{"id": "THN:96B1CC4A7203A91DE0E44071518570BB", "hash": "47fcd504ff572be1de3359034dc68ad1", "type": "thn", "bulletinFamily": "info", "title": "Two Critical Flaws in Zoom Could've Let Attackers Hack Systems via Chat", "description": "[](<https://thehackernews.com/images/-Fg68t3X10V4/XtfB3BD47bI/AAAAAAAA23w/YO1q2xwf_gYpEfHnUjgYqf9Uw7ObQhjWACLcBGAsYHQ/s728-e100/zoom-video-software.jpg>)\n\nIf you're using **Zoom**\u2014especially during this challenging time to cope with your schooling, business, or social engagement\u2014make sure you are running the latest version of the widely popular video conferencing software on your Windows, macOS, or Linux computers. \n \nNo, it's not about the arrival of the most-awaited \"real\" end-to-end encryption feature, which apparently, according to the latest news, would now only be [available to paid users](<https://www.bloomberg.com/news/articles/2020-06-02/zoom-transforms-hype-into-huge-jump-in-sales-customers>). Instead, this latest warning is about two newly discovered critical vulnerabilities. \n \nCybersecurity researchers from Cisco Talos unveiled today that it discovered two critical vulnerabilities in the [Zoom software](<https://thehackernews.com/2020/04/zoom-cybersecurity-hacking.html>) that could have allowed attackers to hack into the systems of group chat participants or an individual recipient remotely. \n \nBoth flaws in question are path traversal vulnerabilities that can be exploited to write or plant arbitrary files on the systems running vulnerable versions of the video conferencing software to execute malicious code. \n\n\n \nAccording to the researchers, successful exploitation of both flaws requires no or very little interaction from targeted chat participants and can be executed just by sending specially crafted messages through the chat feature to an individual or a group. \n \nThe first security vulnerability (**CVE-2020-6109**) resided in the way Zoom leverages GIPHY service, recently bought by Facebook, to let its users search and exchange animated GIFs while chatting. \n \nResearchers find that the Zoom application did not check whether a shared GIF is loading from Giphy service or not, allowing an attacker to embed GIFs from a third-party attacker-controlled server, which zoom by design cache/store on the recipients' system in a specific folder associated with the application. \n \nBesides that, since the application was also not sanitizing the filenames, it could have allowed attackers to achieve directory traversal, tricking the application into saving malicious files disguised as GIFs to any location on the victim's system, for example, the startup folder. \n \nThe second remote code execution vulnerability (**CVE-2020-6110**) resided in the way vulnerable versions of the Zoom application process code snippets shared through the chat. \n \n\"Zoom's chat functionality is built on top of XMPP standard with additional extensions to support the rich user experience. One of those extensions supports a feature of including source code snippets that have full syntax highlighting support. The feature to send code snippets requires the installation of an additional plugin but receiving them does not. This feature is implemented as an extension of file sharing support,\" the [researchers said](<https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html>). \n\n\n \nThis feature creates a zip archive of the shared code snippet before sending and then automatically unzips it on the recipient's system. \n \nAccording to the researchers, Zoom's zip file extraction feature does not validate the contents of the zip file before extracting it, allowing the attacker to plant arbitrary binaries on targeted computers. \n \n\"Additionally, a partial path traversal issue allows the specially crafted zip file to write files outside the intended randomly generated directory,\" the researchers said. \n \nCisco Talos researchers tested both flaws on version 4.6.10 of the Zoom client application and responsibly reported it to the company. \n \nReleased just last month, Zoom patched both critical vulnerabilities with the release of version 4.6.12 of its video conferencing software for Windows, macOS, or Linux computers. \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2020-06-03T15:34:00", "modified": "2020-06-03T15:53:45", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://thehackernews.com/2020/06/zoom-video-software-hacking.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2020-6109", "CVE-2020-6110"], "lastseen": "2020-06-03T16:21:42", "history": [], "viewCount": 83, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-6109", "CVE-2020-6110"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:3934872CE6AC2C8ABC5F37A1EB347A11"]}, {"type": "talos", "idList": ["TALOS-2020-1055", "TALOS-2020-1056"]}], "modified": "2020-06-03T16:21:42", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-06-03T16:21:42", "rev": 2}, "vulnersScore": 5.6}, "objectVersion": "1.4", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2020-06-12T15:53:29", "bulletinFamily": "NVD", "description": "An exploitable path traversal vulnerability exists in the Zoom client, version 4.6.10 processes messages including animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability.", "modified": "2020-06-11T20:34:00", "id": "CVE-2020-6109", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6109", "published": "2020-06-08T14:15:00", "title": "CVE-2020-6109", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-14T21:54:49", "bulletinFamily": "NVD", "description": "An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required.", "modified": "2020-06-12T13:33:00", "id": "CVE-2020-6110", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6110", "published": "2020-06-08T14:15:00", "title": "CVE-2020-6110", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2020-06-12T13:52:16", "bulletinFamily": "blog", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a new module for the infamous trojan known as TrickBot that has been deployed. Also, read about Google\u2019s $5 billion class-action lawsuit over claims that it has been collecting people\u2019s browsing information when using the incognito browsing mode.\n\n \n\nRead on:\n\n[**No Entry: How Attackers Can Sneak Past Facial Recognition Devices**](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/no-entry-how-attackers-can-sneak-past-facial-recognition-devices>)\n\n_Now more than ever, businesses are looking into contactless entry solutions, turning to edge devices that use facial recognition or small devices like radio-frequency identification cards. These devices serve as the first line of defense for keeping intruders out of offices, which can be subject to many different types of attacks. In this blog, Trend Micro analyzes the different ways an intruder can trick or hack into facial recognition access control devices. _\n\n[**Cloud Security and Data Protection: What Enterprises Need to Know**](<https://techbeacon.com/security/cloud-security-data-protection-what-enterprises-need-know>)\n\n_Data security is rarely the first consideration when choosing a public cloud service provider. That is changing, though, because of the rise of tougher rules, regulations, and standards aimed at protecting consumer privacy. In this article, Mark Nunnikhoven, vice president of cloud research at Trend Micro, shares his thoughts on what enterprises need to know about cloud security and data protection. _\n\n[**Lemon Duck Cryptominer Spreads Through Covid-19 Themed Emails**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/lemon-duck-cryptominer-spreads-through-covid-19-themed-emails>)\n\n_In a recent campaign, Trend Micro came across a PowerShell script (mailer script) that distributes the Lemon Duck cryptominer through a new propagation method: Covid-19-themed emails with weaponized attachments. These emails are delivered to all Microsoft Outlook contacts of the user of a compromised machine, as similarly observed by SANS Internet Storm Center._\n\n[**TrickBot Adds BazarBackdoor to Malware Arsenal**](<https://threatpost.com/trickbot-bazarbackdoor-malware-arsenal/156243/>)\n\n_A new module for the infamous trojan known as TrickBot has been deployed: A stealthy backdoor that researchers call \u201cBazarBackdoor.\u201d The binary was first spotted being delivered as part of a phishing campaign that began in March, according to Panda Security. The campaign used the legitimate marketing platform Sendgrid to reach targets in a mass-mailing fashion._\n\n[**Factory Security Problems from an IT Perspective (Part 3): Practical Approach for Stable Operation**](<https://www.trendmicro.com/us/iot-security/news/5867/Factory_Security_Problems_from_an_IT_Perspective_Part_3_Practical_approach_for_stable_operation>)\n\n_This article is the last in a three-part series discussing the challenges IT departments face when they are tasked with overseeing cybersecurity in factories and implementing measures to overcome those challenges. For strong factory security, Trend Micro recommends three measures: network separation, layer-optimized measures, and integrated management of these elements. In this third article, Trend Micro explains this concrete approach to security._\n\n[**Zoom Patches Two Serious Vulnerabilities Found by Cisco Researchers**](<https://www.securityweek.com/zoom-patches-two-serious-vulnerabilities-found-cisco-researchers>)\n\n_Members of Cisco\u2019s Talos threat intelligence and research group have identified two vulnerabilities in the Zoom client application that can allow a remote attacker to write files to the targeted user\u2019s system and possibly achieve arbitrary code execution. The vulnerabilities, tracked as CVE-2020-6109 and CVE-2020-6110, are both rated high severity._\n\n[**#LetsTalkSecurity: Ghost in the Machine**](<https://trendtalks.fyi/security/>)** **\n\n_This Week, Rik Ferguson, vice president of security research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Joe Slowik, USN Vet, Adversary Hunter, and Digital Sanitation Engineer with a focus on ICS. Check out this week\u2019s episode and follow the link to find information about upcoming episodes and guests._\n\n[**Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode**](<https://threatpost.com/google-faces-privacy-lawsuit-over-tracking-users-in-incognito-mode/156269/>)\n\n_Google faces a $5 billion class-action lawsuit over claims that it has been collecting people\u2019s browsing information without their knowledge when using the incognito browsing mode __that is meant to keep their online activities private. The lawsuit, filed in the federal court in San Jose, California, alleges that Google compiles user data through Google Analytics, Google Ad Manager and other applications and website plug-ins, including smartphone apps, regardless of whether users click on Google-supported ads._\n\n[**Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique**](<https://blog.trendmicro.com/trendlabs-security-intelligence/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique/>)\n\n_Trend Micro recently saw two barcode reader apps in Google Play, together downloaded more than a million times, that started showing unusual behavior (detected as AndroidOS_HiddenAd.HRXJA). This includes behavior that can be seen even when the user is not actively using the phone. _\n\n[**Email Scammer Pleads Guilty to Defrauding Texas Firms Out of More Than $500,000**](<https://www.cyberscoop.com/email-scam-texas-losses-fbi/>)\n\n_A 64-year-old man has admitted his role in an email-based fraud scheme that relied on spoofed email addresses to con two companies out of more than $500,000. Kenety Kim, or Myung Kim, pleaded guilty Tuesday in a Texas court to conspiracy to commit money laundering as part his role in a business email compromise scheme._\n\nSurprised by Google\u2019s lawsuit over tracking users in incognito mode? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode and TrickBot Adds Enterprise-grade Module to Malware Arsenal](<https://blog.trendmicro.com/this-week-in-security-news-google-faces-privacy-lawsuit-over-tracking-users-in-incognito-mode-and-trickbot-adds-enterprise-grade-module-to-malware-arsenal/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2020-06-05T12:32:59", "published": "2020-06-05T12:32:59", "id": "TRENDMICROBLOG:3934872CE6AC2C8ABC5F37A1EB347A11", "href": "https://blog.trendmicro.com/this-week-in-security-news-google-faces-privacy-lawsuit-over-tracking-users-in-incognito-mode-and-trickbot-adds-enterprise-grade-module-to-malware-arsenal/", "type": "trendmicroblog", "title": "This Week in Security News: Google Faces Privacy Lawsuit Over Tracking Users in Incognito Mode and TrickBot Adds Enterprise-grade Module to Malware Arsenal", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talos": [{"lastseen": "2020-07-01T21:25:30", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2020-1056\n\n## Zoom Client Application Chat Code Snippet Remote Code Execution Vulnerability\n\n##### June 3, 2020\n\n##### CVE Number\n\nCVE-2020-6110\n\n### Summary\n\nAn exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required.\n\n### Tested Versions\n\nZoom Client Application 4.6.10 Zoom Client Application 4.6.11\n\n### Product URLs\n\n<https://zoom.us>\n\n### CVSSv3 Score\n\n8.0 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-22 - Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019)\n\n### Details\n\nZoom is a video conferencing solution that offers a myriad of features. One of the services offered is chat with users contacts. Official client applications exist for Windows, macOS and Linux systems.\n\nZoom\u2019s chat functionality is built on top of XMPP standard with additional extensions to support rich user experience. One of those extensions supports a feature of including source code snippets that have full syntax highlighting support. The feature to send code snippets requires installation of an additional plugin, but receiving them does not. This feature is implemented as en extension of file sharing support.\n\nIn essence, code snippets are shared by generating a special zip archive that contains several supporting files (for untitled code snippet of plain text):\n \n \n Untitled.html\n Untitled.properties\n Untitled.rtf\n Untitled.tx*\n \n\nThe final one contains the source itself, the rich text file provides syntax highlighting and the properties file describes the package.\n\nWhen one user shares a code snippet with another, this zip file is created and uploaded to Zoom\u2019s storage server via `/zoomfile/upload` request to `file.zoom.us`. In return, the Zoom client gets a file object ID and then sends an XMPP message to the intended recipient. The XMPP message looks something like:\n \n \n <message from=\"source_xmpp_username@xmpp.zoom.us/ZoomChat_pc\" to=\"destination_xmpp_username@xmpp.zoom.us\" id=\"{170029-35B3-4748-9CB0-42E42FF20DE5}\" type=\"chat\">\n <thread>gloox{THREADID}</thread>\n <active xmlns=\"http://jabber.org/protocol/chatstates\"/>\n <sns>\n <format>%1$@ sent you a code snippet</format>\n <args>\n <arg>S E</arg>\n </args>\n </sns>\n <zmext expire_t=\"1650165620000\" t=\"1587093620200\">\n <obj k=\"key\" id=\"__object_id\" s=\"166\" nm=\"Untitled1.zip\" f=\"14\" st=\"0\"/>\n <from n=\"S E\" e=\"emailaddress\" res=\"ZoomChat_pc\"/>\n <to/>\n <visible>true</visible>\n <msg_feature>1024</msg_feature>\n </zmext>\n <body>S E has sent you a code snippet</body>\n </message>\n \n\nThe object ID attribute uniquely identifies the file that contains the snipped description. When an XMPP client receives the above message, it will proceed to fetch the specified file from Zoom\u2019s data store and will save it to disk with a unique file name. On Windows clients, these files are stored in `%APPDATA%\\Roaming\\Zoom\\data\\xmpp_user\\CodeSnippet\\<random uid dir>`. The same is the case with regular file sharing through Zoom. However, in case of a shared code snippet, Zoom will proceed to automatically unpack the downloaded zip file in order to preview and display the snippet. The core of this vulnerability is that Zoom\u2019s zip file extraction feature does not perform validation of the contents of the zip file before extracting it.\n\nThis allows a potential attacker without user interaction to plant arbitrary binaries on target\u2019s computer via automatically extracted zip files. Additionally, a partial path traversal issue allows the specially crafted zip file to write files outside the intended randomly generated directory. For example, a file inside a zip archive with a file path of \u201c..\\test\\another\\test.exe\u201d would actually be extracted to `%APPDATA%\\Roaming\\Zoom\\data\\xmpp_user\\CodeSnippet\\test\\another\\text.exe` instead of being contained inside a directory with random UID. This in itself could potentially be abused in leveraging another vulnerability.\n\nIn addition, a quirk of how Zoom handles shared files allows this vulnerability to be taken further with target user interaction. When a regular file is shared with a Zoom client, they need to click on the file and choose a destination to save it before accessing it. Since the Zoom client keeps track of downloaded files, combining this fact with the above described issue can lead to arbitrary file writes to arbitrary paths. In this scenario, the attacker would first share a malicious zip file with the target user with a benign filename, like \u201cinteresting_image.jpeg\u201d. The target would presumably click and save the file somewhere (on their Desktop for example). The user won\u2019t be able to open the file as either a zip or a jpeg directly. Zoom client, on the other hand, keeps track that this particular unique file was saved at the specified path. Then, an attacker sends a code snippet sharing message to the target but specifies the same file id and details in the `obj` tag. Zoom client application will see that the file has already been downloaded and will proceed to unzip it, disregarding the `.jpeg` extension. By abusing the partial directory traversal, malicious zip file could extract files to `c\\Users\\<username>\\` and any children directories.\n\nIn this scenario, the attacker uploads a single file to `file.zoom.us` server called `interesting_image.jpeg`. Attacker then sends a message like the following:\n \n \n <message from=\"source_xmpp_username@xmpp.zoom.us/ZoomChat_pc\" to=\"destination_xmpp_username@xmpp.zoom.us\" id=\"{170029-35B3-4748-9CB0-42E42FF20DE5}\" type=\"chat\">\n <thread>gloox{THREADID}</thread>\n <active xmlns=\"http://jabber.org/protocol/chatstates\"/>\n <sns>\n <format>%1$@ sent you a file</format>\n <args>\n <arg>S E</arg>\n </args>\n </sns>\n <zmext expire_t=\"1650165620000\" t=\"1587093620200\">\n <obj k=\"key\" id=\"__object_id_of_interesting_image.jpeg\" s=\"166\" nm=\"interesting_image.jpeg\" f=\"5\" st=\"0\"/>\n <from n=\"S E\" e=\"emailaddress\" res=\"ZoomChat_pc\"/>\n <to/>\n <visible>true</visible>\n <msg_feature>8</msg_feature>\n </zmext>\n <body>S E has sent you a code snippet</body>\n </message>\n \n\nThe client saves the file and then the attacker sends another message with almost the same content:\n \n \n <message from=\"source_xmpp_username@xmpp.zoom.us/ZoomChat_pc\" to=\"destination_xmpp_username@xmpp.zoom.us\" id=\"{170029-35B3-4748-9CB0-42E42FF20DE5}\" type=\"chat\">\n <thread>gloox{THREADID}</thread>\n <active xmlns=\"http://jabber.org/protocol/chatstates\"/>\n <sns>\n <format>%1$@ sent you a file</format>\n <args>\n <arg>S E</arg>\n </args>\n </sns>\n <zmext expire_t=\"1650165620000\" t=\"1587093620200\">\n <obj k=\"key\" id=\"__object_id_of_interesting_image.jpeg\" s=\"166\" nm=\"interesting_image.jpeg\" f=\"14\" st=\"0\"/>\n <from n=\"S E\" e=\"emailaddress\" res=\"ZoomChat_pc\"/>\n <to/>\n <visible>true</visible>\n <msg_feature>1024</msg_feature>\n </zmext>\n <body>S E has sent you a code snippet</body>\n </message> \n \n\nThe change in the above message is in `f` attribute of `obj` tag. It specifies `14` indicating a code snippet feature. Likewise, the `msg_feature` is adjusted to `1024` as is observed for shared code snippets. The file ID and name inside the `obj` tag are unchanged causing the Zoom client not to re-download a file into it\u2019s intended \u201cCodeSnippets\u201d directory, but to use the previously saved path.\n\nIt should be noted that even if the target user deletes the saved file upon realizing it is bogus, Zoom client will re-download it but still honor the original save path when the final message is received. Also, malicious zip file can contain multiple copies of malicious files with directory traversing paths which can be used to accommodate for arbitrary places where a target user might save the file.\n\nIn summary, this vulnerability can be abused in two above outlined scenarios. First, without user interaction, it can be abused to plant arbitrary binaries on target system albeit at a constrained path potentially used in exploiting another vulnerability. Secondly with user interaction, plant binaries at almost arbitrary paths and can potentially overwrite important files and lead to arbitrary code execution.\n\n### Timeline\n\n2020-04-16 - Vendor Disclosure \n2020-04-21 - Sent to vendor via a different channel at their request \n2020-04-21 - Vendor acknowledged \n2020-04-29 - Vendor requested additional information re: OS system tested on \n2020-04-30 - Talos retests and issues revised advisory \n2020-05-13 - Talos follow up \n2020-05-26 - Talos 2nd follow up \n2020-05-27 - Vendor says issue was not reproducible in 5.0.1 released on 2020-04-30 \n2020-05-28 - Talos confirms the issue was fixed in 4.6.12 and confirms 4.6.10 and 4.6.11 (and likely prior) were vulnerable \n2020-06-03 - Public Release\n\n##### Credit\n\nDiscovered by a member of Cisco Talos. \n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2020-1024\n\nPrevious Report\n\nTALOS-2020-1055\n", "modified": "2020-06-03T00:00:00", "published": "2020-06-03T00:00:00", "id": "TALOS-2020-1056", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1056", "title": "Zoom Client Application Chat Code Snippet Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:19", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2020-1055\n\n## Zoom client application chat Giphy arbitrary file write\n\n##### June 3, 2020\n\n##### CVE Number\n\nCVE-2020-6109\n\n### Summary\n\nAn exploitable path traversal vulnerability exists in the Zoom client, version 4.6.10 processes messages including animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability.\n\n### Tested Versions\n\nZoom Client Application 4.6.10\n\n### Product URLs\n\n<https://zoom.us>\n\n### CVSSv3 Score\n\n8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-22 - Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019)\n\n### Details\n\nZoom is a video conferencing solution that offers many features, including chat with users\u2019 contacts. Official client applications exist for Windows, macOS and Linux systems.\n\nZoom\u2019s chat functionality is built on top of XMPP standard with additional extensions to support rich user experience. One of those extensions supports a feature of including animated GIF messages in chat. This feature is provided and relies on the Giphy service. When a client application receives an XMPP message with this `giphy` extension, it is instructed to visit a specified HTTP URL and fetch the GIF file to display it to the user. An example of such XMPP message is as follows:\n \n \n <message from='source@xmpp.zoom.us' to='destination@xmpp.zoom.us' id='random' type='chat'>\n <body>User Name sent you a GIF image. In order to view it, please upgrade to the latest version that supports GIFs: https://www.zoom.us/download</body>\n <thread>RANDOM</thread>\n <active xmlns='http://jabber.org/protocol/chatstates'/>\n <sns>\n <format>%1$@ sent you a picture</format>\n <args>\n <arg>User Name</arg>\n </args>\n </sns>\n <giphy id='filename' url='image_url' tags='congrats'>\n <pcInfo url='image_url_for_pc_display' size='10'/>\n <mobileInfo url='image_url_for_mobile_display' size='10'/>\n <bigPicInfo url='image_url_for_full_size_display' size='10'/>\n </giphy>\n <zmext expire_t='timestamp' prev='timestamp' t='timestamp'>\n <from n='User Name' e='email' res='ZoomChat_pc'/>\n <to/>\n <visible>true</visible>\n <msg_feature>0</msg_feature>\n </zmext>\n </message>\n \n\nTwo things are of interest in the above XML stanza. First, the `giphy` tag contains three target URLs that are supposed to point to Giphy\u2019s servers. Short testing shows that no destination URL validation is performed, and the client will follow whichever URL is specified, including to arbitrary servers. When a custom URL is specified , an HTTP connection from the client can be observed:\n \n \n GET /test.gif HTTP/1.1\n Host: example.com\n User-Agent: Mozilla/5.0 (ZOOM.Mac 10.14.6 x86)\n Accept: */*\n Cookie: srid=SaaSbeeTestMode00123578;\n ZM-CAP: 2535978022733895607,164\n ZM-PROP: Mac.Zoom\n ZM-NSGN:2,zVM1hmoFnK2kx8t/KEifN7IAXRSE/CnqolsM0zV6ess=,1586812854000\n \n\nIt should be pointed out that, although no authentication cookies are present in the above request, enough information is leaked to uniquely identify the client. Header `ZM-NSGN` contains a hashed and encoded unique client device ID.\n\nWith additional testing, another observation can be made. Even though `giphy` extension is supposed to display GIF images only, it will readily display and preview other image types , too. This includes PNG and JPEG file formats.\n\nSecond thing of interest in this message XML stanza is the fact that `id` attribute of the `giphy` tag is directly associated with image filename as cached on disk by the client. In other words, the client application will use this specified ID to save the file to disk for future displaying purposes. Arbitrary filenames can be supplied and the file will be stored in a predictable location inside `data` directory under Zoom\u2019s installation directory.\n\nThe actual vulnerability lies in the fact that filenames are not sanitized in any way and allow for directory traversal. This means that a specially crafted `id` attribute of the `giphy` tag could contain a special file path that would write a file outside Zoom\u2019s install directory and indeed in any directory writable by the current user. The following modified `message` stanza illustrates this possibility:\n \n \n <message from='source@xmpp.zoom.us' to='destination@xmpp.zoom.us' id='random' type='chat'>\n <body>User Name sent you a GIF image. In order to view it, please upgrade to the latest version that supports GIFs: https://www.zoom.us/download</body>\n <thread>RANDOM</thread>\n <active xmlns='http://jabber.org/protocol/chatstates'/>\n <sns>\n <format>%1$@ sent you a picture</format>\n <args>\n <arg>User Name</arg>\n </args>\n </sns>\n <giphy id='../../../../../../Desktop/mallicious_file.exe' url='image_url' tags='congrats'>\n <pcInfo url='image_url_for_pc_display' size='10'/>\n <mobileInfo url='image_url_for_mobile_display' size='10'/>\n <bigPicInfo url='image_url_for_full_size_display' size='10'/>\n </giphy>\n <zmext expire_t='timestamp' prev='timestamp' t='timestamp'>\n <from n='User Name' e='email' res='ZoomChat_pc'/>\n <to/>\n <visible>true</visible>\n <msg_feature>0</msg_feature>\n </zmext>\n </message>\n \n\nThe severity of this vulnerability is partially mitigated by the fact that Zoom client will append a string `_BigPic.gif` to the specified filename. This prevents the attacker from creating a fully controlled file with arbitrary extension. The above would still place a file of arbitrary content to current users desktop with filename if the attacker\u2019s choosing, albeit with `.gif` extension. Contents of the file aren\u2019t limited to images only and could potentially include executable code or script which could be abused to aid exploitation of another vulnerability.\n\nAdditionally, on Windows systems with NTFS file systems, NTFS alternative streams could be abused to create an empty file arbitrary extension. Specifying an `id` of `'../../../../../../Desktop/malicious_file.exe:` would result in Zoom expanding this filename into `'../../../../../../Desktop/malicious_file.exe:_BigPic.gif.zmdownload` which when created actually results in a filename `malicious_file.exe` with alternate stream `malicious_file.exe:BigPic.gif.zmdownload:$DATA`. The effect of this is an apparently empty file with `.exe` extensions. This could potentially be abused to change configuration of other apps , affect lock files, or otherwise aid in exploitation of another vulnerability.\n\n### Timeline\n\n2020-04-16 - Vendor Disclosure \n2020-04-21 - Vendor acknowledged ticket open for the issue \n2020-05-26 - 2nd follow up \n2020-05-27 - Vendor confirmed issue patched on 2020-04-21 \n2020-06-03- Public Release \n\n\n##### Credit\n\nDiscovered by a member of Cisco Talos. \n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2020-1056\n\nPrevious Report\n\nTALOS-2019-0957\n", "modified": "2020-06-03T00:00:00", "published": "2020-06-03T00:00:00", "id": "TALOS-2020-1055", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1055", "title": "Zoom client application chat Giphy arbitrary file write", "type": "talos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}