Zoom patches XMPP vulnerability chain that could lead to remote code execution

Zoom users are advised to update their clients to version 5.10.0 to patch a number of holes found by Google Project Zero security researcher Ivan Fratric.

“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric said in a bug tracker description of the chain.

Looking at the way XMPP messages are parsed differently by Zoom’s server and clients, since they use different XML parsing libraries, Fratric was able to uncover an attack chain that ultimately could lead to remote code execution.

If a specially crafted message was sent, Fratric was able to trigger clients into connecting to a man-in-the-middle server that served up an old version of the Zoom client from mid-2019.

“The installer for this version is still properly signed, however it does not do any security checks on the .cab file,” Fratric said.

“To demonstrate the impact of the attack, I replaced Zoom.exe in the .cab with a binary that just opens Windows Calculator app and observed Calculator being opened after the ‘update’ was installed.”

In its security bulletin published last week, Zoom said the security researcher also found a way to send user session cookies to a non-Zoom domain, which could allow for spoofing.

The CVE-2022-22786 vulnerability that allowed for downgrading the client only impacted Windows users, while the other three issues — CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 — impacted Android, iOS, Linux, macOS, and Windows.

Fratric discovered the vulnerabilities in February, with Zoom patching its server-side issues the same month, and releasing updated clients on April 24.

Related Coverage