A flaw in the Zoom installer allows root access to macOS

A security researcher has discovered a way in which an attacker can abuse the macOS version of Zoom to gain control of the entire operating system.

Details of the vulnerability were revealed in a presentation given by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday.

Some of the bugs have already been fixed by Zoom, but the researcher also presented one unpatched vulnerability that still affects systems.

The exploit works by targeting the Zoom installer, which has to run with elevated user permissions in order to install or remove the main Zoom app from the computer.

When Zoom releases an update, the update function installs the new package after verifying that it has been cryptographically signed by Zoom. But a bug in how the signature check is implemented means that handing the updater any file carrying the same name as Zoom's signing certificate is enough to pass the test, so an attacker can substitute malware of any kind and have it run by the high-privilege updater.

Patrick Wardle is the founder of the Objective-See Foundation, a non-profit organization that creates open source security tools for macOS.

Earlier the same week, at the Black Hat security conference held alongside Def Con, Wardle detailed the unauthorized use of algorithms lifted from his open source security software by for-profit companies.

Following responsible disclosure practice, Patrick Wardle reported the vulnerability to Zoom in December of last year. To his frustration, he says that Zoom's initial fix contained another bug that left the vulnerability exploitable in a slightly roundabout way, so he reported this second bug to Zoom as well and waited eight months before publishing the research.

A few weeks before Def Con, Patrick Wardle says, Zoom released a patch for the bugs he had initially discovered. But on closer analysis there was yet another small bug, which meant the vulnerability was still exploitable.

In the new version of the updater, the package to be installed is first moved into a directory owned by the "root" user. That normally means no user without root permission can add, remove, or modify files in that directory. But because of a subtlety of Unix systems (of which macOS is one), when an existing file is moved from another location into the root-owned directory, it keeps the same read and write permissions it had before. So, in this case, it can still be modified by a normal user. Because it can be modified, a malicious user can still swap the contents of that file for a file of their choice and use it to become root.
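The permission subtlety described above, as an added example that is not Zoom's or Wardle's code: a world-writable file moved into a restricted directory keeps its own mode bits, whereas a hardened staging step creates a fresh, owner-only-writable copy and verifies it. Directory names, file contents and the helper functions are constructed for the demo; the root-owned directory is simulated with a temporary directory, since changing ownership would need root.

```python
import os
import shutil
import stat
import tempfile


def is_writable_by_others(path):
    """True if the group or world write bit is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def stage_by_move(src, staging_dir):
    """Naive staging (the flawed pattern): move the package into the
    privileged directory as-is. rename() keeps the source's mode bits,
    so a world-writable file stays world-writable after the move."""
    dst = os.path.join(staging_dir, os.path.basename(src))
    shutil.move(src, dst)
    return dst


def stage_hardened(src, staging_dir):
    """Hardened staging: create the destination with a restrictive mode
    before writing any bytes, copy the content in, then verify that
    nobody but the owner can still modify the staged file."""
    dst = os.path.join(staging_dir, os.path.basename(src))
    # O_EXCL refuses to reuse a file an attacker may have pre-placed.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    os.remove(src)
    if is_writable_by_others(dst):
        raise PermissionError(f"{dst} is still writable by non-owners")
    return dst


def demo():
    """Stage one constructed package each way; return whether the staged
    file is still writable by users other than its owner."""
    base = tempfile.mkdtemp()
    staging = os.path.join(base, "staging")
    os.mkdir(staging, 0o755)  # stands in for the root-owned directory
    results = {}
    for name, stage in (("move", stage_by_move), ("hardened", stage_hardened)):
        pkg = os.path.join(base, f"{name}-update.pkg")
        with open(pkg, "wb") as f:
            f.write(b"constructed package payload")
        os.chmod(pkg, 0o666)  # world-writable, as a user-created file can be
        results[name] = is_writable_by_others(stage(pkg, staging))
    shutil.rmtree(base)
    return results
```

Running `demo()` returns `{"move": True, "hardened": False}`: the moved file is still modifiable by any user, the hardened copy is not.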
