“For a successful attack, you don’t even need to interact directly with the user. An attacker simply needs to be able to send messages to the victim via the XMPP protocol in Zoom chat,” Fratric said in detailing the vulnerability chain.
By examining differences in how the Zoom server and the Zoom clients parse XMPP messages, Fratric uncovered a chain of vulnerabilities that allowed attackers to remotely execute malicious code. To demonstrate the attack, the researcher sent a specially crafted message, performed a man-in-the-middle attack, and redirected the “victim” client to his own server, which served an old version of the Zoom client from mid-2019.
"The installer for this version is still properly signed, but does not perform any security checks on the installation cab file," Fratric added. "To demonstrate how the attack works, I replaced Zoom.exe in the cab file with a binary file that opened the standard Windows calculator, and immediately after installing the 'update' I saw the calculator running."
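The two weaknesses Fratric describes (an installer that accepts an older version, and a signed installer whose inner cab is never checked) are exactly what an updater's acceptance logic should refuse. The following is an added illustration, not Zoom's code: it assumes a signed manifest that carries the offered version and a SHA-256 digest of the cab, and that the manifest signature itself has already been verified. All version numbers and payload bytes are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass

@dataclass
class SignedManifest:
    # Assumed manifest shape: what a signed update descriptor would carry.
    # The manifest's own signature is assumed to have been verified already.
    version: str
    cab_sha256: str

def parse_version(text):
    """Turn '5.0.1' into (5, 0, 1); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_newer(candidate, installed):
    """True only if candidate is strictly newer; pads so that 5.10 == 5.10.0."""
    a, b = parse_version(candidate), parse_version(installed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a > b

def validate_update(manifest, installed_version, cab_bytes):
    """Return (accepted, reason) for an offered update package."""
    # 1. Refuse anything that is not strictly newer than the installed build.
    if not is_newer(manifest.version, installed_version):
        return False, "downgrade or same-version package rejected"
    # 2. Bind the payload to the signed manifest with a digest, so a validly
    #    signed installer cannot be shipped with a swapped or edited cab.
    actual = hashlib.sha256(cab_bytes).hexdigest()
    if actual != manifest.cab_sha256.lower():
        return False, "cab digest does not match signed manifest"
    return True, "ok"

# Constructed sample data (not real Zoom artifacts or version numbers).
GENUINE_CAB = b"CAB\x00genuine payload bytes"
MANIFEST_NEW = SignedManifest("5.0.1", hashlib.sha256(GENUINE_CAB).hexdigest())
MANIFEST_OLD = SignedManifest("4.0.0", hashlib.sha256(GENUINE_CAB).hexdigest())
INSTALLED = "5.0.0"

def demo():
    return {
        "genuine": validate_update(MANIFEST_NEW, INSTALLED, GENUINE_CAB),
        "downgrade": validate_update(MANIFEST_OLD, INSTALLED, GENUINE_CAB),
        "tampered": validate_update(MANIFEST_NEW, INSTALLED, b"CAB\x00calc.exe swapped in"),
    }
```

`demo()` returns the three outcomes: the genuine package is accepted, the 2019-style older package is refused as a downgrade, and a cab with a replaced executable is refused because its digest no longer matches the signed manifest.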
In a security bulletin published last week, Zoom said a researcher had also found a vulnerability that could allow user session cookies to be sent to a non-company domain, which attackers could use for spoofing attacks.
There are four vulnerabilities that Zoom has fixed since Fratric's report:
CVE ID | Title | Severity |
---|---|---|
CVE-2022-22784 | Improper XML Parsing in Zoom Client for Meetings | High |
CVE-2022-22785 | Improperly constrained session cookies in Zoom Client for Meetings | Medium |
CVE-2022-22786 | Update package downgrade in Zoom Client for Meetings for Windows | High |
CVE-2022-22787 | Insufficient hostname validation during server switch in Zoom Client for Meetings | High |
The other three vulnerabilities affect Android, iOS, Linux, macOS, and Windows.
A Google Project Zero researcher discovered the vulnerabilities in February; Zoom fixed them on the server side that same month and released updated clients on April 24.