myhack58 | 佚名 | MYHACK58:62201995047
History: Jul 13, 2019 - 12:00 a.m.

Affects more than four million webcams: a 0-day vulnerability in the Zoom client could lead to code execution - vulnerability warning - the black bar safety net

2019-07-13 00:00:00 | 佚名 | www.myhack58.com

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.878 High (Percentile 98.4%)

CVE numbers
CVE-2019-13449: Zoom client denial of service vulnerability; fixed in client version 4.4.2
CVE-2019-13450: webcam information disclosure vulnerability; no patch has been released yet, release planned for July 10
Foreword
Recently, we found two security vulnerabilities in the Zoom client. One allows any website to force a user into a Zoom call and activate their camera, without the user's consent. The other can repeatedly add the user to an invalid call, causing a denial of service (DoS).
In addition, if a user has ever installed the Zoom client, a localhost web server remains on the computer even after the client is uninstalled; simply visiting a specific web page, with no further interaction, can re-install the Zoom client. This re-installation "feature" is still present in the current latest version.

The vulnerability builds on a very simple Zoom feature: a user can send anyone a meeting link, for example https://zoom.us/j/492468757, and when the recipient opens that link in a browser, the Zoom client magically opens on the local machine. I was very curious how this feature is implemented and how its security is guaranteed. Eventually I found that the mechanism is not implemented safely and carries a certain risk. At the same time, I also found a solution that ensures the mechanism is implemented safely without requiring any additional user interaction.

This vulnerability was disclosed on March 26, 2019, following a responsible disclosure process. The original vulnerability report included a "quick fix" proposal that Zoom could implement simply by changing its server logic. Zoom took 10 days to confirm the vulnerability. The first actual meeting to discuss how to fix it was held on June 11, 2019, that is, 18 days before the end of the 90-day public disclosure deadline. In that meeting the details of the vulnerability were confirmed and Zoom's planned solution was discussed. However, I could very easily find holes in their planned fix and places where it could be bypassed. At that point, Zoom had only 18 days left to resolve the vulnerability. On June 24, the last day of the 90-day wait before public disclosure, I found that Zoom had only implemented the "quick fix" solution I initially recommended.
All in all, Zoom was very quick to confirm that the reported vulnerabilities actually exist, but they did not manage to fix them. Since this product has such a large user community, I think it is necessary to take a more proactive approach to protect its users against attack.
Finding the vulnerability
On a Mac, if you have ever installed Zoom, a web server runs on the local machine on port 19421. You can confirm that this service exists by running lsof -i :19421 in a terminal.
First, I have to say that an installed application running a web server on my local machine, and exposing a completely undocumented API through it, already strikes me as very strange. Second, any website I visit can interact with this web server running on my host, which for a security researcher is a huge red flag.
The code on the Zoom site is as follows; from this code I learned that there is a localhost server:
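The listener check described above, as an added example that is not part of the original article: it probes 127.0.0.1:19421 with a plain TCP connect and, where lsof is installed, parses the output of lsof -i :19421 to report which process owns the listening socket. The function names, the port constant and the sample lsof output are constructed for this example.

```python
"""
Added example (not from the original article): confirm whether something is
listening on the local port the article describes and, when lsof is available,
report the owning process. Names and sample data below are constructed.
"""
import socket
import subprocess
from typing import List, Optional, Tuple

# Port named in the article for the localhost web server left behind by the client.
ZOOM_LOCAL_PORT = 19421

# Constructed sample of `lsof -nP -i :19421` output (process name is made up).
SAMPLE_LSOF_OUTPUT = """COMMAND      PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
localsvc    4242 alice    5u  IPv4 0xabcdef1234567890      0t0  TCP 127.0.0.1:19421 (LISTEN)
localsvc    4242 alice    6u  IPv4 0xabcdef1234567891      0t0  TCP 127.0.0.1:19421->127.0.0.1:50123 (ESTABLISHED)
"""


def port_is_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port succeeds, i.e. something accepts connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_lsof_listeners(lsof_output: str, port: int) -> List[Tuple[str, int, str]]:
    """Parse lsof text and return (command, pid, user) for sockets in LISTEN state on `port`.

    Pure function so it can be exercised offline on captured output. Established
    connections (NAME contains '->') are skipped; only the listening socket counts.
    """
    listeners = []
    for line in lsof_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        command, pid, user = fields[0], fields[1], fields[2]
        name, state = fields[8], fields[9]
        if name.endswith(f":{port}") and state == "(LISTEN)":
            listeners.append((command, int(pid), user))
    return listeners


def lsof_listeners(port: int) -> Optional[List[Tuple[str, int, str]]]:
    """Run lsof for the port and parse it; None when lsof is not installed.

    -n/-P keep addresses and ports numeric so NAME ends with ':<port>'. lsof exits
    non-zero when it finds nothing, so the return code is deliberately ignored.
    """
    try:
        proc = subprocess.run(["lsof", "-nP", "-i", f":{port}"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_lsof_listeners(proc.stdout, port)


def describe_local_port(port: int = ZOOM_LOCAL_PORT) -> str:
    """Human-readable summary combining the TCP probe and the lsof ownership lookup."""
    if not port_is_listening(port):
        return f"nothing accepts connections on 127.0.0.1:{port}"
    owners = lsof_listeners(port)
    if owners is None:
        return f"127.0.0.1:{port} is open (lsof not available to identify the process)"
    if not owners:
        return f"127.0.0.1:{port} is open but lsof shows no LISTEN socket (check privileges)"
    who = ", ".join(f"{cmd} (pid {pid}, user {user})" for cmd, pid, user in owners)
    return f"127.0.0.1:{port} is open, owned by {who}"


if __name__ == "__main__":
    print(describe_local_port())
```

Running the script on a machine where the client was once installed is the same check the article performs with lsof, with the probe added so the result is meaningful even where lsof is missing; the parser is kept separate so it can also be pointed at lsof output collected from another host.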
![](/Article/UploadPic/2019-7/201971313130133.png)
When I learned this web server existed, my first thought was that if there were any buffer overflow in the way it handled its parameters, then someone could achieve remote code execution on my host. However, that is not the vulnerability I found; it was just my initial hypothesis.
When we visit one of Zoom's "Join" links and look at the Web Developer Console, we can see the following:
![](/Article/UploadPic/2019-7/201971313131948.png)
I also found that the page does not issue a conventional AJAX request; instead it loads an image from the locally running Zoom web server. The size of the returned image encodes the server's error or status code. The condition logic can be seen here:
![](/Article/UploadPic/2019-7/201971313133356.png)
These two numbers are the pixel dimensions of the image the web server returns.
Worryingly, this enumeration seems to indicate that the web server can do more than just start a Zoom meeting. I found that this web server can also re-install the Zoom app after the user has uninstalled it.
I was very curious why this web server returns the image size as its way of encoding data. The reason is that it bypasses cross-origin resource sharing (CORS). In the original design, the web server
