Zoom Company Audit
People
Eric S Yuan
- Email: ericsyuan2011@gmail.com
- Password leaks:
- “Data Enrichment Records” leak (2016)
- Dropbox (2012)
- Experian (2015)
- Kickstarter (2014)
- LinkedIn (2012)
- SMS 2FA
- Bypass allowed with security questions
- Security Question #1: “What is your hometown?”
- Answer: Shandong
- Security Question #2: “What is the phone number registered with your account?”
- Answer: 1.4084838813
- Password leaks:
Domains
Zoom.us
- Registrar: Godaddy
- Registrant email: ericsyuan2011@gmail.com
- HPKP: Disabled
- Enabling with a false certificate could be used for a long term DoS
- HSTS: Broken
- Preloading is not enabled
- Enabling preloading with a false cert could cause long term DoS
- max-age is invalid
- No includeSubDomains directive
- Preloading is not enabled
Conclusion
Complete takeover of DNS is probably possible due to weak registrant email security.
Zoom Controller Audit
Access
wget http://hybridupdate.zoom.us/latest/controller/system.vmdk
qemu-img convert -f vmdk -O raw system.vmdk zoom.img
mount -o loop zoom.img /mnt/zoom
mkdir /mnt/zoom
sudo mount -o loop,offset=1209008128 zoom.img /mnt/zoom
sudo mount -o loop,offset=135266304 zoom.img /mnt/zoom/boot
Evaluation
General Observations
- OS image is http downloaded by default
- No OS image signing/verification
- Potential to MITM inject malicious firmware
- Linux 2.6.2 kernel
- Released in 2004
- 493 Published Vulnerabilities
- https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/version_id-12834/Linux-Linux-Kernel-2.6.2.html
- No bootloader protection
- Can easily walk up to machine and add init=/bin/bash to grub for root shell
- root password is set to a default /etc/passwd
- AWS/GPG credentials in /opt/s3/s3cfg
- SSH Host private keys in /etc/ssh
- SSB Private keys/certs in /opt/zoom/conf
- Cached copies of image provisioning scripts in /tmp
- Contains details about internal Zoom network resources
- Login portal served from /mnt/zoom/opt/vmware/share/htdocs
- Web portal served with vami-lighttpd 1.4.29
- TLS key is randomly generated, with no pinning
- TLS 1.0 and known weak ciphers via CVE-2013-4508
Interesting Binaries
/opt/zoom/bin/mmr
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, Intel 80386, version 1 (SYSV)
5428764 0x52D61C Unix path: /usr/local/ssl/private
17438464 0x10A1700 Unix path: /App/nydus/source/fec
17464125 0x10A7B3D Unix path: /App/nydus/source/utilities
20058184 0x1321048 Unix path: /home/official/zoomdm/Common/platform/tp/src
31247778 0x1DCCDA2 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
31330762 0x1DE11CA mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
31330786 0x1DE11E2 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
/opt/zoom/bin/zctrl
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, Intel 80386, version 1 (SYSV)
2283 0x8EB mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
4325334 0x41FFD6 Unix path: /../Common/platform/util/h/stream.h
4329700 0x4210E4 Unix path: /../Common/web/meeting.pb.h
4361314 0x428C62 Unix path: /../Common/web/meeting.pb.cc
4377110 0x42CA16 Unix path: /../Common/platform/conf/zc_pdu.cpp
4393898 0x430BAA Unix path: /../../platform/util/h/defer_op.hpp
15312206 0xE9A54E Unix path: /home/official/zoomdm/Platform/zc
17048860 0x104251C Unix path: /home/official/zoomdm/Common/platform/util/src
16341448 0xF959C8 Unix path: /../Common/web/meeting.pb.cc
Other paths from strings:
- /home/official/zoomdm/Common/awssdk
- /home/official/zoomdm/Common/platform/tp/src
- /home/official/zoomdm/Common/platform/util/src
/opt/zoom/bin/mlar
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, Intel 80386, version 1 (SYSV)
2207452 0x21AEDC Unix path: /usr/local/ssl/private
5316039 0x511DC7 Unix path: /home/rola/svn/trunk/Platform/mlar
Browser Plugin
- Full access to browser history and *.zoom.com and calendar.google.com domains
- Unrestricted TCP access on 0.0.0.0 (Should only need localhost and a single port or two at most.)
- Jquery 2.1.4
- 3 years old
- Not needed at all in chrome which provides all the needed APIs in native javascript
- Known XSS and DoS vulns https://snyk.io/test/npm/jquery/2.1.4