Zoom Endpoint-Security Considerations

Category: IT Technology · Published: 4 years ago


Who put the "Zoo" in "Zoom"?

What I keep hearing these days is:

"We/I do not use Zoom for confidential conversations."


But what if someone cares not only about the confidentiality of a Zoom session but also about the integrity of his or her own endpoint device? It is not only the spoken word of a group within a Zoom session that is at stake; it is also the integrity and confidentiality of everything a conference participant has stored on their computer.

Thus, I spent two evenings (I think around 5-6 h in total) looking at Zoom for Windows, statically only; I did not perform a runtime analysis. In this report I summarize what I have seen. I'm pretty confident that this is only the tip of the iceberg. Just imagine what could be possible for a security analyst with time and a budget... I explicitly did not look for everything that is related to the disclosure of sensitive information to 3rd parties (e.g. leaking information to Facebook).

This report is very superficial and does not go into detail, because I did this in my spare time and I do not intend to spend more time on it. My goal is to point out the overall code quality, the adherence to secure programming guidelines, and the existing or missing software maintenance (which is necessary especially when using lots of 3rd-party libraries).


Ancient 32-Bit application

Seriously? Why?! Windows has shipped 64-bit editions to the mainstream since Windows 7, and with them security enhancements that a 32-bit process never gets: above all a far larger address space, which gives ASLR much more entropy to work with (high-entropy ASLR, introduced with Windows 8, applies to 64-bit images only), so that the predictable-address tricks of 32-bit exploitation stop working. That was 2009, eleven years ago. These days even Windows 7 is end-of-life, yet in 2020 Zoom still ships (only) 32-bit applications on Windows.
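A quick way to check this claim for any Windows binary, not just Zoom's, is to read the PE headers: the COFF Machine field tells you whether the image is 32- or 64-bit, and the DllCharacteristics field of the optional header tells you which loader mitigations the linker opted into (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP, HIGH_ENTROPY_VA, GUARD_CF). The script below is an added example written for this edit, not code from the article or from Zoom; it uses only the Python standard library, and the sample images it builds are constructed header-only stubs, not real Zoom files.

```python
"""Read architecture and loader mitigations from a PE image's headers.

Added example (not from the article or Zoom). Offsets follow the PE/COFF
specification: e_lfanew at 0x3C, a 20-byte COFF header after the "PE" plus
two NUL signature, then IMAGE_OPTIONAL_HEADER, whose DllCharacteristics
field sits at offset 70 for both PE32 and PE32+.
"""
import struct
import sys

MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x64", 0xAA64: "ARM64"}

# IMAGE_DLLCHARACTERISTICS_* bits that matter for exploit mitigations.
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",   # honoured for 64-bit images only
    0x0040: "DYNAMIC_BASE",      # ASLR opt-in
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",         # DEP opt-in
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",          # Control Flow Guard
}


def inspect_pe(data: bytes) -> dict:
    """Return machine type and mitigation flags for the PE image in data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    opt = pe_off + 24                                   # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]      # 0x10B PE32 / 0x20B PE32+
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    flags = sorted(name for bit, name in DLL_FLAGS.items() if dllchars & bit)
    pe32plus = magic == 0x20B
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": pe32plus,
        "dll_characteristics": flags,
        "aslr": "DYNAMIC_BASE" in flags,
        # The loader ignores HIGH_ENTROPY_VA on 32-bit images.
        "high_entropy_aslr": pe32plus and "HIGH_ENTROPY_VA" in flags,
        "dep": "NX_COMPAT" in flags,
        "cfg": "GUARD_CF" in flags,
    }


def build_sample_pe(machine: int, pe32plus: bool, dllchars: int) -> bytes:
    """Constructed header-only image for the demo (not a loadable PE)."""
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pecheck.py <file.exe|file.dll>. Without a path, inspect a
    # constructed 32-bit sample that has ASLR and DEP but, being 32-bit,
    # cannot get high-entropy ASLR.
    if len(sys.argv) > 1:
        image = open(sys.argv[1], "rb").read()
    else:
        image = build_sample_pe(0x14C, False, 0x0040 | 0x0100)
    print(inspect_pe(image))
```

Run it with the path of an .exe or .dll to inspect a real file. It reports what the linker wrote into the header; whether a process actually runs with a mitigation also depends on system policy, and HIGH_ENTROPY_VA only takes effect for 64-bit images, which is exactly why a 32-bit build is already behind before the first line of its code runs.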

zData.dll

Usage of components with known vulnerabilities: OpenSSL

zData.dll uses an outdated OpenSSL library: OpenSSL 1.0.2o 27 Mar 2018

OpenSSL 1.0.2 has been end-of-life since 31 December 2019; vulnerabilities found in it from now on will not be fixed. On top of that, 1.0.2o is not even the last release of that branch: 1.0.2p through 1.0.2u (August 2018 to December 2019) fixed several CVEs that this build still carries.

Current project status:

see: https://www.openssl.org/policies/releasestrat.html

or

see: https://endoflife.software/applications/security-libraries/openssl

Concatenation of SQL Statements

In zData.dll, an SQLite backend is used to store various session data and configuration in an encrypted SQLite database. On several occasions in the code, SQL statements are apparently assembled by plain string concatenation, as the two disassembly excerpts below illustrate:

(Example 1 and Example 2: screenshots of the disassembled code concatenating SQL statement fragments; not reproduced here.)

Whether this is exploitable does not depend on the implementation of the += operator but on where the concatenated values come from: if any of them can be influenced by another party (meeting metadata, display names or chat content would be the usual suspects), zData.dll abets SQL injection, which can lead to information disclosure or tampering with the stored data, and in the worst case to execution of arbitrary code on Zoom endpoints. The SQLite C API offers prepared statements with bound parameters (sqlite3_prepare_v2() followed by sqlite3_bind_*()) precisely so that statement text and data never mix.
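To make the consequence concrete, here is an added example in Python (chosen because its sqlite3 module runs anywhere; it is not Zoom's code, and the table names, rows and payload are constructed for the demo): the same lookup once built with += and once with a bound parameter, run against an in-memory SQLite database.

```python
"""String-built SQL versus bound parameters against an SQLite store.

Added example, not Zoom code: a stand-in "history" table mimics a client
side session store so the effect of concatenating a statement with += can
be shown next to the safe form. Schema, rows and payload are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database: a history table plus a table that
    # stands in for the sensitive data the article suspects is kept there.
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE history(meeting_id TEXT, display_name TEXT, topic TEXT);
        CREATE TABLE secrets(name TEXT, value TEXT);
        INSERT INTO history VALUES ('111', 'alice', 'budget review');
        INSERT INTO history VALUES ('222', 'bob', 'all hands');
        INSERT INTO secrets VALUES ('db_key', 'hunter2');
        """
    )
    return con


def lookup_concat(con: sqlite3.Connection, meeting_id: str) -> list:
    """Vulnerable: the statement text is assembled with +=.

    A quote inside meeting_id terminates the literal and the rest of the
    string is parsed as SQL, so the caller's data rewrites the query.
    """
    sql = "SELECT topic FROM history WHERE meeting_id = '"
    sql += meeting_id
    sql += "'"
    return [row[0] for row in con.execute(sql)]


def lookup_bound(con: sqlite3.Connection, meeting_id: str) -> list:
    """Safe: constant statement, value passed as a bound parameter.

    The equivalent in the C API a native client would use is
    sqlite3_prepare_v2() followed by sqlite3_bind_text(); the value is
    never parsed as SQL, whatever characters it contains.
    """
    sql = "SELECT topic FROM history WHERE meeting_id = ?"
    return [row[0] for row in con.execute(sql, (meeting_id,))]


# Constructed attacker value: closes the literal, appends a UNION that reads
# the other table, and comments out the trailing quote the code appends.
PAYLOAD = "' UNION SELECT value FROM secrets --"


def demo() -> dict:
    """Run both lookups with a benign id and with the injection payload."""
    con = make_db()
    return {
        "concat_benign": lookup_concat(con, "111"),
        "concat_payload": lookup_concat(con, PAYLOAD),   # leaks 'hunter2'
        "bound_benign": lookup_bound(con, "111"),
        "bound_payload": lookup_bound(con, PAYLOAD),     # no such meeting id
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

Note that encrypting the database file at rest changes nothing here: the statements execute inside the client process on decrypted data, so the only defence is to keep the statement text constant and pass every value through the bind API.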

Ah, well, and… is this, by any chance, a z oom c ryptographic d ecryption k ey for the encrypted SQLite database?


I really don't know. :-) However, encrypting the SQLite database does not prevent someone from getting access to the sensitive data stored in it: the key has to be available to the client process, and the SQL statements run on the decrypted data inside that process, so none of the concerns above go away. It seems like Zoom uses SQLite databases for storing history records, logs and probably also sensitive data such as passwords and/or cryptographic keys. I did not dive deeper into the usage of SQLite as a data container, but it is probably worth an exercise for the curious reader.

Zzhost.dll

Potential buffer overflow

While looking at the import table of the binary, I stumbled across an sprintf() call. sprintf() writes into its destination buffer without any length limit, which is why it is considered a dangerous function: Microsoft's compiler flags it as deprecated (warning C4996) and recommends the bounded variants, and static analysers flag it as well. It seems like such warnings do not bother the Zoom developers.


To exploit a call like this, it is necessary to control the contents of the source buffer (or the formatted arguments) so that the output exceeds the destination buffer. I did not verify whether malicious users can take control over the contents of this buffer. As this is a logging function, it might be possible for arbitrary attackers to influence the contents of the source buffer; then again, it may not be possible. Nonetheless, even opening this opportunity is very bad coding practice when bounded replacements (snprintf(), _snprintf_s(), StringCchPrintf()) have been available for years.

zCrashReport.exe

Windows Registry dump

The Windows Registry contains quite a lot of sensitive information, especially when it is read by a process running with elevated privileges.

I found these strings:

(screenshot of the strings, among them "Dumping registry keys"; not reproduced here)

"Dumping registry keys" sounds like a malicious function to me, so I tried to figure out whether it actually enumerates Windows registry keys and values. Indeed, this led me to Windows registry enumeration functions, e.g.:

(screenshot of the imported registry enumeration APIs; not reproduced here)

Screen Capture Function in Crash Reporter

zCrashReport.dll exposes the following functions:

(screenshot of the export table; not reproduced here)

In crashReport.exe, operating system APIs for capturing whole screens and individual windows are used.

(screenshot of the imported screen and window capture APIs; not reproduced here)

Does Zoom submit screen captures to its servers? That would come close to being classified as malware. At the very least, a crash reporter that captures the whole screen picks up the content of other applications' windows, which the user never intended to share with a vendor.

Airhost.exe

Usage of components with known vulnerabilities

Airhost.exe uses libcurl version 7.36.0 (released in March 2014). This version has known vulnerabilities.

see: https://curl.haxx.se/docs/vuln-7.36.0.html

libcurl can be built with libssh2 for SCP/SFTP support, and the libssh2 library that is linked into airhost.exe has known vulnerabilities as well:

see: https://www.securityfocus.com/bid/107485/info

These vulnerabilities may not be exposed or exploitable in the context of the Zoom app. Nonetheless, why would you use outdated and vulnerable libraries if you cared about your code at all? It is easier to use the latest version than to assess whether each vulnerability affects your app.

Airhost encryption/decryption with hardcoded passphrase

airhost.exe uses a constant value as the key for symmetric encryption: the SHA-256 of the string "0123425234234fsdfsdr3242" is used to initialize an OpenSSL EVP AES-256-CBC context for encryption and decryption of data, and the string "3423423432325249" is used as the constant IV. Both values are compiled into the binary, so anyone holding a copy of airhost.exe holds the key and can decrypt whatever it protects (CWE-321). With the IV fixed as well, encryption is deterministic: identical inputs produce identical ciphertext, and inputs that share a prefix produce ciphertexts that share their leading blocks (CWE-329).

see: https://cwe.mitre.org/data/definitions/321.html

Airhost AES256 CBC encryption with constant IV

see: https://cwe.mitre.org/data/definitions/329.html
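The following added example (written for this edit, not Zoom's code) reproduces the key and IV the article describes and shows both weaknesses side by side. Because it has to run with the Python standard library alone, the AES block cipher is replaced by a 4-round Feistel network keyed with HMAC-SHA256; that substitution is an assumption of the demo, and the CBC-level behaviour it shows (deterministic output with a fixed IV, shared leading blocks for shared prefixes, trivial decryption with the extracted key) is the same with AES underneath.

```python
"""Hard-coded key (CWE-321) and constant IV (CWE-329) in CBC mode.

Added example, not Zoom code. Key and IV are the constants the article
quotes for airhost.exe. The 128-bit block cipher is a stand-in for AES
(4-round Feistel with HMAC-SHA256 as round function) so that the script
needs no OpenSSL; the CBC properties demonstrated hold for any block cipher.
"""
import hashlib
import hmac
import os

BLOCK = 16

# The two constants quoted in the article for airhost.exe.
HARDCODED_KEY = hashlib.sha256(b"0123425234234fsdfsdr3242").digest()  # 32 bytes
CONSTANT_IV = b"3423423432325249"                                     # 16 bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed PRF truncated to one 8-byte half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Stand-in 128-bit block cipher (balanced Feistel, 4 rounds)."""
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:            # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded = _pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return _unpad(b"".join(out))


def encrypt_like_airhost(plaintext: bytes) -> bytes:
    """The pattern under discussion: fixed key, fixed IV, nothing random."""
    return cbc_encrypt(HARDCODED_KEY, CONSTANT_IV, plaintext)


def encrypt_fresh_iv(plaintext: bytes, key: bytes) -> bytes:
    """CWE-329 fix: random IV per message, prepended to the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_fresh_iv(blob: bytes, key: bytes) -> bytes:
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


def shared_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """How many leading 16-byte blocks two ciphertexts have in common."""
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n


if __name__ == "__main__":
    # Constructed messages that agree on their first 16 bytes.
    a, b = b"user=alice;token=secret-A", b"user=alice;token=secret-B"
    ca, cb = encrypt_like_airhost(a), encrypt_like_airhost(b)
    print("fixed IV, shared prefix -> shared ciphertext blocks:", shared_prefix_blocks(ca, cb))
    print("fixed IV, same message twice -> identical ciphertext:", ca == encrypt_like_airhost(a))
    # Anyone holding the binary holds the key and can decrypt directly.
    print("decrypted with the extracted key:", cbc_decrypt(HARDCODED_KEY, CONSTANT_IV, ca))
    key = os.urandom(32)   # CWE-321 fix: key from a secret store, not from the code
    print("fresh IV -> shared ciphertext blocks:",
          shared_prefix_blocks(encrypt_fresh_iv(a, key), encrypt_fresh_iv(b, key)))
```

The fix for the IV is in the block (a fresh random IV per message, stored next to the ciphertext). The fix for the key is not a matter of code: the key must come from outside the binary, for example from the Windows Data Protection API (CryptProtectData) or a credential store, so that possessing airhost.exe does not mean possessing the key. CBC alone also provides no integrity; an authenticated mode such as AES-GCM, or CBC with an HMAC over the ciphertext, would be the modern choice.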

zWebService.dll and tp.dll

Usage of components with known vulnerabilities

zWebService.dll & tp.dll use libcurl 7.55.1.

Even though this libcurl version is not as old as the one linked into airhost.exe, it is still pretty outdated (7.55.1 dates from August 2017). If you care about endpoint security, here is the list of its vulnerabilities:

see https://curl.haxx.se/docs/vuln-7.55.1.html

turbojpeg.dll

Usage of components with known vulnerabilities

Turbojpeg.dll uses libjpeg-turbo version 2.0.0 (build 20190715)

Remote Code Execution vulnerabilities in turbojpeg/libjpeg-turbo

see: https://www.cybersecurity-help.cz/vdb/SB2019111918
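The check behind all of the "components with known vulnerabilities" findings above (OpenSSL in zData.dll, libcurl and libssh2 in airhost.exe, libcurl in zWebService.dll and tp.dll, libjpeg-turbo in turbojpeg.dll) can be automated. The script below is an added example written for this edit, not code from the article or from Zoom: it greps a binary for the version banners these libraries compile into themselves and compares them against a minimum-version table. The MINIMUM table is an assumed policy, not taken from the article, and should be filled from the advisory pages linked above; the SAMPLE bytes are constructed to contain the banners the article reports.

```python
"""Scan a binary for embedded third-party library version banners.

Added example, not Zoom code. The regexes match the banner strings the
libraries embed in their own binaries; MINIMUM is an assumed policy table;
SAMPLE is constructed filler containing the banners the article reports.
"""
import re
import sys

PATTERNS = {
    # "OpenSSL 1.0.2o  27 Mar 2018" (OPENSSL_VERSION_TEXT)
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:\s+\d{1,2} \w{3} \d{4})?"),
    # "libcurl/7.36.0 OpenSSL/... zlib/..." (curl_version())
    "libcurl": re.compile(rb"libcurl/(\d+\.\d+\.\d+)"),
    # "SSH-2.0-libssh2_1.8.0" (default SSH banner) or "libssh2/1.8.0" in curl_version()
    "libssh2": re.compile(rb"libssh2[_/](\d+\.\d+\.\d+)"),
    # "libjpeg-turbo version 2.0.0 (build 20190715)" as quoted in the text
    "libjpeg-turbo": re.compile(rb"libjpeg-turbo version (\d+\.\d+\.\d+)"),
}

# ASSUMED policy: the oldest version you are willing to ship. Not from the
# article; derive the real floors from the advisory pages it links.
MINIMUM = {
    "openssl": "1.1.1",        # the whole 1.0.2 branch is end-of-life
    "libcurl": "7.70.0",
    "libssh2": "1.9.0",
    "libjpeg-turbo": "2.0.4",
}


def parse_version(text: str) -> tuple:
    """'1.0.2o' -> (1, 0, 2, 'o'); a letter suffix sorts after no suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def scan(data: bytes) -> dict:
    """Map library name -> sorted unique versions whose banner occurs in data."""
    found = {}
    for lib, pat in PATTERNS.items():
        versions = {m.group(1).decode("ascii") for m in pat.finditer(data)}
        if versions:
            found[lib] = sorted(versions, key=parse_version)
    return found


def evaluate(found: dict) -> list:
    """Compare every hit against MINIMUM; one record per library version."""
    report = []
    for lib, versions in found.items():
        floor = MINIMUM.get(lib)
        for ver in versions:
            if floor is None:
                status = "unknown"          # no policy entry for this library
            elif parse_version(ver) < parse_version(floor):
                status = "outdated"
            else:
                status = "ok"
            report.append({"library": lib, "version": ver, "minimum": floor, "status": status})
    return report


# Constructed stand-in for a DLL's string section with the banners the
# article reports; not bytes from a real Zoom binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"OpenSSL 1.0.2o  27 Mar 2018\x00"
    + b"libcurl/7.36.0 OpenSSL/1.0.2o zlib/1.2.8 libssh2/1.8.0\x00"
    + b"SSH-2.0-libssh2_1.8.0\x00"
    + b"libjpeg-turbo version 2.0.0 (build 20190715)\x00"
)


if __name__ == "__main__":
    # Usage: python libscan.py <file.dll>; without a path the SAMPLE is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for rec in evaluate(scan(data)):
        print(f"{rec['library']:14s} {rec['version']:8s} floor={rec['minimum']}  {rec['status']}")
```

Two caveats a practitioner should keep in mind: a banner proves the library is linked in, not which of its features are reachable (a libcurl built without SSH support never exercises libssh2), and a distribution may backport fixes without bumping the version string, so a hit is the start of the assessment, not its conclusion; the article's own point stands that shipping the current release is cheaper than doing that assessment for every CVE.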

T.B.C.?

At this point I realized that I have to stop my excursion into the code base. You're welcome.

