An investigation of the zero-click attack surface of the popular Zoom video conferencing solution revealed two zero-day bugs (previously unknown security vulnerabilities) that could be exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory.
Natalie Silvanovich of Google Project Zero, who discovered and reported the two flaws last year, said the issues affect both Zoom clients and Media Router (MMR) servers that relay audio and video content between clients on on-premises deployments.
The flaws have since been fixed by Zoom as part of updates released on November 24, 2021.
The goal of a zero-click attack is to stealthily take control of the victim's device without requiring any user interaction, such as clicking on a link.
While the specifics vary with the nature of the vulnerability exploited, a key feature of zero-click attacks is that they leave little or no trace of malicious activity, making them very difficult to detect.
Two defects identified by Project Zero:
- CVE-2021-34423 (CVSS score: 9.8) is a buffer overflow vulnerability that can be used to crash a service or application or execute arbitrary code.
- CVE-2021-34424 (CVSS score: 7.5) is a process memory disclosure error that can be used to potentially obtain information about arbitrary areas of product memory.
While analyzing real-time transport protocol (RTP) traffic used to deliver audio and video over IP networks, Silvanovich discovered that it was possible to manipulate the contents of a buffer that supports playback of various types of data by sending a malformed chat message that causes the MMR client and server to crash.
Additionally, the lack of a NULL check that is used to detect the end of a string allowed for a memory leak when joining a Zoom meeting through a web browser.
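As an added illustration of the bug class described above (not Zoom's code, which is closed source; the packet layout, field size and function names are assumptions), the unchecked version below measures a string field with strlen and walks into the bytes that follow it, while the checked version refuses any field that has no terminator inside its declared bounds:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a packet field that is declared to hold a
   NUL-terminated string of at most FIELD_LEN bytes. The bytes after
   the field stand in for adjacent process memory that the peer
   should never be able to read. */
#define FIELD_LEN 5

/* Malformed: the field is filled to the brim with no terminator. */
static const unsigned char sample_packet[] = {
    'a', 'l', 'i', 'c', 'e',          /* 5-byte field, no NUL */
    0x41, 0x42, 0x43, 0x44, '\0'      /* "adjacent memory" */
};

/* Well-formed: the terminator sits inside the field. */
static const unsigned char sample_packet_ok[] = {
    'b', 'o', 'b', '\0', '\0',
    0x41, 0x42, 0x43, 0x44, '\0'
};

/* Unchecked: trusts that the field is terminated. On the malformed
   packet strlen runs past the 5-byte field and counts the adjacent
   bytes too, so any later copy of "the string" discloses them. */
size_t field_len_unchecked(const unsigned char *field)
{
    return strlen((const char *)field);
}

/* Checked: look for a NUL only within the declared bounds.
   Returns the string length, or -1 if there is no terminator,
   in which case the packet must be rejected rather than parsed. */
long field_len_checked(const unsigned char *field, size_t field_max)
{
    const unsigned char *nul = memchr(field, '\0', field_max);
    if (nul == NULL)
        return -1;                    /* would read adjacent memory */
    return (long)(nul - field);
}

int main(void)
{
    printf("unchecked length of malformed field: %zu\n",
           field_len_unchecked(sample_packet));       /* 9, not <= 5 */
    printf("checked result for malformed field:  %ld\n",
           field_len_checked(sample_packet, FIELD_LEN));    /* -1 */
    printf("checked result for valid field:      %ld\n",
           field_len_checked(sample_packet_ok, FIELD_LEN)); /* 3 */
    return 0;
}
```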
The researcher also noted that the Zoom MMR process did not enable ASLR (address space layout randomization), a security mechanism designed to make buffer overflow exploitation harder, which made the memory corruption bug easier to exploit.
“The absence of ASLR in the Zoom MMR process greatly increases the risk that an attacker can compromise it,” Silvanovich said. “ASLR is perhaps the most important defense against memory corruption exploits, and the effectiveness of most other defenses at some level depends on the fact that it is disabled in the vast majority of programs.”
While most videoconferencing systems use open source libraries such as WebRTC or PJSIP to implement multimedia communications, Project Zero identified Zoom's use of proprietary formats and protocols, as well as high license fees (nearly $1,500), as barriers to security research.
“Closed source software creates unique security challenges, and Zoom can do more to make its platform available to security researchers and others who want to evaluate it,” Silvanovich said. “While Zoom Security helped me access and set up the server software, it’s not clear if support is available for other researchers, and software licensing was still expensive.”