An exploration of zero-click attack surface for the popular
video conferencing solution Zoom has yielded two previously
undisclosed security vulnerabilities that could be exploited to
crash the service, execute malicious code, and even leak arbitrary
areas of its memory.
Natalie Silvanovich of Google Project Zero, who discovered[1] and
reported the two flaws[2][3] last year, said the issues impact both
Zoom clients and Multimedia Router (MMR) servers, which transmit audio
and video content between clients in on-premise deployments[4].
The weaknesses have since been addressed by Zoom as part of
updates[5] shipped on November 24, 2021.
The goal of a zero-click attack is to stealthily gain control
over the victim’s device without requiring any kind of interaction
from the user, such as clicking on a link.
While the specifics of the exploit will vary depending on the
nature of vulnerability being exploited, a key trait of zero-click
hacks is their ability not to leave behind traces of malicious
activity, making them very difficult to detect.
The two flaws identified by Project Zero are as follows:
- CVE-2021-34423[6] (CVSS score: 9.8) – A buffer overflow[7] vulnerability that can be leveraged to crash the service or application, or execute arbitrary code.
- CVE-2021-34424[8] (CVSS score: 7.5) – A process memory exposure flaw that could be used to potentially gain insight into arbitrary areas of the product’s memory.
By analyzing the RTP (Real-time Transport Protocol) traffic used
to deliver audio and video over IP networks, Silvanovich found that
it’s possible to manipulate the contents of a buffer that supports
reading different data types by sending a malformed chat message,
causing the client and the MMR server to crash.
Furthermore, the lack of a NULL[9] check — which is used to determine
the end of a string — made it possible to leak data from the memory by
joining a Zoom meeting via a web browser.
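The two bug classes described above (an unchecked length when reading typed values out of a message buffer, and a string copy that trusts a terminator the sender may have omitted) are illustrated by the following hardened reader. This is an added example and not Zoom's code; the tag/length/value format, the field names and the sample message are all invented for the demonstration.

```c
/* Added example, not Zoom's code: a hardened reader for a hypothetical
 * tag/length/value message format. It performs a bounds check before every
 * typed read and bounds string copies by the declared length, not by a NUL. */
#include <stdint.h>
#include <string.h>
enum { FIELD_U32 = 1, FIELD_STR = 2 };
typedef struct { const uint8_t *buf; size_t len, pos; } reader_t;

/* Parse one field. Returns 1 on success, 0 if malformed; on 0 nothing past
 * the buffer end is ever touched. Strings are NUL-terminated into out_str. */
int read_field(reader_t *r, uint32_t *out_u32, char *out_str, size_t out_cap)
{
    if (r->len - r->pos < 2) return 0;           /* need tag + length */
    uint8_t tag = r->buf[r->pos], flen = r->buf[r->pos + 1];
    r->pos += 2;
    if (r->len - r->pos < flen) return 0;        /* declared length exceeds buffer */
    const uint8_t *val = r->buf + r->pos;
    r->pos += flen;
    switch (tag) {
    case FIELD_U32:
        if (flen != 4) return 0;                 /* wrong size for this type */
        *out_u32 = (uint32_t)val[0] | (uint32_t)val[1] << 8 |
                   (uint32_t)val[2] << 16 | (uint32_t)val[3] << 24;
        return 1;
    case FIELD_STR: {
        /* strlen(val) would read past flen when the peer sent no NUL */
        const uint8_t *nul = memchr(val, 0, flen);
        size_t n = nul ? (size_t)(nul - val) : flen;
        if (n >= out_cap) n = out_cap - 1;
        memcpy(out_str, val, n);
        out_str[n] = '\0';
        return 1;
    }
    default:
        return 0;                                /* unknown type */
    }
}

/* Constructed sample: a u32, an unterminated string, then a field claiming
 * 200 bytes when only one remains. Returns 1 if the first two fields are
 * accepted with the expected values and the third is rejected. */
int demo(void)
{
    static const uint8_t msg[] = { FIELD_U32, 4, 0x78, 0x56, 0x34, 0x12,
                                   FIELD_STR, 3, 'h', 'i', '!',
                                   FIELD_STR, 200, 'x' };
    reader_t r = { msg, sizeof msg, 0 };
    uint32_t v = 0; char s[16] = "";
    int ok1 = read_field(&r, &v, s, sizeof s);
    int ok2 = read_field(&r, &v, s, sizeof s);
    int ok3 = read_field(&r, &v, s, sizeof s);
    return ok1 && ok2 && !ok3 && v == 0x12345678u && strcmp(s, "hi!") == 0;
}
```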
The researcher also attributed the memory corruption flaw to the
fact that Zoom failed to enable ASLR[10], aka address space
layout randomization, a security mechanism designed to increase the
difficulty of performing buffer overflow attacks.
“The lack of ASLR in the Zoom MMR process greatly increased the
risk that an attacker could compromise it,” Silvanovich said. “ASLR
is arguably the most important mitigation in preventing
exploitation of memory corruption, and most other mitigations rely
on it on some level to be effective. There is no good reason for it
to be disabled in the vast majority of software.”
While most video conferencing systems use open-source libraries
such as WebRTC[11] or PJSIP[12] for implementing
multimedia communications, Project Zero called out Zoom’s use of
proprietary formats and protocols as well as its high licensing
fees (nearly $1,500) as barriers to security research.
“Closed-source software presents unique security challenges, and
Zoom could do more to make their platform accessible to security
researchers and others who wish to evaluate it,” Silvanovich said.
“While the Zoom Security Team helped me access and configure server
software, it is not clear that support is available to other
researchers, and licensing the software was still expensive.”
References
- [1] discovered (googleprojectzero.blogspot.com)
- [2] two (bugs.chromium.org)
- [3] flaws (bugs.chromium.org)
- [4] on-premise deployments (support.zoom.us)
- [5] updates (explore.zoom.us)
- [6] CVE-2021-34423 (nvd.nist.gov)
- [7] buffer overflow (cwe.mitre.org)
- [8] CVE-2021-34424 (nvd.nist.gov)
- [9] NULL (en.wikipedia.org)
- [10] ASLR (en.wikipedia.org)
- [11] WebRTC (en.wikipedia.org)
- [12] PJSIP (www.pjsip.org)
Read more https://thehackernews.com/2022/01/google-details-two-zero-day-bugs.html