April 25, 2024

TechNewsInsight


Security researchers report that the Zoom installer has a bug that can get root privileges on macOS - GIGAZINE




Patrick Wardle, a prominent researcher in the field of macOS security, showed at the hacking conference DEF CON that a bug in the Zoom installer for macOS makes it possible to obtain root privileges on macOS.

Zoom installer lets researcher hack his way to root on macOS – The Verge
https://www.theverge.com/2022/8/12/23303411/zoom-defcon-root-access-privilege-escalation-hack-patrick-wardle

Mr. Wardle is the founder of the Objective-See Foundation, a nonprofit that creates open source security tools for macOS, and he is also the one who pointed out that many popular Mac applications distributed on the App Store collect user data and send it to an external server.

Many popular Mac applications distributed on the App Store collect user data and send it to an external server – GIGAZINE


Mr. Wardle points out an error in the Zoom installer.

The installer for Zoom, a popular video conferencing tool, requires administrator privileges to install or remove the Zoom app. When the installer installs the Zoom app for the first time, it asks the user to enter a password, but according to Mr. Wardle, the auto-update function of the installer runs constantly in the background with administrator privileges.

When Zoom distributes an app update, the update function installs the new package only after verifying that it has been cryptographically signed by Zoom. However, there was a bug in the way the signature verification was implemented, so the check could be passed simply by supplying the updater with a file that has the same name as Zoom's signing certificate. Wardle points out that this makes it possible to create an update that runs with high privileges.



Zoom's update installer first moves the package to be installed into a directory owned by the root user. Normally, users without root privileges cannot add, remove or modify files in this directory. But Unix systems such as macOS follow the rule that "if an existing file is moved from another location to a directory with root privileges, it retains the same read and write permissions as before". Therefore, a normal user can still modify the file after it has been moved. By combining this behavior with the bug in the Zoom installer, it is possible to elevate a user account to root privileges.
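The move-versus-copy behavior described above can be checked from the defender's side. The following is an added example, not code from Zoom or from Wardle's research: it stages constructed sample files in a temporary directory and reports whether each staged file could still be altered by someone other than the updater. The function names, file names and the use of the current user as a stand-in for the privileged updater are assumptions made for illustration.

```python
import os, shutil, stat, tempfile

def staged_file_problems(path, trusted_uid):
    """List reasons a staged update file could still be altered by an unprivileged user."""
    st = os.lstat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != trusted_uid:
        problems.append("owner uid %d is not the trusted uid" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems

def stage_by_move(src, staging_dir):
    """rename(2) keeps the same inode, so owner and mode travel with the file."""
    dst = os.path.join(staging_dir, os.path.basename(src))
    os.rename(src, dst)
    return dst

def stage_by_copy(src, staging_dir):
    """Create a new file owned by the caller with mode 0600, then copy the bytes in."""
    dst = os.path.join(staging_dir, os.path.basename(src))
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    return dst

def demo():
    """Run both staging methods on constructed sample files in a temp directory."""
    me = os.getuid()  # assumption: stands in for the privileged updater's uid
    with tempfile.TemporaryDirectory() as root:
        downloads, staging = os.path.join(root, "downloads"), os.path.join(root, "staging")
        os.mkdir(downloads)
        os.mkdir(staging, 0o755)
        for name in ("moved.pkg", "copied.pkg"):  # constructed sample files
            path = os.path.join(downloads, name)
            with open(path, "wb") as f:
                f.write(b"constructed sample package bytes")
            os.chmod(path, 0o666)  # loosely permissioned download
        src = os.path.join(downloads, "moved.pkg")
        inode = os.stat(src).st_ino
        moved = stage_by_move(src, staging)
        copied = stage_by_copy(os.path.join(downloads, "copied.pkg"), staging)
        return {"same_inode": os.stat(moved).st_ino == inode,
                "moved_mode": stat.S_IMODE(os.stat(moved).st_mode),
                "moved_problems": staged_file_problems(moved, me),
                "copied_problems": staged_file_problems(copied, me)}
```

A privileged updater that runs a check like `staged_file_problems` with the trusted uid set to root, after staging and before verifying and installing, would reject a moved file that kept its original owner or write bits.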

To exploit this bug in a privilege escalation attack, the attacker must already have access to the target system. However, even with a restricted user account, an attacker can gain administrator or root privileges through a privilege escalation attack, allowing them to add, delete, or modify arbitrary files on the victim's machine.


Wardle notified Zoom of the vulnerability in the installer in December 2021. Zoom released a patch to fix the vulnerability a few weeks before DEF CON was held. However, a detailed analysis of Zoom's patch showed another small bug that left the vulnerability open to exploitation.

“We not only informed Zoom that the error existed, but we also reported the error and how to fix the code,” Wardle said. “There is a vulnerability in Zoom, it is available for all versions of Mac, and it was really frustrating having to wait six to eight months for the information to be revealed, although I understand such an app is installed on many private users’ Macs.”
