Zoom 5.4.3 (54779.1115) / 5.5.4 (13142.0301) Information Disclosure Vulnerability

Manufacturer: Zoom Video Communications, Inc.
Affected Version(s): 5.4.3 (54779.1115)
                     5.5.4 (13142.0301)
Tested Version(s): 5.4.3 (54779.1115)
                   5.5.4 (13142.0301)
Vulnerability Type: Exposure of Resource to Wrong Sphere (CWE-668)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2020-12-02
Solution Date: -
Public Disclosure: 2021-03-18
CVE Reference: CVE-2021-28133
Authors of Advisory: Michael Strametz, Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Zoom is a video conferencing and messaging software with support for
many different devices.

Some of the supported features as described by the manufacturer are
(see [1]):

"
* Unparalleled usability
  Enable quick adoption with meeting capabilities that make it easy to
  start, join, and collaborate across any device.

* Join anywhere, on any device
  Zoom Meetings syncs with your calendar system and delivers streamlined
  enterprise-grade video conferencing from desktop and mobile.

* Powerful meeting security
  Robust security settings ensure disruption-free meetings. Encryption,
  role-based security, Passcode protection, Waiting Rooms and more.
"

Due to a security issue concerning the "share screen" functionality,
screen contents of applications which are not explicitly shared by the
screen-sharing user can be seen by other meeting participants.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When a Zoom user shares a specific application window via the "share
screen" functionality, other meeting participants can briefly see
contents of other application windows which were not explicitly shared.

The contents of not shared application windows can, for instance, be seen
for a short period of time by other users when those windows overlay the
shared application window and get into focus.

Depending on the unintentionally shared data, this short exposure of
screen contents may be a more or less severe security issue.

A participant of a Zoom meeting recording a meeting using a screen
recorder software may afterwards have access to sensitive data of
other users which is accessible in a few frames of the recorded video.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS could successfully demonstrate the described attack concerning
screen recordings of Zoom meetings with unintentionally shared screen
contents both using the current Windows and Linux Zoom client software.

In this attack scenario, the two users Alice and Mallory are in the
same Zoom meeting and Alice shares her web browser window via the "share
screen" functionality.

Mallory records her whole desktop screen using a screen recorder
software, for instance SimpleScreenRecorder [3].

Between showing different things in her shared web browser window, Alice
uses another application whose application window happens to overlay
the shared web browser window.

The contents of this other application window, which is explicitly not
shared with Mallory, can sometimes briefly be seen by Mallory.

When watching the created screen recording, Mallory can pause the video
at will and thus see the unintentionally shared application window
contents from Alice.

A SySS proof of concept video illustrating this security issue is
available on our SySS Pentest TV YouTube channel [5].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a fix for the described security issue.
Please contact the software manufacturer for further information.

#  0day.today [2021-10-01]  #