@karanlyons
Last active July 12, 2021 14:07
Fixes for Zoom, RingCentral, Zhumu (and additional white labels) RCE vulnerabilities

(Subscribe to this gist for any updates as we get them.)

If you're using macOS, Apple has pushed an update that will remove the 14 known web servers for you. To check if you already have it:

```sh
/usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
```

If the latest version you have installed is 1.47, you should be secure against the vulnerability in these applications. If necessary, you may run an MRT scan yourself:

```sh
sudo /System/Library/CoreServices/MRT.app/Contents/MacOS/mrt -a
```

If your latest version is for some reason out of date, you can force an update of MRTConfigData:

  1. Run softwareupdate --list --include-config-data
  2. Find any and all MRTConfigData related updates (such as MRTConfigData_10_14-1.47), and install them with softwareupdate -i [package_name] --include-config-data

or

  1. Force an install of all available updates: softwareupdate -ia --include-config-data
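The version check and the "find the MRTConfigData package and install it" step above can be scripted. The following is an added example written for this page, not part of the gist: it reads the MRT version with the same `defaults` command the gist uses (macOS only), compares it against 1.47 as a version tuple rather than a float, and extracts package names from `softwareupdate --list` output in the format shown in the comments below. The helper names (`mrt_is_current`, `find_mrt_packages`, `install_commands`) are this example's own.

```python
import re
import subprocess

# Path the gist reads the MRT version from.
MRT_INFO_PLIST = "/System/Library/CoreServices/MRT.app/Contents/Info.plist"
# Version the gist names as the one that removes all 14 known web servers.
REQUIRED_MRT_VERSION = "1.47"


def parse_version(text):
    """Turn a dotted version string such as '1.47' into a tuple of ints.
    Tuples compare correctly ("1.47" > "1.9"); floats would not."""
    return tuple(int(part) for part in text.strip().split("."))


def mrt_is_current(installed, required=REQUIRED_MRT_VERSION):
    """True when the installed MRT version is at least the required one."""
    return parse_version(installed) >= parse_version(required)


def read_installed_mrt_version():
    """Read CFBundleShortVersionString with `defaults`, exactly as the gist does.
    Only works on macOS; returns None elsewhere or if MRT.app is missing."""
    try:
        out = subprocess.run(
            ["/usr/bin/defaults", "read", MRT_INFO_PLIST, "CFBundleShortVersionString"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


# `softwareupdate --list` prints each package on a line starting with "   * ".
_PACKAGE_LINE = re.compile(r"^\s*\*\s*(MRTConfigData\S+)", re.MULTILINE)


def find_mrt_packages(listing):
    """Extract MRTConfigData package names from `softwareupdate --list` output."""
    return _PACKAGE_LINE.findall(listing)


def install_commands(listing):
    """Build the install command for each MRTConfigData package found.
    --include-config-data is required even for a specific package."""
    return [
        f"softwareupdate -i {name} --include-config-data"
        for name in find_mrt_packages(listing)
    ]


if __name__ == "__main__":
    version = read_installed_mrt_version()
    if version is None:
        print("MRT version not readable (not macOS, or MRT.app missing)")
    elif mrt_is_current(version):
        print(f"MRT {version} is current")
    else:
        print(f"MRT {version} is older than {REQUIRED_MRT_VERSION}; run:")
        listing = subprocess.run(
            ["softwareupdate", "--list", "--include-config-data"],
            capture_output=True, text=True,
        ).stdout
        for cmd in install_commands(listing):
            print("  " + cmd)
```

Run it with no arguments on a Mac; on any other system it only reports that the version is not readable, which is the expected result rather than an error.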

The latest versions of both Zoom and RingCentral will also remove the servers themselves, so if you still have either application installed, check to be sure it's up to date.


To remove all the known daemons manually, run these commands in your Terminal:

```sh
# Removed by MRT 1.45
rm -rf ~/.zoomus; touch ~/.zoomus && chmod 555 ~/.zoomus; pkill "ZoomOpener"

# Removed by MRT 1.46
rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 555 ~/.ringcentralopener; pkill "RingCentralOpener"
rm -rf ~/.telusmeetingsopener; touch ~/.telusmeetingsopener && chmod 555 ~/.telusmeetingsopener; pkill "TelusMeetingsOpener"
rm -rf ~/.btcloudphonemeetingsopener; touch ~/.btcloudphonemeetingsopener && chmod 555 ~/.btcloudphonemeetingsopener; pkill "BTCloudPhoneMeetingsOpener"
rm -rf ~/.officesuitehdmeetingopener; touch ~/.officesuitehdmeetingopener && chmod 555 ~/.officesuitehdmeetingopener; pkill "OfficeSuiteHDMeetingOpener"
rm -rf ~/.attvideomeetingsopener; touch ~/.attvideomeetingsopener && chmod 555 ~/.attvideomeetingsopener; pkill "ATTVideoMeetingsOpener"
rm -rf ~/.bizconfopener; touch ~/.bizconfopener && chmod 555 ~/.bizconfopener; pkill "BizConfOpener"
rm -rf ~/.huihuiopener; touch ~/.huihuiopener && chmod 555 ~/.huihuiopener; pkill "HuihuiOpener"
rm -rf ~/.umeetingopener; touch ~/.umeetingopener && chmod 555 ~/.umeetingopener; pkill "UMeetingOpener"
rm -rf ~/.zhumuopener; touch ~/.zhumuopener && chmod 555 ~/.zhumuopener; pkill "ZhumuOpener"
rm -rf ~/.zoomcnopener; touch ~/.zoomcnopener && chmod 555 ~/.zoomcnopener; pkill "ZoomCNOpener"

# Removed by MRT 1.47
rm -rf ~/.accessionmeetingopener; touch ~/.accessionmeetingopener && chmod 555 ~/.accessionmeetingopener; pkill "AccessionMeetingOpener"
rm -rf ~/.videoconferenciatelmexopener; touch ~/.videoconferenciatelmexopener && chmod 555 ~/.videoconferenciatelmexopener; pkill "VideoConferenciaTelmexOpener"
rm -rf ~/.earthlinkmeetingroomopener; touch ~/.earthlinkmeetingroomopener && chmod 555 ~/.earthlinkmeetingroomopener; pkill "EarthLinkMeetingRoomOpener"
```

These commands do the same thing for each known white label of Zoom: they remove the web server if it exists in the hidden directory, then create an empty file in its place and set read-and-execute-only permissions on it so that the hidden server cannot be reinstalled at that location, and finally kill the server if it is still running.
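The same three steps (remove the directory, leave a read-only placeholder file, kill the process) can be expressed as an audit that reports which of the 14 known hidden directories are still a live server, already blocked, or absent, and optionally neutralizes them. This is an added example for this page, not the gist's own code; the directory-to-process mapping is copied from the commands above, the state names and the `opener_state`, `neutralize`, `audit` and `demo` helpers are this example's own, and `demo` builds a fake server in a temporary directory so the logic can be exercised without touching a real home directory.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Hidden directory names from the gist, mapped to the process each opener runs as.
KNOWN_OPENERS = {
    ".zoomus": "ZoomOpener",
    ".ringcentralopener": "RingCentralOpener",
    ".telusmeetingsopener": "TelusMeetingsOpener",
    ".btcloudphonemeetingsopener": "BTCloudPhoneMeetingsOpener",
    ".officesuitehdmeetingopener": "OfficeSuiteHDMeetingOpener",
    ".attvideomeetingsopener": "ATTVideoMeetingsOpener",
    ".bizconfopener": "BizConfOpener",
    ".huihuiopener": "HuihuiOpener",
    ".umeetingopener": "UMeetingOpener",
    ".zhumuopener": "ZhumuOpener",
    ".zoomcnopener": "ZoomCNOpener",
    ".accessionmeetingopener": "AccessionMeetingOpener",
    ".videoconferenciatelmexopener": "VideoConferenciaTelmexOpener",
    ".earthlinkmeetingroomopener": "EarthLinkMeetingRoomOpener",
}

BLOCK_MODE = 0o555  # r-xr-xr-x, what the gist's `chmod 555` sets


def opener_state(path):
    """Classify a hidden opener path: a directory means the server is (or was)
    installed; an empty r-xr-xr-x file is the gist's blocker; anything else is odd."""
    if os.path.isdir(path):
        return "server-present"
    if os.path.isfile(path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if os.path.getsize(path) == 0 and mode == BLOCK_MODE:
            return "blocked"
        return "unexpected-file"
    return "absent"


def neutralize(path, process_name=None):
    """rm -rf the directory, replace it with an empty r-xr-xr-x file (touch +
    chmod 555), and optionally pkill the opener. Returns the resulting state."""
    if os.path.isdir(path):
        shutil.rmtree(path)
    elif os.path.exists(path):
        os.remove(path)          # an old read-only blocker cannot be opened for writing
    open(path, "w").close()      # equivalent of `touch`
    os.chmod(path, BLOCK_MODE)
    if process_name and shutil.which("pkill"):
        subprocess.run(["pkill", process_name], check=False)
    return opener_state(path)


def audit(home, neutralize_found=False, kill_processes=True):
    """Report the state of every known opener under `home`; optionally fix each
    one that is not already blocked (the gist touches the file even if absent)."""
    report = {}
    for dirname, process_name in KNOWN_OPENERS.items():
        path = os.path.join(home, dirname)
        state = opener_state(path)
        if neutralize_found and state != "blocked":
            state = neutralize(path, process_name if kill_processes else None)
        report[dirname] = state
    return report


def demo():
    """Exercise the logic on a constructed fake server in a throw-away home dir.
    Returns the state seen before neutralizing and the audit report afterwards."""
    home = tempfile.mkdtemp()
    fake = os.path.join(home, ".zoomus")
    os.makedirs(os.path.join(fake, "bin"))
    open(os.path.join(fake, "bin", "ZoomOpener"), "w").close()
    before = opener_state(fake)
    after = audit(home, neutralize_found=True, kill_processes=False)
    return before, after


if __name__ == "__main__":
    for name, state in audit(os.path.expanduser("~")).items():
        print(f"{name:32} {state}")
```

Run without arguments it only reports; call `audit(os.path.expanduser("~"), neutralize_found=True)` to apply the same fix the shell commands do. The mode check in `opener_state` is what lets a fleet script tell "already remediated" apart from "never installed".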


If you're using Safari on macOS you're now good to go. However if you're using any other browser (even on other operating systems) you may still see a link immediately open Zoom (or another app) for you. This is not the same vulnerability (no RCE), and is in fact one you yourself opted into, though you may not have realized it. This will occur if you ever checked a box on a pop-up window for a Zoom meeting link that said something like "Always open these links in Zoom".

Here's how to undo that.

For Chrome:

  1. Navigate to chrome://version/ and find the path listed under "Profile Path".
  2. Quit Chrome, open that directory, and then open the "Preferences" file.
  3. This is a JSON file. Look for strings similar to "zoommtg":false, "zoomrc":false, "zhumu":false, or whatever likely coincides with your white labelled application. If any exist, remove them. If there is a comma immediately after any of them, remove it as well.
  4. Save the file.
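Hand-editing a large JSON file and getting the trailing commas right is error-prone, so here is the same edit done programmatically. This is an added example written for this page, not the gist's script nor the one linked in the comments: it parses the Preferences file, deletes every `"<scheme>": false` entry for the scheme names the step above names, writes the file back (keeping a `.bak` copy) and returns how many opt-ins it removed. It walks the whole tree rather than assuming where Chrome stores the entries (in current builds that is `protocol_handler.excluded_schemes`, which is an assumption of this example, not something the gist states). `SAMPLE_PREFS` is a constructed fragment for the demonstration. Quit Chrome before running it, or Chrome will overwrite the file.

```python
import json
import shutil

# Scheme names the gist says to look for; add your white label's scheme here.
ZOOM_SCHEMES = {"zoommtg", "zoomrc", "zhumu"}


def remove_scheme_opt_ins(node, schemes=ZOOM_SCHEMES):
    """Walk a parsed Preferences tree and delete every key in `schemes`
    whose value is false (Chrome's "always open without asking" marker).
    Returns the number of entries removed. Keys with other values are kept."""
    removed = 0
    if isinstance(node, dict):
        for key in [k for k, v in node.items() if k in schemes and v is False]:
            del node[key]
            removed += 1
        for child in node.values():
            removed += remove_scheme_opt_ins(child, schemes)
    elif isinstance(node, list):
        for child in node:
            removed += remove_scheme_opt_ins(child, schemes)
    return removed


def clean_preferences_file(path, schemes=ZOOM_SCHEMES):
    """Rewrite the Preferences file in place (after backing it up to path.bak)
    and return the number of opt-ins removed. Chrome must not be running."""
    with open(path, encoding="utf-8") as fh:
        prefs = json.load(fh)
    removed = remove_scheme_opt_ins(prefs, schemes)
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(prefs, fh, separators=(",", ":"))  # Chrome writes compact JSON
    return removed


# Constructed sample resembling the relevant part of a Chrome Preferences file
# (the assumed protocol_handler.excluded_schemes layout, plus a decoy).
SAMPLE_PREFS = {
    "protocol_handler": {
        "excluded_schemes": {"zoommtg": False, "mailto": False, "zhumu": False}
    },
    "other": {"zoomrc": True},  # not an opt-in (value is not false); must survive
}


def clean_sample():
    """Run the cleaner over a fresh copy of SAMPLE_PREFS and return (removed, tree)."""
    prefs = json.loads(json.dumps(SAMPLE_PREFS))
    return remove_scheme_opt_ins(prefs), prefs


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        print(f"removed {clean_preferences_file(path)} opt-in(s) from {path}")
    else:
        removed, prefs = clean_sample()
        print(f"sample: removed {removed}; remaining: {json.dumps(prefs)}")
```

Pass the "Preferences" file path found in step 1 as the only argument; with no argument it runs against the constructed sample.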

For Firefox:

  1. Open Firefox's Preferences.
  2. Search for the string Applications using "Find in Preferences".
  3. If you see a table with the headers "Content Type" and "Action", find the rows labeled zoommtg, zoomrc, or zhumu, or whatever likely coincides with your white labelled application. If any exist, set their action to "Always ask".

In any case, refrain from checking the box in a modal dialog to opt you back into this behavior in the future. Safari is currently the only known popular browser to not allow you to shoot yourself in the foot this way.


If you are aware of any other rebranded Zoom applications not covered here, please let me know.

Running something like lsof +c 15 -i :19400-19500 (look for any FooOpener processes) or scanning with the YARA rules below may find more. If you find any not in this list, please email, tweet, or call me so we can investigate it further.

```yara
private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries (copied from Apple's XProtect)"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or
        uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or
        uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}

rule ZoomDaemon
{
    meta:
        description = "ZoomDaemon and its whitelabels"
    strings:
        $ = "zLocalHostWrapper"
        $ = "ZMClientHelper"
        $ = "ZMLocalHostMgr"
    condition:
        Macho and all of them
}
```
@SteveAlexander

you're missing a semicolon: rm -rf ~/.ringcentralopener touch ~/.ringcentralopener

@karanlyons
Author

@SteveAlexander Thanks so much for catching that! Fixed.

@ewilfong

ewilfong commented Jul 9, 2019

Would suggest adding a step to the Chrome instructions to explicitly close Chrome. Otherwise Chrome will overwrite the changes you make to the Preferences file.

@magicalraccoon

Thanks for the workaround, great work!

@Ethanb00

Ethanb00 commented Jul 9, 2019

automated process for Chrome (in case you have users who aren't savvy with manually editing stuff)
https://gist.github.com/Ethanb00/7cc4ba6200cdfdbcae53136a4c89663d

@salaheldinaz

Thanks @karanlyons

@machale

machale commented Jul 10, 2019

IIUC, updating to the latest version of Zoom (just released last night/yesterday) will remove the localhost web server. So if updating is an option for you, that's probably best. (I have no info about the RingCentral version.) See https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

However, even after updating, the info on this page about Chrome/Firefox config is still useful since you can still be auto-joined to a meeting. For most people, this is probably not a huge deal since it’s pretty obvious when Zoom starts on your desktop. But someone could potentially see your video until you leave that meeting (if your default Zoom config is to show your video). To change your default video settings, see https://support.zoom.us/hc/en-us/articles/203024649-Video-Or-Microphone-Off-By-Attendee

To test your config, you can use the proof of concept link from the original article on medium.com.
Article: https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
Proof of concept link (intentionally broken here, you need to copy/repair the link yourself to use it): https://jlleitschuh DOT org/zoom_vulnerability_poc/zoompwn_iframe.html

@nuvs

nuvs commented Jul 12, 2019

Thanks @karanlyons for putting this guide together. I was able to confirm I've got the patches from .

Love your writing style! 💯

@evejweinberg

Can you explain how to "Navigate to chrome://version/ " on mac?

@karanlyons
Author

If you enter that URL into your address bar and hit enter you should load up a page with some text giving you some handy information.

@buzzaz

buzzaz commented Jul 16, 2019

Thanks @karanlyons! This line did the trick: softwareupdate -ia --include-config-data

@ewenmcneill

In case it helps anyone else, for this step:

Find any and all MRTConfigData related updates (such as MRTConfigData_10_14-1.4), and install them with softwareupdate -i [package_name]

I found that the package name needed was MRTConfigData_10_14-1.47 (there's a typo in the gist, missing the final "7" AFAICT), and it was necessary to specify --include-config-data even on the specific package install, ie:

softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data

worked. (Of note, the install process took several seconds -- after the download --- possibly the MRT does a scan immediately when its config data is updated.)

Thanks for writing up the steps to check if the update was installed, and to install it manually if needed.

Ewen

ewen@ashram:~$ softwareupdate --list --include-config-data
Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * MRTConfigData_10_14-1.47
	MRTConfigData (1.47), 4035K [recommended]
ewen@ashram:~$ softwareupdate -i MRTConfigData_10_14-1.47
Software Update Tool

MRTConfigData_10_14-1.47: No such update
No updates are available.
ewen@ashram:~$ softwareupdate -i MRTConfigData_10_14-1.4
Software Update Tool

MRTConfigData_10_14-1.4: No such update
No updates are available.
ewen@ashram:~$ softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data
Software Update Tool


Downloading MRTConfigData
Downloaded MRTConfigData
Installing MRTConfigData
Done with MRTConfigData
Done.
ewen@ashram:~$ 

@karanlyons
Author

@ewenmcneill Thanks for catching the typo, should be fixed now.


ghost commented Apr 16, 2020

is this not necessary anymore with Chrome version 77 ~ latest?

@JLLeitschuh

This isn't necessary since late July when Zoom fixed the issue.


ghost commented Apr 16, 2020

Thank you very much for telling, @JLLeitschuh
