Members of Cisco’s Talos threat intelligence and research group have identified two vulnerabilities in the Zoom client application that can allow a remote attacker to write files to the targeted user’s system and possibly achieve arbitrary code execution.
The vulnerabilities, tracked as CVE-2020-6109 and CVE-2020-6110 and both rated high severity, have been described as path traversal issues that could ultimately lead to arbitrary code execution. One affects Zoom 4.6.10, 4.6.11 and likely earlier versions; the other affects only 4.6.10 and earlier. Newer versions of the video conferencing app patch the flaws.
CVE-2020-6109 is related to the way Zoom processes GIF image files. The vulnerability allows an attacker to send a specially crafted message to a user or group and it would result in a file being written to any directory to which the current user can write files.
According to Talos, the file would have a .gif extension but its content could be executable code or a script, which could aid the attacker in the exploitation of other vulnerabilities.
Exploitation of CVE-2020-6110 also involves sending a specially crafted message to a user or a group. Successful exploitation can result in a self-extracting ZIP file being written to certain folders, which could be useful for exploiting other flaws. Talos also noted in its advisory that an attacker can achieve code execution, although this requires some user interaction.
In an attack scenario described by the company, the attacker sends a malicious ZIP file to the target with a name and extension that is unlikely to raise suspicion (e.g. interesting_image.jpeg). The user downloads the file but cannot open it directly, because it is not a real image and it does not have an archive extension that would cause an archiving tool to open it.
The attacker then sends the victim a code snippet via Zoom with the same file ID and the same details in the obj tag. When Zoom sees that the file has already been downloaded, it unzips the previously downloaded file to a location picked by the attacker, which can be nearly any folder. If an attacker uses this technique to overwrite files that are at some point executed by the system, they achieve execution of their own code.
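As an added example (not Talos's or Zoom's code), the following Python shows the checks a hardened client would apply to the two file-write paths described above: keeping an attacker-supplied file name inside the download directory, verifying that a file named .gif actually carries GIF bytes, and refusing to extract a ZIP whose members would land outside the chosen folder. The function names, the download directory layout and the sample "messages" are constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# Constructed example: hardened handling for attacker-controlled file names and
# ZIP contents received in a chat message. Not Zoom's implementation.

GIF_MAGIC = (b"GIF87a", b"GIF89a")


def safe_join(base_dir: str, untrusted_name: str) -> Path:
    """Place untrusted_name under base_dir, discarding any directory component."""
    base = Path(base_dir).resolve()
    # Keep only the last component so "../../x" or "..\\..\\x" becomes "x".
    name = untrusted_name.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        raise ValueError(f"rejected file name: {untrusted_name!r}")
    target = (base / name).resolve()
    if base not in target.parents:  # belt-and-braces containment check
        raise ValueError(f"path escapes download directory: {untrusted_name!r}")
    return target


def looks_like_gif(data: bytes) -> bool:
    """True only if the bytes start with a GIF signature."""
    return data[:6] in GIF_MAGIC


def store_gif_message(base_dir: str, claimed_name: str, data: bytes) -> Path:
    """Write a received GIF only if the name is contained and the content is a GIF."""
    if not claimed_name.lower().endswith(".gif"):
        raise ValueError("expected a .gif name")
    if not looks_like_gif(data):
        raise ValueError("content is not a GIF")  # script or executable in disguise
    target = safe_join(base_dir, claimed_name)
    target.write_bytes(data)
    return target


def safe_extract_zip(zip_bytes: bytes, base_dir: str) -> list:
    """Extract all members under base_dir; abort before writing if any would escape."""
    base = Path(base_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():  # validate every member first (all-or-nothing)
            dest = (base / info.filename).resolve()
            if dest != base and base not in dest.parents:
                raise ValueError(f"zip member escapes target: {info.filename!r}")
            planned.append((info, dest))
        written = []
        for info, dest in planned:
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(info))
            written.append(dest)
    return written


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign member, one that tries to climb out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "harmless")
        zf.writestr("../startup.sh", "#!/bin/sh\necho pwned\n")
    return buf.getvalue()


def demo(tmp_root: Optional[str] = None) -> dict:
    """Run the three scenarios against a scratch directory and report outcomes."""
    if tmp_root is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    downloads = Path(tmp_root) / "downloads"
    downloads.mkdir(parents=True, exist_ok=True)
    results = {}
    # 1. Traversal in the claimed GIF name: the file still lands inside downloads/.
    p = store_gif_message(str(downloads), "../../evil.gif", b"GIF89a" + b"\x00" * 10)
    results["gif_path_contained"] = p.parent == downloads.resolve()
    # 2. A shell script wearing a .gif name is refused by the magic-byte check.
    try:
        store_gif_message(str(downloads), "script.gif", b"#!/bin/sh\necho hi\n")
        results["fake_gif_rejected"] = False
    except ValueError:
        results["fake_gif_rejected"] = True
    # 3. A ZIP member that escapes the target folder aborts the whole extraction.
    try:
        safe_extract_zip(build_malicious_zip(), str(downloads))
        results["zip_slip_rejected"] = False
    except ValueError:
        results["zip_slip_rejected"] = True
    results["escaped_file_absent"] = not (Path(tmp_root) / "startup.sh").exists()
    results["nothing_extracted"] = not (downloads / "notes.txt").exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The validate-then-write order in `safe_extract_zip` matters: checking members as they are extracted would already have written the benign entries before the escaping one is noticed, which is exactly the partial state an attacker can chain with other bugs.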
Zoom has promised to make improvements when it comes to patching vulnerabilities reported by external parties and the company is working on revamping its bug bounty program.
Zoom is also working on implementing end-to-end encryption to offer better security and privacy, but the feature will only be available to paying customers and schools. The company revealed that free users, who it says are more likely to abuse its platform, will not get end-to-end encryption, so that law enforcement can conduct investigations.