[Thread]
The kind folk at http://www.cyber-itl.org shared a new @zoom_us security issue with me.
I want to take this opportunity to describe:
The issue
How Zoom et al should fix it
How purchasers should identify it before corporate purchasing
What individuals should do
1/
Zoom has been in the news for security issues a lot lately. I’m choosing to share this info because Zoom has been very good in responding to security researchers and security problems. It is apparent they care now... but how bad is their security deficit? Let’s quantify 2/
To avoid adding to the FUD let me state this up front: If you use Zoom at home for personal reasons to remain connected to loved ones during the pandemic - that’s very important. You should probably continue using the product. Hopefully Zoom will update and improve. 3/
CITL took a look at the Linux Zoom software and frankly it is surprisingly security deficient. I mean *surprisingly* deficient!
@m0thran did the analysis I’m about to share. (You should follow him.) Let’s quantify the issue and then show what to do about it. 4/
The Linux Zoom binary is 42M (!), is at /opt/zoom/zoom, and version is 3.5.383291.0407. It lacks so many base security mitigations it would not be allowed as a target in many Capture The Flag contests. Linux Zoom would be considered too easy to exploit! How do we know? 5/
CITL uses their own software tools that aren’t open source (yet), but you can find free software with a subset of their checks. The Linux checksec shell script works fine for this. Notice the binary lacks DEP/ASLR/Canaries/Fortification/RO section orders [@wdormann image] 6/ pic.twitter.com/UA2mYM6L0g
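As an added example (not CITL's tooling, not checksec itself, and not anything from Zoom), here is a small ELF64 inspector in C that reports three of the properties checksec flags: NX (the PT_GNU_STACK program header without PF_X), PIE (an ELF type of ET_DYN) and RELRO (a PT_GNU_RELRO program header). The header structs and constants are written out from the ELF specification rather than pulled from <elf.h> so the code builds anywhere; `build_sample_elf` and `sample_flags` produce a constructed, fake ELF image purely so the checker can be exercised without a binary on disk. Canary and FORTIFY detection need the symbol table and are deliberately out of scope here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal ELF64 layouts, copied from the ELF spec instead of <elf.h> so the
 * example is portable. Field order and widths match the on-disk format, and
 * natural alignment introduces no padding (64 and 56 bytes respectively). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr64;

enum { ELF_ET_EXEC = 2, ELF_ET_DYN = 3,
       ELF_PT_GNU_STACK = 0x6474e551, ELF_PT_GNU_RELRO = 0x6474e552,
       ELF_PF_X = 1, ELF_PF_W = 2, ELF_PF_R = 4 };

/* Bit flags returned by elf_flags(): which mitigations are present. */
enum { MIT_NX = 1, MIT_PIE = 2, MIT_RELRO = 4 };

/* Inspect an in-memory ELF64 image. Returns a bitmask of MIT_* values, or -1
 * if the buffer is not a parseable little-endian ELF64 file. */
int elf_flags(const uint8_t *buf, size_t len) {
    Ehdr64 eh;
    if (len < sizeof eh || memcmp(buf, "\x7f" "ELF", 4) != 0
        || buf[4] != 2 /* ELFCLASS64 */ || buf[5] != 1 /* ELFDATA2LSB */) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (eh.e_phentsize != sizeof(Phdr64) || eh.e_phoff > len
        || (uint64_t)eh.e_phnum * sizeof(Phdr64) > len - eh.e_phoff) return -1;

    int flags = 0;
    if (eh.e_type == ELF_ET_DYN) flags |= MIT_PIE;     /* same heuristic checksec uses */
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr64 ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == ELF_PT_GNU_STACK) {
            /* Stack is non-executable only if the header exists AND lacks PF_X;
             * with no PT_GNU_STACK at all the kernel defaults to an executable stack. */
            if (!(ph.p_flags & ELF_PF_X)) flags |= MIT_NX;
        } else if (ph.p_type == ELF_PT_GNU_RELRO) {
            flags |= MIT_RELRO;                        /* at least partial RELRO */
        }
    }
    return flags;
}

/* Build a constructed (fake) ELF64 image with two program headers so the
 * checker can be exercised offline. Returns bytes written, 0 if cap is too small. */
size_t build_sample_elf(uint8_t *buf, size_t cap, int exec_stack, int pie, int relro) {
    size_t n = sizeof(Ehdr64) + 2 * sizeof(Phdr64);
    if (cap < n) return 0;
    Ehdr64 eh; Phdr64 stack, extra;
    memset(&eh, 0, sizeof eh); memset(&stack, 0, sizeof stack); memset(&extra, 0, sizeof extra);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* 64-bit, LE, version 1 */
    eh.e_type = pie ? ELF_ET_DYN : ELF_ET_EXEC;
    eh.e_machine = 62;                                        /* EM_X86_64 */
    eh.e_version = 1;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Phdr64); eh.e_phnum = 2;
    stack.p_type = ELF_PT_GNU_STACK;
    stack.p_flags = ELF_PF_R | ELF_PF_W | (exec_stack ? ELF_PF_X : 0);
    stack.p_align = 16;
    extra.p_type = relro ? ELF_PT_GNU_RELRO : 0 /* PT_NULL */;
    extra.p_flags = ELF_PF_R;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &stack, sizeof stack);
    memcpy(buf + sizeof eh + sizeof stack, &extra, sizeof extra);
    return n;
}

/* Convenience: build a constructed sample and report its flags in one call. */
int sample_flags(int exec_stack, int pie, int relro) {
    uint8_t buf[256];
    size_t n = build_sample_elf(buf, sizeof buf, exec_stack, pie, relro);
    return n ? elf_flags(buf, n) : -1;
}

/* Stand-alone use: read a real binary and report, checksec-style. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    if (sz < 0) { fclose(f); return 1; }
    uint8_t *buf = malloc((size_t)sz + 1);
    size_t got = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    int fl = buf ? elf_flags(buf, got) : -1;
    free(buf);
    if (fl < 0) { fprintf(stderr, "%s: not an ELF64 image\n", argv[1]); return 1; }
    printf("NX:    %s\nPIE:   %s\nRELRO: %s\n", (fl & MIT_NX) ? "yes" : "NO",
           (fl & MIT_PIE) ? "yes" : "NO", (fl & MIT_RELRO) ? "yes" : "NO");
    return 0;
}
```

Pointing the compiled binary at a path such as `/opt/zoom/zoom` prints a yes/NO line per mitigation; a procurement checklist can require "yes" on all of them for any native binary before it is approved.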
The absence of these basic security and safety attributes makes the application exceedingly easy to exploit (I’ll show coding vulnerabilities in a bit). Disabling all of them is impressive. Perhaps Zoom using a 5-year-out-of-date development environment helps (2015). 7/
It’s not hard to find vulnerable coding in the product either. Here’s an example of grabbing an untrusted environment variable and handing it to the insecure popen(3) function for execution [@m0thran]. There are plenty of secure-coding-101 flaws here. 8/ pic.twitter.com/D2FadPn1OD
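The pattern described in that tweet, and the fix a reviewer would ask for, as an added example in C that is not Zoom's code and not the screenshot from @m0thran. Whatever one concludes about who can control `HOME`, the hardening is the same: never route an environment value through `/bin/sh`. The "before" function keeps the popen(3) shape for comparison only; the "after" functions validate `HOME` against an allow-list and open the file directly. The file name `.zoomrc` and all function names are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* popen(3) is POSIX, not ISO C */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* BEFORE (the pattern the tweet describes): an environment value is pasted
 * into a command line and handed to popen(3), which runs it through /bin/sh.
 * Anything the shell treats specially in $HOME (spaces, ';', "$(...)") changes
 * what gets executed. Kept only for comparison; the hardened path never calls it. */
FILE *open_config_via_shell_unsafe(void) {
    char cmd[4096];
    const char *home = getenv("HOME");
    snprintf(cmd, sizeof cmd, "cat %s/.zoomrc", home ? home : "");
    return popen(cmd, "r");
}

/* Returns 1 if home looks like a plain absolute directory path, 0 otherwise.
 * Allow-list rather than deny-list: only characters a home directory normally
 * contains, and no ".." components. */
int validate_home(const char *home) {
    if (home == NULL || home[0] != '/') return 0;
    if (strstr(home, "/../") != NULL) return 0;
    size_t n = strlen(home);
    if (n >= 3 && strcmp(home + n - 3, "/..") == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)home; *p; p++) {
        if (!(isalnum(*p) || *p == '/' || *p == '.' || *p == '_' || *p == '-')) return 0;
    }
    return 1;
}

/* Joins home and a single file name into out without touching a shell.
 * Returns the length written, or -1 if home is rejected, rel is not a plain
 * file name, or the result would not fit (truncation is refused, not guessed). */
int build_config_path(const char *home, const char *rel, char *out, size_t cap) {
    if (!validate_home(home) || rel == NULL || rel[0] == '\0') return -1;
    if (strchr(rel, '/') != NULL || strcmp(rel, ".") == 0 || strcmp(rel, "..") == 0) return -1;
    int n = snprintf(out, cap, "%s/%s", home, rel);
    if (n < 0 || (size_t)n >= cap) return -1;
    return n;
}

/* AFTER: open the file directly. No command string, no shell, no popen. */
FILE *open_config_safely(const char *name) {
    char path[4096];
    if (build_config_path(getenv("HOME"), name, path, sizeof path) < 0) return NULL;
    return fopen(path, "r");
}

/* Stand-alone use: print the first line of $HOME/<name>, or explain why not. */
int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : ".zoomrc";
    FILE *f = open_config_safely(name);
    if (!f) { fprintf(stderr, "refused or missing: %s under HOME\n", name); return 1; }
    char line[256];
    if (fgets(line, sizeof line, f)) fputs(line, stdout);
    fclose(f);
    return 0;
}
```

The design point is that `build_config_path` fails closed on three things a shell-based version silently accepts: a `HOME` that is not a clean absolute path, a file name carrying a directory component, and a result longer than the buffer.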
Sorry, what?
$HOME is an "untrusted" environment variable? It is perfectly normal for $HOME to lead to code exec *by design*, e.g. because it is used to locate a config file that can specify paths to dynamic libraries. This is like complaining about a vuln in LD_PRELOAD parsing.
Sure, coding it this way is gross and wrong, but the unsanitized input is not attacker-controllable as you suggested.