Thank you all for tuning in. I'm super honoured to be speaking here today at DEF CON. This is my first DEF CON talk, and I'm super honoured to be here today. I wish that we could all have a normal DEF CON and be able to meet everyone in person, but hopefully next year, when life gets back to normal.

Yeah, let's start. So who am I? I'm Mazin Ahmed. I'm a cyber security engineer, and I specialize in offensive security and AppSec. I also founded FullHunt. If you haven't heard about FullHunt, it's the next-generation asset discovery slash monitoring slash scanning slash a lot of cool things that are happening in the background. If you haven't tried it or checked it out, you should definitely do so. It will be one of the coolest things in security one day soon. Before that I worked in security engineering at ProtonMail. I was also a bug bounty participant, where I reported security vulnerabilities to Facebook, to the Department of Defense, to Twitter, and many others. I'm interested in web, infra, mobile and cloud security, Wi-Fi, evasions, security automation and DevSecOps, and many other cool things in security. You can read more at mazinahmed.net, and you can find my contact details there.

And yeah, let's start. So the agenda for today: of course we are talking about hacking Zoom. Before that we need to have a quick intro about Zoom, just in case, so that's first. Then we're going to have a background, findings, a little perspective on Zoom's last-minute VDP, recommendations, final thoughts, and then we would have room for Q&A.

Zoom. Everyone knows it today. Everyone is using it. It's literally everywhere in the world. Every company, almost every company, is using it. Governments use it too. We saw last week the hearing of the Twitter hack, where the hearing was done via Zoom, and that hack happened at the hearing, live. It was quite bad, but yeah, this proves that everyone is using it. In May 2020 the market valuation for Zoom is 50 billion USD. I'd like to bring this chart here. This is a comparison between the
market capital of Zoom against the top seven airlines in the world, including United and Delta. So combining the top seven airlines' market capital, Zoom would be either equal or have a higher market capital. This is crazy just to think about, how Zoom became what it is today. And the rise of Zoom started with the global pandemic; everyone knows about that. So from a stock performance view, almost all of the companies were in the same range, as we can see here, and then it jumped. It actually skyrocketed by May, with all that was happening. Meanwhile, all of these top airlines were quickly falling down, as we can see. For me, I just find this really interesting, to imagine how Zoom became what it is today. Yeah, because of how important Zoom is, this is where my research started.

So in March 2020, Patrick Wardle gave a talk at Upcourt about Zoom security and the state of security at Zoom, and he disclosed a number of security vulnerabilities in the macOS client of Zoom. This brought a lot of attention from the media, and to me personally, and from that I got more interested and started my research from there.

So what was tested before? The Zoom macOS app. It was tested; we can read about it in the media, and we can read about it in research done by Patrick Wardle and many others. It was hacked. It was really bad; it was reusing really bad practices. There were a lot of Zoom privacy concerns, and yeah, the way that Zoom is sharing data with Facebook, and a lot of things we can also see. But what was not tested before? Of course many things; I just shared two, but many things have not been tested before. For me, I'm trying to take into account a couple of things that I will be showing now. One thing that was not tested was the Zoom Linux app. Nothing. I have tried to search for any research or disclosure of any vulnerability in the Zoom Linux client; I haven't seen anything. This is one thing that I wanted to see, or to focus on. The Zoom external attack surface: Zoom became huge, and there was no focus on the external attack surface of Zoom.
The Zoom cloud infrastructure, how it's being set up, and different things related to the infra. And of course Zoom's new end-to-end encryption implementation, where I've seen it in the media: did anyone test it? I'll talk about that later. And of course there are a lot of things; I only focused on these. There is a lot of room for research in this area.

So, the findings agenda. I'm not going to go through each one of them now; we will talk about them later. It's just here for people who are curious to see what we're going to talk about. A quick disclaimer: the entire research is non-funded. This is non-funded research; I have done everything here in my spare time. Just to confirm that, or to state that.

The research background. The first finding that I identified was in April 2020, and my expectations did not match what I was seeing in the media. We will know how later. The first conclusive response for my finding that I reported in April 2020, I got in July, and this wasn't a very pleasing experience, and this was after a lot of follow-ups from my side, of course. And after submitting the CFP to DEF CON, the second round of research started, and at that time I identified an additional six new different vulnerabilities and security-related issues, and of course everything was reported to Zoom. And the reward was zero dollars. Yeah, I just want to say that.

So the first step for doing any type of offensive research is the reconnaissance: understanding the attack surface, and that's where I started. I used FullHunt to get the Zoom details. The API returned around 13 domains, and this is the list of domains that was discovered. I took a portion of them and analyzed them; the remaining are there. If anyone would like to have a test drive, feel free.

And let's go to the findings. One thing that I noticed was that there were two servers that had a Kerberos service running, and when I saw that I got interested to see what's happening there. Apparently there were two exposed Kerberos servers that were exposed
unintentionally to the internet, and no one knew about them. So this one also had a web service running on port 80, and it was FreeIPA. If you don't know FreeIPA, it's an identity management solution that was developed by Red Hat. It's open source; you can check it out. And I started by testing the web interface. As you can see in this screenshot, when you are providing a username, you can see that there is a Kerberos error that is telling you that. And one thing that I did not mention here: whenever you see a Kerberos server running by itself, it's not huge, but once you compromise it, or you have a single credential that is valid, then this would open a huge amount of attack surface for you. And that's what I was doing: I wanted to get an initial foothold there and then go from there.

So I started doing user enumeration there, and you can see here: the previous one was showing that there was an error, this user is not found by the KDC, and here, the authentication failed, or the previous authentication failed, which means that we are able to identify valid usernames. And then I started building word lists based on different things to identify more usernames, so that I can brute-force them. I compiled the word list from the pattern that I have seen. So the pattern that I have seen for the Zoom emails is first name, last name at zoom.us, also the common usernames that I was able to find, and the employee names, of course. I compiled them all, and I did that for usernames. The only user that I found was admin at idm.meezoom.us. I then ran a number of brute-force sessions on them; nothing interesting happened. Then I saw that I was hitting a rabbit hole, so I just moved to another, more interesting thing that I could find. A good choice.

So, the discovery of a memory leak on a Zoom production server. Zoom allows uploading profile pictures on accounts, which is the typical thing. The process for that is: first, the user uploads a profile image, and the profile image is either JPEG, and
this is the tricky one. If the image is PNG or GIF, it's converted to JPEG, and if the image is JPEG, the image conversion is not triggered. And there is another thing here: if the image contains an invalid image header, the update-profile API... so there is a good check on that image header, and it's using magic bytes, of course, by checking the magic bytes. I like to test image conversion or processing software whenever I see an API that is utilizing that or using that. I know for a fact that there is a lot happening there, and the reason is because image conversion is not a vital functionality in the infrastructure of a company, or even a web startup. So what happens is it often gets forgotten, and there are no security updates; as long as it's working, then it's fine. This is something that I have seen as a pattern, and that's why I started testing that, or focused on that.

So one cool exploit here, or vulnerability, that was released in 2016 was known as the ImageTragick exploit or vulnerability, and this vulnerability allowed having remote code execution on the instance that is running the image processing when providing certain payloads. You can read more about the CVE offline. So I have tested this one, and they seem to have this one patched, so I moved to the next one. It did not work, so I moved to the next one. And there is a vulnerability in ImageMagick that was reported in 2017, and it works like this: whenever the palette is uninitialized or not present in the GIF file, basically, ImageMagick leaks portions of the memory into the generated or rendered image. And this is the fix for the vulnerability that was issued at that time, around July 2017. I generated a payload that renders this way in a normal browser or normal software that is patched, but when I upload the payload to Zoom, it renders this way. If you are reading the report for that CVE, this is the typical behavior of having the exploit be successful. And if you download this image and try to obtain the strings from it,
you will find that it is taking some portions of the memory. Then I thought, maybe this is an image processing software fault, or a best effort just to render the image that is corrupted, or there is a problem that is happening because of rendering a black image. So I generated a clean one that is not like the payload; this one has the palette initialized, and when I uploaded it, it renders normally. Okay, this sounds really interesting: we have a memory leak on Zoom production. The typical thing is to automate the exploitation for that, and the flow for that would be: generate a new unique payload, wait for the rendering to happen, download the rendered file, extract the data from the corrupted file that was rendered by Zoom, repeat, and store the leaked memory portions. So this proof of concept does that. I am going to have a demo time, which is cool. Here it generated the image and uploaded it to Zoom, downloading the image now, and here, recovering the dump. So here, a memory leak on Zoom production.

That was not the end of that. I remember that in 2018 Tavis Ormandy released research on Ghostscript, which was used by ImageMagick, and his research revealed a number of critical vulnerabilities in Ghostscript, and the proof of concept that he shared in the research, when doing image conversion, can lead to remote code execution. And it was really cool to see this. And what I did is I used the proof of concept that Tavis wrote, and before I show you this, let's think first. So we know for a fact that the 2016 ImageTragick CVE is patched, but we kind of think that the ImageMagick memory leak is present, based on the proof of exploitation we had here. And that one was patched in... the patch was released in May 2016, and the patch for the memory leak was released in July 2017, and it's not patched. Based on that, we can safely say that Ghostscript is not patched, right?
So I wrote, like, I took the proof of concept from the research that Tavis Ormandy wrote, and I replicated it locally with the same environment I assume Zoom has, with the same version, with the same range of versions that Zoom is mostly using. And yeah, it's working. And fortunately, or unfortunately, /p/upload checks for magic bytes; otherwise a full exploitation would have been possible. But still, this does not mean that Zoom is safe. If there is any particular API that is utilizing the same functionality and it's not checking the magic bytes, this would lead to the execution. This doesn't sound nice; this doesn't sound good, by any means. And I don't know how to say this, but the RCE vulnerability is probably still there in Zoom production.

Another thing we have here is Shadow IT and Zoom. I have noticed that Zoom has a number of Shadow IT servers running on different hostnames, and they are not properly configured, and they may be a good target for conducting a successful attack. I have seen this on multiple occasions. This example here is showing an instance that did not have any patches since, let me check, September 10th, 2019. I took this picture on July 4th, 2020. In a time frame of around 10 or 9 months, there were no patches on that server, or any new builds, and we all know that there were plenty of security vulnerabilities that were reported to them, and you can imagine. Another cool thing here is that the same host had 9 active connections, including me. It makes it an excellent fit for doing any type of testing without triggering alerts, which is cool, so that you can test it and be safe, or undetectable, compared to testing zoom.us, the main website. Or yeah, enough about all this.

And let's start to talk about the Zoom app for Linux. One cool finding here: the Zoom Linux client. So the TLS is broken by design on Linux, and you're going to see how that is happening. I don't see this as the best practice, especially for Zoom, but we can talk about that. So whenever there is
any traffic that is intercepted with a custom TLS certificate, Zoom prompts this message. While it looks normal, everything is fine here, and whenever you click "trust anyway", then you would have the traffic going with this accepted certificate, which is an untrusted one. But what happens here is that this certificate, like, the hash or fingerprint for this certificate, is saved locally with the same permissions as the user. And you can simply just plug in, like, if you have malware which is able to have access to your machine, this malware can safely or easily just plug in the fingerprint of the certificate, and then all of the traffic that is going to Zoom can be intercepted, even if it's using SSL or TLS, because the certificate will be accepted without having this type of prompt, because it was added to the local database in the background.

So I wrote a simple proof of concept as a sample of what malware would look like, in a way or another, as a concept. And this particular part of the malware, or the proof of concept, would get the fingerprints for all of the forged certificates that we have, and then it would add them to the Zoom local database. And once they are added, these certificates can be provided to Zoom, and all the traffic would be passing without having any error like this, and all of the encrypted traffic could be intercepted when having malware running with the same user access as this one. Well, I have to say, this is not a really bad vulnerability, but it isn't the best practice to do that. But as we are going now, we are going to see something that is really bad, and we are going to see it now.

So I would start with this question: what's a bad design for an application launcher? Good question, and we are going to know the answer. So /usr/bin/zoom, and whenever Zoom is called, Zoom is printing the following logging data on stdout, and there is a part where you can see:
Zoom path is zoom, and then: zoom does not exist at current directory. Okay, this looks interesting already. What's happening in the background? Zoom checks for files within pwd, and if there is an executable called zoom, literally, in pwd, it executes it as a child process of /usr/bin/zoom. I was mind-blown when I saw that. Why would this be there? This is a proof of concept: I created a file called zoom, and then Zoom checks in the pwd if there is a file called zoom, literally, and executes it. Of course it has to have the executable file permission. So imagine this: you have application whitelisting. There are a lot of points that I can make here, to be honest, that would show how bad this design is, and if there is anything related to application whitelisting, and you are whitelisting Zoom, this would literally break that, because this is executed as a child process of a trusted application, Zoom. And yeah, it's bad practice and bad design by all means. Like, why is this being implemented this way? So that's my answer: what's a bad design for an application launcher? I would say the Zoom application launcher for Linux.

Another bad thing happening here: the Zoom local database implementation. You will see now. So in the configuration files, the configuration directory of Zoom, there is this file, the local database zoomus.db, the default database, and a lot of other files that are there for Zoom. The most important file is zoomus, because it has the access tokens; it has all of the PII for the user and everything. And as we can see here on the screen, the file permission is 644. Let me show you this. 644: this gives the user write and read access. Okay, sounds reasonable, nothing bad in that. Group access, to give it read access? Why? Really, like, really, are you sure about that? But everyone to have read access into the Zoom local database of the Zoom user? Why? Literally any code on the user machine that has access to the... like, any code that has access to the user machine can read and
exfiltrate the Zoom local database and configurations, and more of course, because the permission, or the file permission, for the Zoom local database is set to be readable by everyone. And okay.

Another thing that is quite cool: Zoom is end-to-end encrypted. We can see later, but my answer is not fully yes. One awesome product by Zoom is Zoom Chat, and it's advertised on the website, as we can see here, as a platform that makes work and collaboration much easier, on mobile and desktop, with a really clean design and UI that looks kind of similar to what Slack is having. This is not the point, but it looks good as a product, right? And as we go back here, yeah, I'll focus on the security part. As we can see in the security and archiving, Zoom encrypts data; again, here, encryption of data in transit and at rest, encryption for data on mobile devices, your messages... So there is a lot of advertisement that is going on with how secure Zoom Chat is, and for security they don't really necessarily talk about the application security level of security, but they are talking about how all of the data... On the left side we can see the way a message is E2E encrypted by now, as advertised, and then on the left side we can see the local database, a custom one that is made by Zoom. We can see that they have it, and I can just read what's happening there and what they are storing on your local device. So here I sent a message, and it's saying that this is a secret. Oh well, this one second, I have to repeat that: the message is being stored locally, at rest, in clear text. Here, anyone who is able to have access to the user machine is able to pull a full archive of all messages that are being sent, that were
or are supposed to be end-to-end encrypted, and it's saved in plain text. And yeah, this does not sound good, and it's not one that you can have as a record or a backup for your messages; it's just a debugging feature that they left open in production for the Linux build. I'm not sure if this is applicable on macOS or on Windows, but you can see that it's applicable here on Linux. By the way, the fact that the same database for messages has the 644, where is it, the 644 user permission, means that any code that is running, despite what type of user is running it, is able to access this unencrypted chat archive. Doesn't sound good. Yeah.

So of course I could have gone further and tested more, but at the end this is just the time that I have spent to just fuzz around with Zoom. I did this for curiosity purposes, mainly, but definitely I could have spent more time. But then, yeah, I jumped to the responsible disclosure. Now, I started the experiment around April 15, reported it on April 18, I contacted Luta Security on Twitter, followed up with the vulnerability disclosure again on the 26th, a couple of messages, and in the background, on May 5th of 2020, I received a closure of the memory leak at zoom.us report. Yeah, here. So yeah, I wasn't happy. So what's next? I tweeted about that, and then I was asked to send it via HackerOne. Then, in the communication, they were trying to run my automated exploit for the memory leak. Then, when nothing seemed to be happening, I informed Zoom that I'm planning to present my ongoing research here at DEF CON, and then Zoom told me that they cannot assess the issue as there was no sensitive data seen, despite the reproducibility of the vulnerability with the provided exploit, and then it was closed as Not Applicable. Sure. Then I sent, on July 11, my new research results, reporting seven new different security vulnerabilities, six to seven new vulnerabilities. I got an acknowledgement about receiving my
report, and by the way, this is the first conclusive response regarding the memory leak issue, and by conclusive I mean that they did a full analysis of what was happening. In the previous ones on HackerOne, they were trying, and they triaged it as valid, and then they were trying to run my exploit, and that's all. But this one, they researched more and analyzed more about how this is happening and what was the cause of the issue, and it was, like, literally three months after I reported it. Then further explanation from Zoom regarding the vulnerability, or the findings in general. Okay, now, what was happening: their explanation, and then my response regarding each analysis that they provided. So for the public authentication, yeah, you can see what's happening here, what they wrote, and well, yeah, for me: while agreeing this may be a forgotten server that was mistakenly exposed, I haven't seen any references of 2FA being implemented, but in all cases it's down now, so it's great. Oh wait, I think I messed up the messages here. Anyway, so this is the same slide from the last one. So we did check that ImageMagick is not used for image conversions here, but wait, the same vulnerability is being reproduced. It's maybe a fork of ImageMagick, or an image processing software that is vulnerable to the same CVE of not being able to parse GIF images that have uninitialized palettes. This sounds reasonable. In all cases, it's clear that something is wrong, right? Shadow IT and Zoom: so these are "non-sensitive information disclosure from a secured environment; information hygiene is important to us and we appreciate you reporting this finding". So that's great. So FullHunt can help here, probably the best product out there for mitigating Shadow IT risks. Oh, I think part of the discussion regarding the image conversion is not placed on the slide, but please check my blog after that to have the full list of discussion. So, for what was happening for the Linux app
findings, yeah, they fixed it, or patched it, in 5.2.0, which was released on August 3rd. I think they were supposed to patch or release on August 2nd, but it was released on August 3rd. In all cases, I have read the changelog; there was no mention whatsoever of any security patches, so clearly it was a silent fix, which wasn't a nice thing. At least users should have some transparency of the state of security for the company that they use or trust. Yeah, the patches: I just told you about the patches for what happened for the Linux app. For what was happening with the image conversion, they decided to not patch it, because they are not seeing sensitive data that is being exposed. Then what happened is they stated that they are not using ImageMagick, but still the same behavior of the vulnerability is being reproduced as a result of the image conversion, so clearly something bad is happening. But I'm not a part of Zoom, too, or I don't have a say at Zoom to have them fix that. So my responsibility, as part of the research that I'm conducting, is to just let them know, and that's all. What else? The findings: the Shadow IT, I'm not sure if they started reviewing all of their Shadow IT instances; that's something that they are supposed to do. For the Kerberos server, they took it down, which is good, which is awesome. And yeah, they told me that they are patching all of the vulnerabilities, and for the Linux app, on the release of August 2nd or August 3rd, it was released with no mention of any security fixes or updates.

Yeah, for me it was a difficult experience to be able to report these vulnerabilities to them. In the beginning there was a lack of communication, despite all of what was happening, or what I was hearing in the media. Every now and then I see that Zoom has patched a critical or severe vulnerability that was even attacking things that are less risky than what I have
found, but it was generating a lot of media PR that is bad for, or negative to, Zoom, and I assume that was the reason why they were patching it that quickly, compared to my experience with the Zoom VDP. And yeah, of course I did not release anything that I found before this talk to, like, other parties, authorized or unauthorized, and yeah, so it was not mentioned in the media before. I did not share it with anyone in the media; that's probably one reason it wasn't fixed, or my experience wasn't the same as with the vulnerabilities that were heard about in the media. And that's one thing I'm not sure about, but I would be surprised if I'm the only researcher in the world that had this experience with Zoom security. I would be really surprised about that.

Another part is the massive growth versus security. Zoom has grown in 2020 in a way that no one could have imagined. Zoom has been here forever, and the growth that they got during 2020 was something that, for me, it was like no one would have expected this to happen, and this reflected a lot on the security. A lot of people have a clear focus on the security of Zoom since it became a part of our lives. Everyone is using it: I use it, my company uses it, everyone that I know uses Zoom, and that's why security is extremely important now for Zoom. And the thing is, having security means that you have to have a full security program running. It's not that easy to have a full security program, and there are a lot of things to consider when doing that. For me, when I build security programs in companies, I take a lot of time to do that, and this is the typical thing, even if we have the highest budget, similar to what Zoom is having. It does not come down to how much budget is allocated to Zoom security; it's about different processes that should have been already done before the pandemic, and having a last-minute security program, or a last-minute VDP, vulnerability disclosure program, is not easy and can cause a lot of
errors and mistakes happening, like miscommunications and focus. These types of patterns that I have seen with Zoom are something that is possibly happening to all of the researchers that have been reporting to Zoom responsibly. I'm just saying that there is a lot of work for the security program at Zoom to be done. The reward, yeah, that's another thing. One thing that I also saw is that Zoom counts, like, has advertised the program, and then has the reward for all of the research that they have conducted as zero USD. This is not a
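The image-conversion finding in the talk (a GIF with no palette leaking server memory into the rendered image, with only magic bytes being checked at upload) suggests a defender-side check: validate the GIF structure before handing it to a converter. This is an added example, not code from the talk or from Zoom; the GIF parser and the inline sample files are constructed here to show the check rejecting a palette-less frame while accepting frames with a global or local colour table.

```python
import struct
from typing import Tuple

GIF_MAGIC = (b"GIF87a", b"GIF89a")


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of GIF data sub-blocks (length byte + payload) ending in 0x00."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def _colour_table_size(packed: int) -> int:
    """Byte length of a colour table whose size field is in the low 3 bits of packed."""
    return 3 * (2 ** ((packed & 0x07) + 1))


def check_gif_palettes(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for an uploaded GIF. ok is False when the file is not
    well-formed or any frame has neither a global nor a local colour table, i.e.
    the missing-palette condition the talk links to the ImageMagick memory leak."""
    if data[:6] not in GIF_MAGIC:
        return False, "not a GIF (magic bytes)"
    if len(data) < 13:
        return False, "truncated logical screen descriptor"
    # Logical Screen Descriptor: width, height, packed flags, bg index, aspect ratio
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    has_global = bool(packed & 0x80)
    if has_global:
        pos += _colour_table_size(packed)
        if pos > len(data):
            return False, "truncated global colour table"
    frames = 0
    try:
        while True:
            if pos >= len(data):
                return False, "missing trailer (0x3B)"
            block = data[pos]
            pos += 1
            if block == 0x3B:            # trailer: end of stream
                break
            if block == 0x21:            # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif block == 0x2C:          # image descriptor: 8 bytes geometry + packed
                if pos + 9 > len(data):
                    return False, "truncated image descriptor"
                img_packed = data[pos + 8]
                pos += 9
                has_local = bool(img_packed & 0x80)
                if has_local:
                    pos += _colour_table_size(img_packed)
                if not (has_global or has_local):
                    return False, f"frame {frames} has no colour table"
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW min code size
                frames += 1
            else:
                return False, f"unknown block 0x{block:02X}"
    except ValueError as exc:
        return False, str(exc)
    if frames == 0:
        return False, "no image frames"
    return True, f"ok: {frames} frame(s), each with a colour table"


# Constructed samples (not from the talk): a 1x1 frame assembled with and
# without a colour table, following the GIF89a byte layout.
LSD_WITH_GCT = b"\x01\x00\x01\x00\x80\x00\x00"   # packed 0x80: global table, 2 entries
LSD_NO_GCT = b"\x01\x00\x01\x00\x00\x00\x00"     # packed 0x00: no global table
GCT = b"\x00\x00\x00\xff\xff\xff"                # two RGB entries: black, white
GCE = b"\x21\xf9\x04\x00\x00\x00\x00\x00"        # graphic control extension block
IMAGE_DATA = b"\x02\x02\x44\x01\x00"             # LZW min code size 2, one sub-block, terminator
FRAME_NO_LCT = b"\x2c" + b"\x00" * 4 + b"\x01\x00\x01\x00" + b"\x00" + IMAGE_DATA
FRAME_WITH_LCT = b"\x2c" + b"\x00" * 4 + b"\x01\x00\x01\x00" + b"\x80" + GCT + IMAGE_DATA
TRAILER = b"\x3b"

GOOD_GIF = b"GIF89a" + LSD_WITH_GCT + GCT + GCE + FRAME_NO_LCT + TRAILER
LOCAL_ONLY_GIF = b"GIF89a" + LSD_NO_GCT + FRAME_WITH_LCT + TRAILER
NO_PALETTE_GIF = b"GIF89a" + LSD_NO_GCT + FRAME_NO_LCT + TRAILER
NOT_A_GIF = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # JPEG magic bytes, not a GIF

if __name__ == "__main__":
    for name, blob in [("good", GOOD_GIF), ("local-only", LOCAL_ONLY_GIF),
                       ("no-palette", NO_PALETTE_GIF), ("not-a-gif", NOT_A_GIF)]:
        print(f"{name:10s} -> {check_gif_palettes(blob)}")
```

Running the check before conversion turns the palette-less input the talk describes into a rejected upload rather than a rendered image, and the reason string gives the upload service something concrete to log.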