Zoom Client before 4.4.2 Improper Input Validation Vulnerability
In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421.
The information has been provided by Jonathan Leitschuh.
Chrome allows CORS bypass on image requests made against localhost
This was originally discovered while researching a security vulnerability in a very popular piece of video conferencing software (similar to Skype for Business or Google Hangouts).
The infrastructure of this video conferencing software allows a user to send meeting invites as links to participants.
When participants click the link, it is opened in their browser, and the browser is able to launch the user into a video call by opening the company's software on their local machine.
This process only requires the user to have installed the software on their computer; there is no need for the user to have installed an external Chrome plugin.
http://localhost:19421/launch?action=join&confno=[some conference number]
In order to bypass the browser's cross-origin (CORS) restrictions on requests to localhost, the company instead used the loading of an image, which the browser does not subject to those checks.
The screenshot attached shows the pseudo-case-switch statement they use to convey information from the localhost server to the JavaScript running in the browser.
For example, a 1×1 image response indicates a success.
This vulnerability can be abused to forcibly join someone to a video call using the following HTML:
Using this vulnerability, any website can effectively DoS a user's machine with the following HTML:
var attackNumber = "614249281";
// Creating an <img> element and setting its src is enough to make the browser issue the request;
// the element does not need to be attached to the page.
var image = document.createElement("img");
// Use a date to bust the browser's cache so each load is a fresh request to the localhost server
var date = new Date();
image.src = "http://localhost:19421/launch?action=join&confno=" + attackNumber + "&" + date.getTime();
Using the vulnerability described above, a malicious attacker is able to forcibly join anyone with the vulnerable software installed (a majority of users) into a video call with their camera active by default. No user interaction is required besides navigating to an impacted site.
It is important to note that the company with the impacted software has over 650,000 business customers and over 85% of the top 200 US universities. As of 2015, they had over 35 million active users.
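The exposure described above hinges on the client's local web server still accepting connections on port 19421. The following audit helper is an added example, not code from the advisory or from the vendor: it probes that port on the loopback interface and reports whether a listener is present, which is the condition a defender should check on macOS hosts before and after upgrading the client. The port number comes from the advisory; the function and message names are this example's own.

```python
import socket

# Port of the local web server that the vulnerable Zoom client installed on
# macOS, as stated in the advisory. The helper functions below are an added
# audit aid and are not part of the advisory or the vendor's software.
ZOOM_LOCAL_PORT = 19421


def local_listener_present(port: int, host: str = "127.0.0.1",
                           timeout: float = 0.5) -> bool:
    """Return True if something accepts TCP connections on host:port.

    A listener on the loopback address is reachable from any web page the
    user visits via an <img> request, which is exactly the path the advisory
    describes, so a positive result means the client should be upgraded
    (4.4.2 or later per the advisory) or the local server removed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, or host unreachable: nothing listening.
        return False


def audit(port: int = ZOOM_LOCAL_PORT) -> str:
    """Human-readable verdict for one host, suitable for a fleet audit log."""
    if local_listener_present(port):
        return (f"localhost:{port} is listening: local web server present, "
                f"update the Zoom client to 4.4.2 or later")
    return f"localhost:{port} is closed: local web server not reachable"


if __name__ == "__main__":
    print(audit())
```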
Zoom Client before 4.4.2 on macOS