Updated Aug. 15 at 10:55AM ET: Zoom has updated its Mac application to address the vulnerability; version 5.11.5 is now available for download.
Security researchers have found a way for attackers to exploit the macOS version of Zoom and gain control over the entire operating system. Mac security expert Patrick Wardle detailed the findings in a presentation Friday at the Def Con hacker conference in Las Vegas. Zoom has fixed some of the bugs involved, but the researcher also presented an as-yet-unpatched vulnerability that still affects systems today.
The vulnerability works through the installer for the Zoom application, which needs to run with special user privileges in order to install or remove the main Zoom application from the computer. Although the installer requires the user to enter a password when the app is first added to the system, Wardle found that the auto-update function then continues to run in the background with superuser privileges.
When Zoom releases an update, the updater installs the new package after checking that it has been cryptographically signed by Zoom. But a bug in the way the check is implemented means that handing the updater any file with the same name as Zoom’s signing certificate is enough to pass the test, so an attacker can substitute any kind of malware program and have the updater run it with elevated privileges.
The result is a privilege escalation attack, which assumes the attacker has already gained initial access to the target system and then exploits the vulnerability to obtain a higher level of access. In this case, the attacker starts with a limited user account but escalates to the most powerful type of user, called “superuser” or “root”, which allows them to add, delete, or modify any file on the machine.
Wardle is the founder of the Objective-See Foundation, a nonprofit that creates open source security tools for macOS. Earlier in the same week as Def Con, at the Black Hat cybersecurity conference, Wardle detailed a for-profit company’s unauthorized use of algorithms extracted from his open-source security software.
In accordance with responsible disclosure protocols, Wardle notified Zoom of the vulnerability last December. To his dismay, he said, Zoom’s initial fix contained another bug, meaning the vulnerability could still be exploited in a slightly more roundabout way. He disclosed the second bug to Zoom and waited eight months before publishing the research.
“It’s a bit of a problem for me because not only did I report the bug to Zoom, but also the bug and how to fix the code,” Wardle told The Verge by phone before the talk. “So, to wait six, seven, eight months knowing that all Mac versions of Zoom are present on users’ computers is really frustrating.”
A few weeks before Def Con, Wardle said, Zoom released a patch that fixed the bug he had initially found. But on closer analysis, another small bug means the vulnerability can still be exploited.
To install an update, the package to be installed is first moved into a directory owned by the “root” user. Normally this means that users without root privileges cannot add, delete, or modify files in that directory. But due to a subtlety of Unix-like systems (macOS among them), when an existing file is moved into the root-owned directory from another location, it keeps the same read and write permissions it had before. So in this case it can still be modified by normal users. And because it can be modified, a malicious user can swap the contents of that file for a file of their own choosing and use it to become root.
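As an added illustration (not from the article and not Zoom’s code), the following Python sketch reproduces the Unix behaviour described above and shows the ownership and mode check a privileged installer should make before trusting a staged file. The function names are hypothetical, the sample package is constructed, and the demo checks against the current user’s uid rather than root (uid 0) so it runs unprivileged.

```python
import os
import stat
import tempfile

def package_is_trustworthy(path, expected_uid=0):
    """Accept a staged package only if it is a regular file (no symlink),
    owned by the expected user (root, uid 0, for a privileged installer)
    and not writable by group or others. The mode check is what catches
    a file that kept its original permissions when it was moved."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def stage_by_rename(src, staging_dir):
    """The problematic pattern: a move keeps the file's owner and mode."""
    dest = os.path.join(staging_dir, os.path.basename(src))
    os.rename(src, dest)
    return dest

def stage_by_copy(src, staging_dir):
    """Safer pattern: create a fresh file in the staging directory with an
    explicit restrictive mode, copy the bytes in, then relax it to 0o644.
    The new inode belongs to the installer, not to the submitting user."""
    dest = os.path.join(staging_dir, os.path.basename(src))
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        out.write(inp.read())
    os.chmod(dest, 0o644)  # readable by all, writable only by the owner
    return dest

def demo():
    """Constructed scenario: a world-writable 'package' left by an ordinary
    user is staged both ways. Returns the resulting modes and check results.
    expected_uid is the current user so the demo runs without root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        staging = os.path.join(tmp, "staging")
        os.mkdir(staging, 0o755)
        for name, stage in (("rename", stage_by_rename), ("copy", stage_by_copy)):
            src = os.path.join(tmp, f"update-{name}.pkg")
            with open(src, "wb") as f:
                f.write(b"constructed package contents")
            os.chmod(src, 0o666)  # writable by everyone, as the user left it
            dest = stage(src, staging)
            results[f"{name}_mode"] = stat.S_IMODE(os.lstat(dest).st_mode)
            results[f"{name}_trusted"] = package_is_trustworthy(dest, os.getuid())
    return results
```

Running `demo()` shows the moved file still carrying mode 0o666 and failing the check, while the freshly created copy carries 0o644 and passes.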
While the bug currently exists in Zoom, Wardle says it is easy to fix, and he hopes that talking about it publicly will provide the “fuel” for the company to deal with it as soon as possible.
In a statement to The Verge, Matt Nagel, Zoom’s head of security and privacy communications, said: “We are aware of the newly reported vulnerability in the macOS automatic updater and are working to resolve the issue.”
Updated August 12 at 11:09PM ET: The article has been updated based on Zoom’s response.