Today Google's Project Zero team has published details of two bugs that it reported to Zoom, the video conferencing app. The Zoom team has patched the issues and already released the fix.
First bug: a buffer overflow vulnerability in the Zoom client when processing chat messages, tracked as CVE-2021-34423, has been categorized as High severity with a CVSS score of 7.3. It can potentially allow a malicious actor to crash the service or application, or to leverage the vulnerability to execute arbitrary code.
"The Zoom client uses the method ssb::conf_send_msg_req::load_from to deserialize incoming chat messages from msg_db_t instances during video calls. This method makes a call to ssb::i_stream_t<ssb::msg_db_t,ssb::bytes_convertor>::read_str_with_len, which reads a string into a pre-allocated buffer. However, read_str_with_len does not check the length of the buffer, which is allocated based on a separate length readout of the msg_db_t instance," says the Google researcher.
This means that if an attacker sends a malformed chat message, they can overflow the allocated buffer, controlling the overflow contents, the length of the overflow, as well as the allocation size.
Successful exploitation of the bug causes the target to crash or otherwise show signs of memory corruption.
Second bug: the second issue is a process memory exposure bug (CVE-2021-34424), again in the Zoom client (for Android, iOS, Linux, macOS, and Windows before version 5.8.4), categorized as Medium severity with a CVSS score of 5.3. The vulnerability potentially allowed the state of process memory to be exposed, which could be used to gain insight into arbitrary areas of the product’s memory.
"There is a function in the MMR server that retrieves a ssb::variant_t from an incoming message with the name "user_name" (located at address 0x522DA0 in version 4.6.20210429.54). It converts the variant i8 array into a std::string without checking whether it is null terminated. As a result, the returned string can contain data from memory in the server," says the Google researcher.
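The two defects above share a root cause: a length or terminator the code trusted without checking. The C++ reader below is an added illustration, not Zoom's code: a hypothetical message carries one length used to size the buffer and a second used for the copy (the first bug), and the result string is bounded by the explicit length rather than by a NUL scan (the second bug). The wire format, function names and sample messages are all constructed for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <string>
#include <vector>

// Hypothetical wire format, constructed for this example (not Zoom's):
//   u32 alloc_len  (receiver sizes its buffer from this)  u32 str_len  (copy length)
//   u8  bytes[str_len]
// The page describes a reader that allocates from one length and copies using the
// other without comparing them; this reader validates both before touching memory.
struct ParseResult { bool ok; std::string value; std::string error; };

static bool read_u32(const std::vector<uint8_t>& msg, size_t& pos, uint32_t& out) {
    if (msg.size() - pos < 4) return false;           // header truncated
    out = 0;
    for (int i = 0; i < 4; ++i) out |= static_cast<uint32_t>(msg[pos + i]) << (8 * i);
    pos += 4;
    return true;
}

ParseResult read_str_with_len_checked(const std::vector<uint8_t>& msg) {
    size_t pos = 0;
    uint32_t alloc_len = 0, str_len = 0;
    if (!read_u32(msg, pos, alloc_len) || !read_u32(msg, pos, str_len))
        return {false, "", "truncated header"};
    // The missing check: the copy length must fit the pre-allocated buffer.
    if (str_len > alloc_len)
        return {false, "", "str_len exceeds alloc_len"};
    // The payload must also be present in the message, or the copy over-reads.
    if (str_len > msg.size() - pos)
        return {false, "", "str_len exceeds message"};
    std::vector<char> buf(alloc_len, '\0');           // the pre-allocated buffer
    std::memcpy(buf.data(), msg.data() + pos, str_len);
    // Bound the string by the explicit length rather than scanning for a NUL,
    // so unterminated payloads cannot pull adjacent memory into the result.
    return {true, std::string(buf.data(), str_len), ""};
}

// Builds a sample message (constructed input, little-endian u32 header fields).
std::vector<uint8_t> make_msg(uint32_t alloc_len, uint32_t str_len, const std::string& payload) {
    std::vector<uint8_t> m;
    for (uint32_t v : {alloc_len, str_len})
        for (int i = 0; i < 4; ++i) m.push_back(static_cast<uint8_t>(v >> (8 * i)));
    m.insert(m.end(), payload.begin(), payload.end());
    return m;
}
```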