Skip to content

Instantly share code, notes, and snippets.

@karanlyons
Last active August 5, 2024 23:37
Show Gist options
  • Save karanlyons/1fde1c63bd7bb809b04323be3f519f7e to your computer and use it in GitHub Desktop.
Save karanlyons/1fde1c63bd7bb809b04323be3f519f7e to your computer and use it in GitHub Desktop.
Fixes for Zoom, RingCentral, Zhumu (and additional white labels) RCE vulnerabilities

(Subscribe to this gist for any updates as we get them.)

If you're using macOS, Apple has pushed an update that will remove the 14 known web servers for you. To check if you already have it:

/usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString

If the latest version you have installed is 1.47, you should be secure against the vulnerability in these applications. If necessary, you may run an MRT scan yourself:

sudo /System/Library/CoreServices/MRT.app/Contents/MacOS/mrt -a

If your latest version is for some reason out of date, you can force an update of MRTConfigData:

  1. Run softwareupdate --list --include-config-data
  2. Find any and all MRTConfigData related updates (such as MRTConfigData_10_14-1.47), and install them with softwareupdate -i [package_name] --include-config-data

or

  1. Force an install of all available updates: softwareupdate -ia --include-config-data

The latest versions of both Zoom and RingCentral will also remove the servers themselves, so if you still have either application installed, check to be sure it's up to date.


To remove all the known daemons manually, run these commands in your Terminal:

# Removed by MRT 1.45
rm -rf ~/.zoomus; touch ~/.zoomus && chmod 555 ~/.zoomus; pkill "ZoomOpener"

# Removed by MRT 1.46
rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 555 ~/.ringcentralopener; pkill "RingCentralOpener"
rm -rf ~/.telusmeetingsopener; touch ~/.telusmeetingsopener && chmod 555 ~/.telusmeetingsopener; pkill "TelusMeetingsOpener"
rm -rf ~/.btcloudphonemeetingsopener; touch ~/.btcloudphonemeetingsopener && chmod 555 ~/.btcloudphonemeetingsopener; pkill "BTCloudPhoneMeetingsOpener"
rm -rf ~/.officesuitehdmeetingopener; touch ~/.officesuitehdmeetingopener && chmod 555 ~/.officesuitehdmeetingopener; pkill "OfficeSuiteHDMeetingOpener"
rm -rf ~/.attvideomeetingsopener; touch ~/.attvideomeetingsopener && chmod 555 ~/.attvideomeetingsopener; pkill "ATTVideoMeetingsOpener"
rm -rf ~/.bizconfopener; touch ~/.bizconfopener && chmod 555 ~/.bizconfopener; pkill "BizConfOpener"
rm -rf ~/.huihuiopener; touch ~/.huihuiopener && chmod 555 ~/.huihuiopener; pkill "HuihuiOpener"
rm -rf ~/.umeetingopener; touch ~/.umeetingopener && chmod 555 ~/.umeetingopener; pkill "UMeetingOpener"
rm -rf ~/.zhumuopener; touch ~/.zhumuopener && chmod 555 ~/.zhumuopener; pkill "ZhumuOpener"
rm -rf ~/.zoomcnopener; touch ~/.zoomcnopener && chmod 555 ~/.zoomcnopener; pkill "ZoomCNOpener"

# Removed by MRT 1.47
rm -rf ~/.accessionmeetingopener; touch ~/.accessionmeetingopener && chmod 555 ~/.accessionmeetingopener; pkill "AccessionMeetingOpener"
rm -rf ~/.videoconferenciatelmexopener; touch ~/.videoconferenciatelmexopener && chmod 555 ~/.videoconferenciatelmexopener; pkill "VideoConferenciaTelmexOpener"
rm -rf ~/.earthlinkmeetingroomopener; touch ~/.earthlinkmeetingroomopener && chmod 555 ~/.earthlinkmeetingroomopener; pkill "EarthLinkMeetingRoomOpener"

These commands do the same thing for each of the known white labels of Zoom. They remove the web server if it exists at the hidden directory, and create an empty file and set permissions on it such that the hidden server cannot be reinstalled back to that location. Finally they kill the server if it is running.


If you're using Safari on macOS you're now good to go. However if you're using any other browser (even on other operating systems) you may still see a link immediately open Zoom (or another app) for you. This is not the same vulnerability (no RCE), and is in fact one you yourself opted into, though you may not have realized it. This will occur if you ever checked a box on a pop-up window for a Zoom meeting link that said something like "Always open these links in Zoom".

Here's how to undo that.

For Chrome:

  1. Navigate to chrome://version/ and find the path listed under "Profile Path".
  2. Quit Chrome, open that directory, and then open the "Preferences" file.
  3. This is a JSON file. Look for the strings similar to "zoommtg":false, "zoomrc":false, "zhumu":false, or whatever likely coincides with your white labelled application. If either exist, remove them. If there is a comma immediately after either string, remove it as well.
  4. Save the file.

For Firefox:

  1. Open Firefox's Preferences.
  2. Search for the string Applications using "Find in Preferences".
  3. If you see a table with the headers "Content Type" and "Action", find the rows labeled zoommtg, zoomrc, or zhumu, or whatever likely coincides with your white labelled application. If any exist, set their action to "Always ask"

In any case, refrain from checking the box in a modal dialog to opt you back into this behavior in the future. Safari is currently the only known popular browser to not allow you to shoot yourself in the foot this way.


If you are aware of any other rebranded Zoom applications not covered here, please let me know.

Running something like lsof +c 15 -i :19400-19500 (look for any FooOpeners) or using the below yara rules may find more. If you find any not in this list, please email, tweet, or call me so we can investigate it further.

private rule Macho
{
meta:
description = "private rule to match Mach-O binaries (copied from Apple's XProtect)"
condition:
uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
rule ZoomDaemon
{
meta:
description = "ZoomDaemon and its whitelabels"
strings:
$ = "zLocalHostWrapper"
$ = "ZMClientHelper"
$ = "ZMLocalHostMgr"
condition:
Macho and all of them
}
@SteveAlexander
Copy link

you're missing a semicolon: rm -rf ~/.ringcentralopener touch ~/.ringcentralopener

@karanlyons
Copy link
Author

@SteveAlexander Thanks so much for catching that! Fixed.

@ewilfong
Copy link

ewilfong commented Jul 9, 2019

Would suggest adding a step to the Chrome instructions to explicitly close Chrome. Otherwise Chrome will overwrite the changes you make to the Preferences file.

@magicalraccoon
Copy link

Thanks for the workaround, great work!

@Ethanb00
Copy link

Ethanb00 commented Jul 9, 2019

automated process for Chrome (in case you have users who aren't savvy with manually editing stuff)
https://gist.github.com/Ethanb00/7cc4ba6200cdfdbcae53136a4c89663d

@salaheldinaz
Copy link

Thanks @karanlyons

@machale
Copy link

machale commented Jul 10, 2019

IIUC, updating to the latest version of Zoom (just released last night/yesterday) will remove the localhost web server. So if updating is an option for you, that's probably best. (I have no info about the RingCentral version.) See https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

However, even after updating, the info on this page about Chrome/Firefox config is still useful since you can still be auto-joined to a meeting. For most people, this is probably not a huge deal since it’s pretty obvious when Zoom starts on your desktop. But someone could potentially see your video until you leave that meeting (if your default Zoom config is to show your video). To change your default video settings, see https://support.zoom.us/hc/en-us/articles/203024649-Video-Or-Microphone-Off-By-Attendee

To test your config, you can use the proof of concept link from the original article on medium.com.
Article: https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
Proof of concept link (intentionally broken here, you need to copy/repair the link yourself to use it): https://jlleitschuh DOT org/zoom_vulnerability_poc/zoompwn_iframe.html

@nuvs
Copy link

nuvs commented Jul 12, 2019

Thanks @karanlyons for putting this guide together. I was able to confirm I've got the patches from .

Love your writing style! 💯

@evejweinberg
Copy link

Can you explain how to "Navigate to chrome://version/ " on mac?

@karanlyons
Copy link
Author

If you enter that URL into your address bar and hit enter you should load up a page with some text giving you some handy information.

@buzzaz
Copy link

buzzaz commented Jul 16, 2019

Thanks @karanlyons! This line did the trick: softwareupdate -ia --include-config-data

@ewenmcneill
Copy link

In case it helps anyone else, for this step:

Find any and all MRTConfigData related updates (such as MRTConfigData_10_14-1.4), and install them with softwareupdate -i [package_name]

I found that the package name needed was MRTConfigData_10_14-1.47 (there's a typo in the gist, missing the final "7" AFAICT), and it was necessary to specify --include-config-data even on the specific package install, ie:

softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data

worked. (Of note, the install process took several seconds -- after the download --- possibly the MRT does a scan immediately when its config data is updated.)

Thanks for writing up the steps to check if the update was installed, and to install it manually if needed.

Ewen

ewen@ashram:~$ softwareupdate --list --include-config-data
Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * MRTConfigData_10_14-1.47
	MRTConfigData (1.47), 4035K [recommended]
ewen@ashram:~$ softwareupdate -i MRTConfigData_10_14-1.47
Software Update Tool

MRTConfigData_10_14-1.47: No such update
No updates are available.
ewen@ashram:~$ softwareupdate -i MRTConfigData_10_14-1.4
Software Update Tool

MRTConfigData_10_14-1.4: No such update
No updates are available.
ewen@ashram:~$ softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data
Software Update Tool


Downloading MRTConfigData
Downloaded MRTConfigData
Installing MRTConfigData
Done with MRTConfigData
Done.
ewen@ashram:~$ 

@karanlyons
Copy link
Author

@ewenmcneill Thanks for catching the typo, should be fixed now.

Copy link

ghost commented Apr 16, 2020

is this not necessary anymore with Chrome version 77 ~ latest?

@JLLeitschuh
Copy link

This isn't necessary since late July when Zoom fixed the issue.

Copy link

ghost commented Apr 16, 2020

Thank you very much for telling, @JLLeitschuh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment