Zoom chat messages can infect devices with malware • The Register

Zoom has fixed a vulnerability in its video conferencing software that a malefactor could exploit using chat messages to run potentially malicious code on a victim’s device.

The bug, tracked as CVE-2022-22787, received a CVSS severity of 5.9 out of 10, making it a medium-severity vulnerability. It affects Zoom Client for Meetings running on Android, iOS, Linux, macOS and Windows prior to version 5.10.0; users should download the latest version of the software to protect themselves from this remote code execution vulnerability.

The result is that someone who can send you chat messages could trigger your vulnerable Zoom client to install malicious code, such as malware and spyware, from any server. Exploiting it is somewhat involved, so crooks might not jump on it, but you should update your app anyway.

As Zoom explained in a security bulletin, these earlier software versions “cannot properly validate the hostname during a server change request.”

Google’s Project Zero bug hunter Ivan Fratric found the bug and reported it to the video conferencing giant back in February. As Fratric explained in a report released today, no user interaction is required to launch an attack he dubbed “XMPP stanza smuggling.”

“The only skill an attacker needs is to send messages to the victim over the Zoom chat using the XMPP protocol,” noted Fratric.

XMPP is the messaging protocol Zoom uses for its chat feature. It works by sending short pieces of XML called stanzas over a stream connection. However, the same connection carries both messages from other clients and control messages from the server.

The vulnerability exploits inconsistencies between XML parsers in Zoom’s client and server software to “smuggle” malicious XMPP stanzas to the victim client, Fratric wrote.

XMPP stanza smuggling can be used for a variety of nefarious purposes – from spoofing messages so they appear to come from another user, to sending control messages that the client accepts as if they came from the server. However, Fratric noted that the “most effective vector” for the stanza smuggling vulnerability is abusing the cluster switch.

Sending one very specific stanza, which he detailed, leads to the creation of a ClusterSwitch task in the Zoom client with an attacker-controlled web domain as a parameter.

Creating a man-in-the-middle (MITM) server to exploit this bug also revealed a bunch of data from the /clusterswitch endpoint, including a list of domains for various Zoom services.

“Since the attacker is already in the man-in-the-middle position, they can replace each of the domains with their own, act as a reverse proxy, and intercept the communications,” Fratric wrote.

For this proof of concept, he replaced the domain used for Zoom’s web server with a server he controlled, allowing him to see and modify traffic between the client and the Zoom web server. “This, in turn, allowed me to run the MITM client update process and escalate to arbitrary code execution,” explained Fratric.
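The root cause named in Zoom's bulletin is a missing hostname check on the server-change request. The following is an added illustration, not Zoom's code, of the strict validation a client should apply before honouring such a request; the stanza layout, the `<switch host=...>` element and the trusted-domain list are constructed for the example.

```python
# Added example (not Zoom's code): strict validation of the server named in a
# server-change request before the client acts on it.  The stanza layout, the
# <switch host=...> element and the trusted-domain list are constructed.
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("example-conf.test",)   # constructed allowlist
HOST_CHARS = re.compile(r"^[a-z0-9.-]+$")

def normalize_host(raw: str) -> str:
    """Reduce the value to a bare lowercase hostname.  Parsing it as a URL
    authority catches userinfo, ports and paths a naive string check misses
    ('trusted.test@attacker.test' actually names attacker.test)."""
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    if parts.username or parts.password or parts.port is not None:
        raise ValueError("userinfo and ports are not allowed")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("host must be a bare hostname")
    host = (parts.hostname or "").rstrip(".")   # .hostname is lowercased
    if not host or not HOST_CHARS.match(host):
        raise ValueError("malformed hostname")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host                              # not an IP literal: good
    raise ValueError("IP literals are not allowed")

def is_trusted_host(host: str) -> bool:
    """Exact match or proper subdomain; endswith() alone would also accept
    'notexample-conf.test'."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def validate_switch_request(stanza_xml: str) -> str:
    """Return the validated host or raise ValueError, so the caller drops the
    request instead of connecting to an attacker-chosen server."""
    node = ET.fromstring(stanza_xml).find("./switch")
    raw = (node.get("host") if node is not None else None) or ""
    if not raw.strip():
        raise ValueError("no switch host present")
    host = normalize_host(raw.strip())
    if not is_trusted_host(host):
        raise ValueError(f"untrusted server {host!r} in switch request")
    return host

def switch_request_is_safe(stanza_xml: str) -> bool:
    """Boolean wrapper: False for malformed XML or any validation failure."""
    try:
        validate_switch_request(stanza_xml)
        return True
    except (ValueError, ET.ParseError):
        return False
```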

In short: update if you haven’t already. ®
