Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Details Disclosed for Zoom Exploit That Earned Researchers $200,000

Researchers have disclosed the details of a Zoom exploit that could have allowed malicious actors to achieve remote code execution without user interaction.

Researchers have disclosed the details of a Zoom exploit that could have allowed malicious actors to achieve remote code execution without user interaction.

The exploit was demonstrated on April 7 at the 2021 Pwn2Own hacking competition by Daan Keuper and Thijs Alkemade from Computest. The researchers earned $200,000 for demonstrating that the exploit could be used to remotely execute arbitrary code on the targeted system.

Exploits demonstrated at Pwn2Own are reported to the vendors and Zoom immediately started working on a patch. According to an advisory published by Zoom on August 13, the most severe of the flaws leveraged in the exploit chain used by Keuper and Alkemade, tracked as CVE-2021-34407, was patched in the Zoom Client for Meetings version 5.6.3, which the company released on April 19. In addition, a server-side fix was implemented just a few days after Pwn2Own.

The Zero Day Initiative (ZDI), which organizes Pwn2Own, on August 17 made public advisories for each of the three vulnerabilities chained at the contest to hack Zoom. In addition to CVE-2021-34407, which is a high-severity heap-based buffer overflow that allows remote code execution, the exploit chain involved a directory traversal bug related to the processing of GIPHY messages, and an information disclosure issue related to Zoom Marketplace URLs.

In order to trigger the exploit, the attacker would need to send a series of specially crafted messages to the targeted user. While the exploit would be triggered automatically — without the user clicking on anything — Zoom and the researchers noted that for the exploit to work, the targeted user needed to accept an external connection request or be in the same multi-user chat as the victim.

The Computest researchers on Monday published a technical write-up detailing the vulnerabilities and how they were discovered, in an effort to help others who might want to conduct similar research in the future.

Advertisement. Scroll to continue reading.

“In total we spent around 1.5 weeks from the start of our research until we had the main vulnerability of our exploit,” they explained. “Writing and testing the exploit itself took another 1.5 months, including the time we needed to read up on all Windows internals we needed for our exploit.”

Related: Details Disclosed for Critical Vulnerability in Sophos Appliances

Related: Zoom Is 16th CVE Numbering Authority Appointed in 2021

Related: Zoom Patches Two Serious Vulnerabilities Found by Cisco Researchers

Related: Zoom Working on Patch for Code Execution Vulnerability in Windows Client

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.