Zoom has become a crucial tool for remote workers, family, and friends since the COVID-19 pandemic. At the Black Hat security conference in Las Vegas, a researcher showed how he used Zoom to take control of a target’s computer.
Ivan Fratric, a Google Project Zero security researcher, asked the crowd who was thrilled about XML and received minimal enthusiasm. “When XML was young, I was a young computer science student and I wasn’t excited about it back then either,” stated Fratric.
“Fast forward two decades later I’m finally excited about XML for all the wrong reasons.”
Fratric exploited several flaws to attack XMPP, “essentially an instant messaging protocol based on XML,” said Fratric. “When something is built on technology that’s over two decades old, you know it’s a good target for security research.”
Fratric found he could put XMPP stanzas inside other stanzas. He could use a client to send a smuggled stanza inside a legitimate message; the intermediary server would accept and relay it as a single message, but the target’s IM client would interpret it as two stanzas.
“XML is complicated and XML parsers have quirks,” said Fratric. Two XML parsers can interpret the same XML differently, and sometimes incorrectly. Some of his attacks required two faulty XML parsers, while others required only one.
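To make the parser-differential idea concrete, here is an added illustration, written for this article and not Fratric’s code or Zoom’s, of how a lax, regex-based stanza splitter and a strict XML parser can disagree about where one stanza ends, and how a relay that re-serializes each stanza from its parsed form removes that ambiguity before forwarding. The sample stanzas, the example.com addresses, and the CDATA construction used to build the ambiguous input are all constructed for the illustration; the article does not describe the specific parser quirks Fratric exploited.

```python
import re
import xml.etree.ElementTree as ET

# XMPP top-level stanza kinds (RFC 6120). The constructed samples below carry no
# namespace; local_name() strips one if present (e.g. "{jabber:client}message").
STANZA_TAGS = {"message", "presence", "iq"}

# Constructed sample 1: a single, well-formed <message> whose <body> carries a
# CDATA section that merely *looks* like the end of one stanza and the start of
# another from a different sender. A conforming XML parser treats CDATA as text.
SMUGGLED = (
    '<message from="alice@example.com" to="bob@example.com" type="chat">'
    '<body><![CDATA[hi</body></message>'
    '<message from="mallory@example.com" to="bob@example.com">'
    '<body>spoofed</body>]]></body></message>'
)

# Constructed sample 2: a stanza element nested inside another stanza element.
# A client that treats every <message> element it meets as a stanza could be
# confused by it, so a relay should refuse to forward it as-is.
NESTED = (
    '<message from="alice@example.com" to="bob@example.com">'
    '<body>hi</body>'
    '<message from="mallory@example.com" to="bob@example.com"><body>x</body></message>'
    '</message>'
)


def local_name(tag):
    """Strip an XML namespace prefix such as "{jabber:client}" from a tag."""
    return tag.rsplit("}", 1)[-1]


def naive_split(raw):
    """A lax splitter that scans text for <message ...>...</message> pairs.

    It has no notion of CDATA, comments or entities: this is the 'faulty
    parser' side of the differential.
    """
    return [m.group(0) for m in re.finditer(r"<(message|presence|iq)\b.*?</\1>", raw, re.S)]


def naive_sender(chunk):
    """Return the sender the lax splitter would attribute a chunk to."""
    m = re.search(r'\bfrom="([^"]*)"', chunk)
    return m.group(1) if m else None


def strict_stanzas(raw):
    """Parse with a conforming XML parser and return the top-level stanzas."""
    root = ET.fromstring("<stream>" + raw + "</stream>")
    return [child for child in root if local_name(child.tag) in STANZA_TAGS]


def has_nested_stanza(stanza):
    """True if a stanza element appears anywhere inside another stanza element.

    Legitimate extensions such as XEP-0297 (Stanza Forwarding) do embed a
    <message> inside <forwarded>; a production check would allow those contexts.
    """
    return any(local_name(e.tag) in STANZA_TAGS for e in stanza.iter() if e is not stanza)


def is_ambiguous(raw):
    """Parser-differential check: do the lax and strict views disagree on the count?"""
    return len(naive_split(raw)) != len(strict_stanzas(raw))


def canonicalize(raw):
    """Relay-side mitigation: accept exactly one stanza, reject nesting, and
    forward the re-serialized parse tree instead of the original bytes, so the
    receiving client can only see what the relay's strict parser saw."""
    stanzas = strict_stanzas(raw)
    if len(stanzas) != 1:
        raise ValueError(f"expected exactly one stanza, got {len(stanzas)}")
    stanza = stanzas[0]
    if has_nested_stanza(stanza):
        raise ValueError("nested stanza element rejected")
    stanza.tail = None  # drop any whitespace between stanzas before serializing
    return ET.tostring(stanza, encoding="unicode")


if __name__ == "__main__":
    for chunk in naive_split(SMUGGLED):
        print("lax view   :", naive_sender(chunk))
    print("strict view:", [s.get("from") for s in strict_stanzas(SMUGGLED)])
    print("ambiguous  :", is_ambiguous(SMUGGLED))
    canon = canonicalize(SMUGGLED)
    print("after canonicalization, ambiguous:", is_ambiguous(canon))
```

Run as a script, the lax view reports two senders (alice, then mallory) for what the strict parser sees as one message from alice; after `canonicalize()` the body text is escaped on the wire (`&lt;message ...`), so both views agree on a single stanza. The nested sample is rejected outright, which is the cheaper of the two defences: a relay that disallows stanza elements inside stanza elements, outside whitelisted forwarding contexts, never has to reason about how a downstream client's parser will treat them.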
Fratric’s attacks spoofed messages, so targets received messages that appeared to come from someone else. He could also redirect XMPP traffic to another server and observe all of a target’s messages. Fratric’s goal, though, was to use these vulnerabilities to execute code remotely on a target’s PC.
Fratric used Zoom to demonstrate the attack by sending an instant message from one client to another. The target’s client received XMPP content that redirected Zoom’s auto-update mechanism to Fratric’s server.
Zoom verifies updates in a two-step process; however, Fratric found that an older version of the Zoom client (v4.4) skipped the second step. Fratric could pass along a modified 4.4 client and install it, with his malicious payload, on the target’s computer.
Some conditions applied. The target has to restart Zoom twice for the attack to work—once to trigger the auto-update and again to install the infected update. Fratric still calls this a “zero click” attack because everyone reboots eventually. Fratric: “If you don’t do that, you have bigger problems than a Zoom exploit.”
Zoom Is Safe
Fratric reported his findings to Zoom, which produced patches. He commended the company for addressing his concerns.
XMPP is also used in online gaming and industrial controls, he said, and some of the flaws he found in Zoom affect other targets as well.
“I think that these stanza-smuggling attacks are a pretty underexplored attack surface,” added Fratric. “I was able to find many different bugs in different targets, and unfortunately the way XMPP protocol is designed makes it easy to introduce and find bugs like this.”
He hinted that the talk did not cover all his findings. Fratric said, “I can neither confirm nor deny that there are other bugs not listed in this slide.”