Zoom Client Information Disclosure (Webcam) CVE-2019-13450

ID AKB:11F4250A-1B26-4786-B12C-EBB1BEE2663F
Type attackerkb
Reporter AttackerKB
Modified 2020-03-03T19:49:35


In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server that the client runs on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled, because uninstalling the client leaves the local web server behind. Blocking exploitation requires additional steps, such as setting the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file in its place.
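The following audit-and-mitigate helper is an added example for the description above; it is not code from AttackerKB, Zoom or the CVE text. It checks the two conditions the advisory names (a ~/.zoomus directory and a listener on 19421 or 19424) and applies the listed mitigations on macOS. The plist path us.zoom.config.plist, the process name ZoomOpener and the chmod 000 on the replacement file are assumptions taken from public writeups, not from the advisory text, and are marked as such in the code.

```shell
#!/usr/bin/env bash
# Added example for CVE-2019-13450: audit for leftover Zoom local web server
# state on macOS and apply the advisory's mitigations. Not Zoom's code.
set -u

# Ports the advisory names for the local web server.
ZOOM_PORTS="19421 19424"

# Classify the ~/.zoomus path. The advisory's mitigation is to delete the
# directory and leave a plain file in its place, so "plainfile" means mitigated.
zoomus_state() {
  local p="$1"
  if [ -d "$p" ]; then
    echo "directory"   # web server data directory present
  elif [ -f "$p" ]; then
    echo "plainfile"   # plain file blocks recreation of the directory
  else
    echo "absent"
  fi
}

# Return 0 if something accepts TCP connections on 127.0.0.1:$1.
# Uses bash's /dev/tcp so no netcat is needed; the child shell closes the fd.
port_open() {
  bash -c "exec 3<>/dev/tcp/127.0.0.1/$1" 2>/dev/null
}

# Audit one home directory. Prints findings; returns 1 if the machine still
# looks exposed (data directory present, or a listener on either port).
audit() {
  local home="$1" exposed=0 port
  case "$(zoomus_state "$home/.zoomus")" in
    directory) echo "exposed: $home/.zoomus is a directory"; exposed=1 ;;
    plainfile) echo "ok: $home/.zoomus is a plain file" ;;
    absent)    echo "info: $home/.zoomus absent (a running web server may recreate it)" ;;
  esac
  for port in $ZOOM_PORTS; do
    if port_open "$port"; then
      echo "exposed: listener on 127.0.0.1:$port"; exposed=1
    fi
  done
  return "$exposed"
}

# Apply the advisory's mitigations to one home directory. macOS only.
mitigate() {
  local home="$1"
  if [ "$(uname -s)" != "Darwin" ]; then
    echo "mitigate: macOS only" >&2
    return 2
  fi
  # ZDisableVideo preference (advisory). ASSUMPTION: it lives in
  # ~/Library/Preferences/us.zoom.config.plist, as reported in public writeups.
  defaults write "$home/Library/Preferences/us.zoom.config.plist" ZDisableVideo 1
  # Kill the web server (advisory). ASSUMPTION: the process is named ZoomOpener.
  pkill -x ZoomOpener 2>/dev/null || true
  # Delete the directory and create a plain file in its place (advisory).
  rm -rf "$home/.zoomus"
  touch "$home/.zoomus"
  chmod 000 "$home/.zoomus"   # ASSUMPTION: unwritable so nothing can replace it
  echo "mitigated: $home"
}

# Usage: sh zoom_check.sh audit [home]   or   sh zoom_check.sh mitigate [home]
case "${1:-}" in
  audit)    audit "${2:-$HOME}" ;;
  mitigate) mitigate "${2:-$HOME}" ;;
esac
```

Run the audit first; a clean result on a machine that once had Zoom installed still deserves a second look, since the advisory notes that the web server can recreate ~/.zoomus when it is absent.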

Recent assessments:

busterb at 2019-07-09T17:19:53.261258Z reported: Possibly a source of other vulnerabilities in the internal webserver, worth a look at least to see if there is anything else that could be exploited.

Note: it appears that now there are private Zoom PoCs exploiting the webserver for remote code execution, though this appears to require the user to have uninstalled Zoom first, leaving the web server behind. This is likely due to something in the clawback reinstaller not validating or accepting an attacker-controlled resource for the installer binaries.

Assessed Attacker Value: 2 Assessed Exploitability: 3

jrobles-r7 at 2019-07-09T13:21:48.141308Z reported: Potentially useful in drive-by attack scenarios, but the attack does depend on a few conditions. If the user has disabled their video when joining a meeting, then the webcam won't be on even if a link is clicked/followed. If the video is enabled when joining a Zoom meeting, then the information disclosure would depend on what is in view of the webcam, which could potentially be nothing. A Zoom window appears when Zoom is launched, so the time for capturing potentially sensitive information is limited as well (assuming someone will close a meeting that they didn't intend to join). Also, the user would have to be running the Zoom client on macOS.

Assessed Attacker Value: 3 Assessed Exploitability: 3