AttackerKB AKB:11F4250A-1B26-4786-B12C-EBB1BEE2663F
History: Jul 09, 2019 - 12:00 a.m.

Zoom Client Information Disclosure (Webcam) CVE-2019-13450

Source: attackerkb.com

6.5 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

4.3 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
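The description above names two host artefacts a defender can check for: a listener on localhost port 19421 or 19424, and the state of ~/.zoomus (a directory left behind by the client versus the plain file the advisory recommends creating). The following audit script is an added example, not code from AttackerKB or Zoom; it only observes and reports, and the port probe is injectable so the logic can be exercised without a live Zoom install. The result strings and the `assess` categories are this example's own convention.

```python
"""Audit a macOS host for the residual Zoom local web server (CVE-2019-13450).

Added example (not from AttackerKB or Zoom). It checks the two artefacts the
advisory names: a TCP listener on localhost port 19421/19424 and the state of
~/.zoomus. It makes no changes to the host.
"""
import socket
from pathlib import Path
from typing import Callable, Iterable, List

ZOOM_WEB_PORTS = (19421, 19424)  # ports named in the advisory


def classify_zoomus(path: Path) -> str:
    """Classify ~/.zoomus: 'directory' (client state present, web server can
    run), 'file' (advisory mitigation: a plain file blocks the directory from
    being recreated), or 'absent'."""
    if path.is_dir():
        return "directory"
    if path.is_file():
        return "file"
    return "absent"


def tcp_connects(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if something accepts a TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def listening_ports(ports: Iterable[int],
                    probe: Callable[[int], bool] = tcp_connects) -> List[int]:
    """Return the subset of `ports` that accept a connection.
    `probe` is injectable so the logic can be tested without a live listener."""
    return [p for p in ports if probe(p)]


def assess(zoomus_state: str, open_ports: List[int]) -> str:
    """Summarise exposure from the two observations. A live listener dominates:
    the web server is what any web page can reach, whatever ~/.zoomus says."""
    if open_ports:
        return "EXPOSED: local Zoom web server listening on %s" % ",".join(map(str, open_ports))
    if zoomus_state == "directory":
        return "RESIDUE: ~/.zoomus directory present; the web server left behind by an uninstall can still run"
    if zoomus_state == "file":
        return "MITIGATED: ~/.zoomus is a plain file and no listener found"
    return "CLEAN: no ~/.zoomus and no listener found"


if __name__ == "__main__":
    state = classify_zoomus(Path.home() / ".zoomus")
    ports = listening_ports(ZOOM_WEB_PORTS)
    print(assess(state, ports))
```

Run it as the affected user; an EXPOSED result means the localhost server is reachable and the advisory's additional steps (killing the web server, removing the ~/.zoomus directory, creating a plain ~/.zoomus file) still apply even if the client itself has been uninstalled.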

Recent assessments:

busterb at July 09, 2019 5:19pm UTC reported:

Possibly a source of other vulnerabilities in the internal webserver, worth a look at least to see if there is anything else that could be exploited.

Note, it appears that now there are private Zoom PoCs exploiting the webserver for remote code execution, though this appears to require the user to have uninstalled Zoom first, leaving the web server behind. This is likely due to something in the clawback reinstaller not validating or accepting an attacker-controlled resource for the installer binaries.

jrobles-r7 at July 09, 2019 1:21pm UTC reported:

Possibly a source of other vulnerabilities in the internal webserver, worth a look at least to see if there is anything else that could be exploited.

Note, it appears that now there are private Zoom PoCs exploiting the webserver for remote code execution, though this appears to require the user to have uninstalled Zoom first, leaving the web server behind. This is likely due to something in the clawback reinstaller not validating or accepting an attacker-controlled resource for the installer binaries.

Assessed Attacker Value: 3
