-4567 x43738
etbain at uwaterloo.ca
--



________________________________
From: mactug-bounces at lists.uwaterloo.ca <mactug-bounces at lists.uwaterloo.ca> on behalf of Stephen Markan <smarkan at uwaterloo.ca>
Sent: July 10, 2019 10:51 AM
To: faccus at lists.uwaterloo.ca; IST-CRS; MacTUG [mactug_mailman.uwaterloo.ca]; sec-wg at lists.uwaterloo.ca
Cc: soc at uwaterloo.ca
Subject: [MacTUG] Zoom Remote Support Exploit on MacOS

The information below was brought to our attention from Mike Patterson of IST Security Operations Centre and we are sharing with IT groups that may need to assist end-users.

An exploit for the Mac version of Zoom.us has been made public.


If you don't know what Zoom is, it is similar to Cisco WebEx.  Most often it is used by vendors to provide tech support of the "let me type on your keyboard for you" variety.

The short version for remediation is
1) If you have zoom installed, upgrade immediately.
2) If you've ever had zoom installed, but deleted it, install the latest version and then uninstall it to get rid of any vestiges.

The TL;DR information is
The exploit works as follows:
I send you a link (or embed a hidden iframe in a site) that will automatically launch the Zoom client and, depending on how you've used it before, perhaps automatically enable your camera and/or microphone. If you've deleted the application but not completely cleansed it from your system, it can also force a reinstall of the client.

Zoom is downplaying the significance of this as the user will be prompted to start the client. However, people will blindly click ok or yes to things that pop up. A fix has been released.
It's also likely that the associated local webserver Zoom installs - and persists until manually killed - has other security vulnerabilities yet to be disclosed.

Uninstalling the application is trivial for a Unix admin, not so much for people who aren't. The first step is what everybody knows: drag it out of /Applications into the Trash. Then you need to kill the webserver. There are two ways to do this; one requires a reboot.

Non-reboot way:
open terminal, run:
lsof -i :19421
and you should get a single line of output; there will be a command line, and then a number, which is the PID. You then type
kill <pid number>
Then
rm -rf ~/.zoomus

Reboot way:
open terminal, do the rm command, then reboot.

Further details are here:
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5



If you have any questions about this vulnerability please contact the Security Operations Centre at x41125 or email soc at uwaterloo.ca
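The non-reboot cleanup above, scripted so a support tech can check a machine for leftovers and remediate in one go. This is an added example, not code from either message; it assumes, as the advisory states, that the Zoom helper listens on TCP 19421 and keeps its files in ~/.zoomus, and the function names (parse_lsof_pids, zoom_residue_check, zoom_remediate) are our own.

```shell
#!/bin/sh
# Added example, not from either message: automate the non-reboot cleanup
# above. Assumes, as the advisory states, that the Zoom helper listens on
# TCP 19421 and keeps its files in ~/.zoomus; function names are our own.
ZOOM_PORT=19421
ZOOM_DIR="${HOME}/.zoomus"

# Pull PIDs out of `lsof -i :PORT` output (second column, header skipped).
# Reads the listing from stdin so it can be checked against a sample.
parse_lsof_pids() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }'
}

# PIDs of whatever is bound to the Zoom port; empty when nothing is.
zoom_server_pids() {
    lsof -nP -i ":${ZOOM_PORT}" 2>/dev/null | parse_lsof_pids
}

# Report leftovers. Returns 0 when the host is clean, 1 otherwise.
zoom_residue_check() {
    residue=0
    pids=$(zoom_server_pids)
    if [ -n "$pids" ]; then
        echo "web server still listening on port ${ZOOM_PORT}: PID(s) $pids"
        residue=1
    fi
    if [ -d "$ZOOM_DIR" ]; then
        echo "leftover directory present: $ZOOM_DIR"
        residue=1
    fi
    return $residue
}

# Kill the server and remove the directory; pass "dry-run" to only print.
zoom_remediate() {
    mode="${1:-apply}"
    for pid in $(zoom_server_pids); do
        echo "killing PID $pid"
        [ "$mode" = "dry-run" ] || kill "$pid"
    done
    if [ -d "$ZOOM_DIR" ]; then
        echo "removing $ZOOM_DIR"
        [ "$mode" = "dry-run" ] || rm -rf "$ZOOM_DIR"
    fi
}

# Usage: sh zoom_cleanup.sh (check only) or sh zoom_cleanup.sh --fix
if [ "${1:-}" = "--fix" ]; then zoom_remediate; fi
zoom_residue_check || true
```

Run it without arguments first to see what is still on the machine; a clean host prints nothing.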

