Since the beginning of the COVID-19 pandemic, Zoom has become an essential tool for remote workers, families, and friends to meet almost face-to-face. At the Black Hat security conference in Las Vegas, one security researcher demonstrated how he used the technology underlying Zoom and other applications to completely control a target’s computer.
Ivan Fratric, a Security Researcher with Google Project Zero, began his talk by asking the audience who was excited about XML, and received what this reporter interpreted as mild enthusiasm. “When XML was young, I was a young computer science student and I wasn’t excited about it back then either,” said Fratric.
“Fast forward two decades later I’m finally excited about XML for all the wrong reasons.”
That’s because Fratric was able to track down several bugs that when exploited allowed him to do all kinds of wonderfully terrible things to XMPP. What’s XMPP? “Essentially an instant messaging protocol based on XML,” explained Fratric. “When something is built on technology that’s over two decades old, you know it’s a good target for security research.”
What Fratric discovered was that he could embed chunks of XMPP code, called stanzas, inside of other XMPP stanzas. He could then use a client to send a smuggled stanza within a legitimate message, have it be accepted and relayed by the intermediate server, but interpreted as two stanzas by the target’s instant message client.
Fratric explained that all this was possible because, “XML is complicated and XML parsers have quirks.” The quirks in question: two XML parsers can interpret the same input differently, and sometimes both do so incorrectly. Some of his attacks required two specific XML parsers that are uniquely bad when used together, while others affect every use of a single parser.
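The defensive counterpart to what is described above, as an added illustration that is not code from Fratric's talk, from Zoom, or from any XMPP server: a relay that parses each inbound stanza strictly, rejects anything that is not exactly one stanza, and forwards its own re-serialization rather than the sender's raw bytes, so a recipient's parser has nothing extra to reinterpret. The stanza tags and the sample inputs are constructed here; namespace prefixes and the surrounding stream handling are left out for brevity.

```python
import xml.etree.ElementTree as ET

# Stanza types an XMPP stream may carry at top level (RFC 6120).
STANZA_TAGS = {"message", "iq", "presence"}


def _local(tag):
    """Drop any '{namespace}' prefix ElementTree puts on a tag name."""
    return tag.rsplit("}", 1)[-1]


def normalize_stanza(raw):
    """Parse one inbound stanza strictly and return the relay's own
    re-serialization of it, or None if the stanza must be dropped.

    The stanza is dropped when the bytes are not well-formed, contain
    anything other than exactly one top-level stanza element, or nest a
    stanza-type element anywhere inside.  Forwarding the re-serialized
    form (with '<' and '>' in text escaped) instead of the raw bytes means
    the recipient can only see what this parser saw: there is no leftover
    syntax for a more lenient client-side parser to read as a second stanza.
    """
    # Wrap in a throwaway root so we can count how many children exist.
    try:
        root = ET.fromstring("<stream>" + raw + "</stream>")
    except ET.ParseError:
        return None
    if len(root) != 1 or _local(root[0].tag) not in STANZA_TAGS:
        return None
    stanza = root[0]
    # Stray text beside the stanza belongs to no stanza: reject it.
    if (root.text or "").strip() or (stanza.tail or "").strip():
        return None
    # A message/iq/presence element nested inside a stanza has no meaning
    # at this layer; treat it as a smuggling attempt and drop it.
    for el in stanza.iter():
        if el is not stanza and _local(el.tag) in STANZA_TAGS:
            return None
    return ET.tostring(stanza, encoding="unicode")


if __name__ == "__main__":
    # Constructed samples: a benign chat message, two stanzas glued
    # together, a nested stanza, and a CDATA body spelling out
    # stanza-closing syntax (forwarded escaped, so it stays plain text).
    samples = [
        "<message to='alice@example.com'><body>hi</body></message>",
        "<message><body>a</body></message><message><body>b</body></message>",
        "<message><body><message><body>x</body></message></body></message>",
        "<message><body><![CDATA[</body></message><message>]]></body></message>",
    ]
    for s in samples:
        print(repr(s), "->", normalize_stanza(s))
```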
With his attacks, Fratric was able to spoof messages, meaning that targets would receive messages that appeared to come from someone else. He could also redirect XMPP traffic to another server, allowing him to see all the messages going to and from his target. That’s already distressing, but Fratric was interested in using these vulnerabilities to remotely execute code on a target’s machine.
Using Zoom as an example, Fratric showed how he was able to send an instant message from one Zoom client to another. The target’s client received the smuggled XMPP code that redirected Zoom’s auto-update mechanism to use Fratric’s server instead of the official Zoom server.
Zoom, smartly, verifies the validity of updates in a two-step process, but Fratric discovered that an older version of the Zoom client (v.4.4) was officially signed by Zoom but skipped the second step of verification. This meant Fratric could pass along a modified version of the 4.4 client and have it installed and run along with his malicious payload on the target’s computer.
There were a few caveats. Primarily that the target needed to restart the Zoom client twice for the attack to work—once to trigger the auto-update mechanism and again to trigger the installation of the infected update. Fratric said he still considers this a “zero click” attack since everyone has to reboot their computer at some point. “If you don’t do that, you have bigger problems than a Zoom exploit,” said Fratric.
Don’t Worry, Zoom Is Probably Safe
Fortunately for everyone working from home, Fratric reported his discoveries to Zoom, and patches have already been issued. He praised the company for taking his findings seriously and for issuing comprehensive fixes.
Still, he pointed out that XMPP is used in a myriad of other contexts, from online games to industrial controls. Some of the bugs he found that affected Zoom affect other targets as well.
“I think that these stanza-smuggling attacks are a pretty underexplored attack surface,” said Fratric. “I was able to find many different bugs in different targets, and unfortunately the way XMPP protocol is designed makes it easy to introduce and find bugs like this.”
He also insinuated that this talk didn’t cover all of his discoveries. While showing a slide that outlined the bugs he reported, Fratric quipped, “I can neither confirm nor deny that there are other bugs not listed in this slide.”
Keep reading PCMag for the latest from Black Hat.