@karanlyons
Last active July 12, 2021 14:07
Fixes for Zoom, RingCentral, Zhumu (and additional white labels) RCE vulnerabilities

(Subscribe to this gist for any updates as we get them.)

If you're using macOS, Apple has pushed an update that will remove the 14 known web servers for you. To check if you already have it:

/usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString

If the latest version you have installed is 1.47, you should be secure against the vulnerability in these applications. If necessary, you may run an MRT scan yourself:

sudo /System/Library/CoreServices/MRT.app/Contents/MacOS/mrt -a

If your latest version is for some reason out of date, you can force an update of MRTConfigData:

  1. Run softwareupdate --list --include-config-data
  2. Find any and all MRTConfigData related updates (such as MRTConfigData_10_14-1.47), and install them with softwareupdate -i [package_name] --include-config-data

or

  1. Force an install of all available updates: softwareupdate -ia --include-config-data

The latest versions of both Zoom and RingCentral will also remove the servers themselves, so if you still have either application installed, check to be sure it's up to date.
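The version check above, as an added helper script (it is not part of this gist): it reads the MRT version with the same `defaults read` command, compares it field by field against the 1.47 minimum the text gives, and tells you whether MRT already covers the known servers or whether you still need to update MRTConfigData or remove the servers by hand. The plist path and the 1.47 baseline are taken from the text; the function names are my own.

```shell
# Added example: check whether the installed MRT config data is new enough
# (>= 1.47) to have removed the known Zoom/white-label web servers.
MRT_PLIST=/System/Library/CoreServices/MRT.app/Contents/Info.plist
MRT_MIN_VERSION=1.47   # version at which MRT removes all 14 known servers

# version_ge A B: succeed when dotted version A is >= B, comparing each
# numeric field in turn (so 1.10 > 1.9, and 2.0 > 1.47).
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; ai=${ai:-0}
    bi=${b%%.*}; bi=${bi:-0}
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    # drop the field just compared; a version without a dot is exhausted
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# mrt_installed_version: print the MRT version from its Info.plist, or fail
# when MRT is not present (for example on a non-macOS machine).
mrt_installed_version() {
  [ -r "$MRT_PLIST" ] || return 1
  /usr/bin/defaults read "$MRT_PLIST" CFBundleShortVersionString
}

# mrt_covers_zoom_servers [version]: succeed when the given version (or the
# installed one, if no argument) is at least MRT_MIN_VERSION.
mrt_covers_zoom_servers() {
  v=${1:-$(mrt_installed_version)} || return 1
  [ -n "$v" ] || return 1
  version_ge "$v" "$MRT_MIN_VERSION"
}

if mrt_covers_zoom_servers; then
  echo "MRT $(mrt_installed_version) >= $MRT_MIN_VERSION: known web servers are removed by MRT"
else
  echo "MRT missing or older than $MRT_MIN_VERSION: update MRTConfigData (softwareupdate --list --include-config-data) or remove the servers manually"
fi
```

Run it as a plain script on the Mac in question; the final message tells you which of the two paths in the text applies.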


To remove all the known daemons manually, run these commands in your Terminal:

# Removed by MRT 1.45
rm -rf ~/.zoomus; touch ~/.zoomus && chmod 555 ~/.zoomus; pkill "ZoomOpener"

# Removed by MRT 1.46
rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 555 ~/.ringcentralopener; pkill "RingCentralOpener"
rm -rf ~/.telusmeetingsopener; touch ~/.telusmeetingsopener && chmod 555 ~/.telusmeetingsopener; pkill "TelusMeetingsOpener"
rm -rf ~/.btcloudphonemeetingsopener; touch ~/.btcloudphonemeetingsopener && chmod 555 ~/.btcloudphonemeetingsopener; pkill "BTCloudPhoneMeetingsOpener"
rm -rf ~/.officesuitehdmeetingopener; touch ~/.officesuitehdmeetingopener && chmod 555 ~/.officesuitehdmeetingopener; pkill "OfficeSuiteHDMeetingOpener"
rm -rf ~/.attvideomeetingsopener; touch ~/.attvideomeetingsopener && chmod 555 ~/.attvideomeetingsopener; pkill "ATTVideoMeetingsOpener"
rm -rf ~/.bizconfopener; touch ~/.bizconfopener && chmod 555 ~/.bizconfopener; pkill "BizConfOpener"
rm -rf ~/.huihuiopener; touch ~/.huihuiopener && chmod 555 ~/.huihuiopener; pkill "HuihuiOpener"
rm -rf ~/.umeetingopener; touch ~/.umeetingopener && chmod 555 ~/.umeetingopener; pkill "UMeetingOpener"
rm -rf ~/.zhumuopener; touch ~/.zhumuopener && chmod 555 ~/.zhumuopener; pkill "ZhumuOpener"
rm -rf ~/.zoomcnopener; touch ~/.zoomcnopener && chmod 555 ~/.zoomcnopener; pkill "ZoomCNOpener"

# Removed by MRT 1.47
rm -rf ~/.accessionmeetingopener; touch ~/.accessionmeetingopener && chmod 555 ~/.accessionmeetingopener; pkill "AccessionMeetingOpener"
rm -rf ~/.videoconferenciatelmexopener; touch ~/.videoconferenciatelmexopener && chmod 555 ~/.videoconferenciatelmexopener; pkill "VideoConferenciaTelmexOpener"
rm -rf ~/.earthlinkmeetingroomopener; touch ~/.earthlinkmeetingroomopener && chmod 555 ~/.earthlinkmeetingroomopener; pkill "EarthLinkMeetingRoomOpener"

Each line does the same thing for one of the known Zoom white labels: it removes the web server's hidden directory if it exists, replaces it with an empty file whose permissions (555) stop the server from being reinstalled at that path, and finally kills the server process if it is running.
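The same removal, as an added example that is not part of this gist: the three-step one-liner becomes a function that refuses anything other than a dot-prefixed name (so an empty argument can never turn `rm -rf` loose on your home directory), the 14 directory/process pairs from the list above become a table, and a second function verifies that the sentinel file is actually in place with mode r-xr-xr-x. The names are the ones listed above; the function names and the `HOME` override are mine.

```shell
# Added example: the gist's removal commands as reusable, checkable functions.

# neutralize_opener <hidden-dir-name> <process-name>
#   1. delete the hidden directory the web server lives in, if present
#   2. leave an empty, non-writable (555) file at that path so the installer
#      cannot recreate the directory
#   3. kill the server if it is still running (pkill matches the process
#      name, exactly as the gist's commands do)
neutralize_opener() {
  case $1 in
    .?*) ;;
    *) echo "refusing: directory name must start with a dot" >&2; return 2 ;;
  esac
  dir="$HOME/$1"; proc="$2"
  rm -rf "$dir"
  touch "$dir" && chmod 555 "$dir"
  if command -v pkill >/dev/null 2>&1; then
    pkill "$proc" >/dev/null 2>&1 || true   # nothing running is not an error
  fi
}

# opener_blocked <hidden-dir-name>: succeed only when the sentinel is a regular
# file (not a directory or symlink) with mode r-xr-xr-x.
opener_blocked() {
  path="$HOME/$1"
  [ -f "$path" ] && [ ! -L "$path" ] || return 1
  [ "$(ls -ld "$path" | cut -c1-10)" = "-r-xr-xr-x" ]
}

# The gist's full list as "hidden-directory process-name" pairs.
KNOWN_OPENERS='
.zoomus ZoomOpener
.ringcentralopener RingCentralOpener
.telusmeetingsopener TelusMeetingsOpener
.btcloudphonemeetingsopener BTCloudPhoneMeetingsOpener
.officesuitehdmeetingopener OfficeSuiteHDMeetingOpener
.attvideomeetingsopener ATTVideoMeetingsOpener
.bizconfopener BizConfOpener
.huihuiopener HuihuiOpener
.umeetingopener UMeetingOpener
.zhumuopener ZhumuOpener
.zoomcnopener ZoomCNOpener
.accessionmeetingopener AccessionMeetingOpener
.videoconferenciatelmexopener VideoConferenciaTelmexOpener
.earthlinkmeetingroomopener EarthLinkMeetingRoomOpener
'

# neutralize_all_known: apply neutralize_opener to every pair in the table.
neutralize_all_known() {
  printf '%s\n' "$KNOWN_OPENERS" | while read -r dir proc; do
    [ -n "$dir" ] || continue
    neutralize_opener "$dir" "$proc"
  done
}

# count_unblocked: print how many of the known paths still lack a sentinel.
count_unblocked() {
  n=0
  for dir in $(printf '%s\n' "$KNOWN_OPENERS" | awk 'NF { print $1 }'); do
    opener_blocked "$dir" || n=$((n + 1))
  done
  echo "$n"
}

# Report only; call neutralize_all_known yourself once you have read the list.
echo "$(count_unblocked) of 14 known opener paths are not yet blocked in $HOME"
```

Running the script as-is only reports; source it and call `neutralize_all_known` to perform the removal, then run `count_unblocked` again and expect 0.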


If you're using Safari on macOS you're now good to go. However if you're using any other browser (even on other operating systems) you may still see a link immediately open Zoom (or another app) for you. This is not the same vulnerability (no RCE), and is in fact one you yourself opted into, though you may not have realized it. This will occur if you ever checked a box on a pop-up window for a Zoom meeting link that said something like "Always open these links in Zoom".

Here's how to undo that.

For Chrome:

  1. Navigate to chrome://version/ and find the path listed under "Profile Path".
  2. Quit Chrome, open that directory, and then open the "Preferences" file.
  3. This is a JSON file. Look for strings similar to "zoommtg":false, "zoomrc":false, "zhumu":false, or whatever likely corresponds to your white labelled application. If any exist, remove them. If there is a comma immediately after any of those strings, remove it as well.
  4. Save the file.

For Firefox:

  1. Open Firefox's Preferences.
  2. Search for the string Applications using "Find in Preferences".
  3. If you see a table with the headers "Content Type" and "Action", find the rows labeled zoommtg, zoomrc, or zhumu, or whatever likely corresponds to your white labelled application. If any exist, set their action to "Always ask".

In any case, refrain from checking the box in a modal dialog to opt you back into this behavior in the future. Safari is currently the only known popular browser to not allow you to shoot yourself in the foot this way.


If you are aware of any other rebranded Zoom applications not covered here, please let me know.

Running something like lsof +c 15 -i :19400-19500 (look for any FooOpeners) or using the YARA rules below may find more. If you find any not in this list, please email, tweet, or call me so we can investigate further.

private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries (copied from Apple's XProtect)"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}

rule ZoomDaemon
{
    meta:
        description = "ZoomDaemon and its whitelabels"
    strings:
        $ = "zLocalHostWrapper"
        $ = "ZMClientHelper"
        $ = "ZMLocalHostMgr"
    condition:
        Macho and all of them
}
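The lsof check mentioned above, as an added example (not part of this gist): rather than eyeballing the output for names ending in "Opener", this reduces `lsof +c 15 -i :19400-19500` output to "command pid port" for every listening socket in that range. One caveat worth building in: `+c 15` truncates command names to 15 characters, so "RingCentralOpener" shows up as "RingCentralOpen" and the longer white-label names lose their "Opener" suffix entirely. Listing every listener in the range and reviewing them is therefore more reliable than grepping for "Opener". The lsof flags are the gist's; the sample output is constructed for illustration and is not captured from a real host.

```shell
# Added example: list every listening socket in the port range the gist names.

# range_listeners: read lsof -i style lines on stdin and print
# "COMMAND PID PORT" for each LISTEN socket whose port is in 19400..19500.
range_listeners() {
  awk -v lo=19400 -v hi=19500 '
    $NF != "(LISTEN)" { next }            # skips the header and ESTABLISHED rows
    {
      port = $(NF - 1)                    # e.g. localhost:19421, *:19450, [::1]:19421
      sub(/.*:/, "", port)                # keep only the port number
      if (port + 0 >= lo && port + 0 <= hi) print $1, $2, port
    }'
}

# live_range_listeners: run the gist's lsof command and filter it. lsof is
# absent on some systems and exits non-zero when nothing matches; both cases
# simply produce no output.
live_range_listeners() {
  if command -v lsof >/dev/null 2>&1; then
    lsof +c 15 -i :19400-19500 2>/dev/null | range_listeners
  fi
}

# Constructed sample of lsof +c 15 output (note the 15-character truncation of
# "RingCentralOpener"); not real data.
SAMPLE_LSOF='COMMAND          PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpener      4242 alice    5u  IPv4 0xabc      0t0  TCP localhost:19421 (LISTEN)
ZoomOpener      4242 alice    6u  IPv4 0xabd      0t0  TCP localhost:19421->localhost:50012 (ESTABLISHED)
RingCentralOpen 4311 alice    5u  IPv4 0xabe      0t0  TCP localhost:19424 (LISTEN)
node            5001 alice   22u  IPv4 0xabf      0t0  TCP *:19450 (LISTEN)
sshd             812 root     3u  IPv6 0xac0      0t0  TCP *:22 (LISTEN)'

echo "Listeners in 19400-19500 from the constructed sample:"
printf '%s\n' "$SAMPLE_LSOF" | range_listeners
echo "Listeners in 19400-19500 on this host (empty if none or no lsof):"
live_range_listeners
```

Anything the live list shows that you cannot account for is worth a closer look with the YARA rules above, whether or not its name happens to end in "Opener".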
@karanlyons (Author)

@ewenmcneill Thanks for catching the typo, should be fixed now.


ghost commented Apr 16, 2020

is this not necessary anymore with Chrome version 77 ~ latest?

@JLLeitschuh

This isn't necessary since late July when Zoom fixed the issue.


ghost commented Apr 16, 2020

Thank you very much for telling, @JLLeitschuh
