This report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol. Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to "smuggle" arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer. This attack has been demonstrated against the latest (5.9.3) client running on Windows 64-bit, however some or all parts of the chain are likely applicable to other platforms.
c5835f3651ef4f351fdd27038787c6bd633712398f3562132cf3224e2a0a5e16Linux usbnet code tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.
9cbdb1ccc149a355b2d267a848a75d3513d0e33cb89787801e49bf0110235f37A use-after-free issue exists in Chrome 100 and earlier versions. A malicious extension can achieve arbitrary code execution in the browser process.
595428413ed6af41648e85f12bfacfc4d3b4b659dea62dab16b66777c9ddb014AppleVideoDecoder suffers from an out-of-bounds free vulnerability. The attached video file contains a malformed HEVC Decoder Configuration Record that leads to an out-of-bounds free in CreateHeaderBuffer. When copying the VPS, PPS and SPS, the destination pointer is incremented, and if the copied data is larger than the length specified in the input file, it breaks and falls through to a condition that frees the destination pointer, even though it has been incremented. This could free the chunk allocated next to the destination memory.
a49f6411c8b8733ea1c031b562f4509169b737f83ae46d802b8cf4aed5bd1cb1Linux suffers from two bugs in PT_SUSPEND_SECCOMP. One allows for permission bypass and the other relates to a ptracer death race.
090e7e5a723be850497afe230306c956241cce0eb429877bf07e8c0f06eb2a40A use-after-free issue exists in Chrome 100 and earlier versions. Processing maliciously crafted web content may lead to arbitrary code execution in the browser process.
84b488e3a4db5db9d8a3df99b628eaaf0e1c8d462ed33ed2d967d6a09c443252BlueZ suffers from a vulnerability where a malicious USB device can steal Bluetooth link keys over HCI using a fake BD_ADDR. It was also discovered that bluetoothd suffers from a double-free memory corruption flaw.
8a1aa43e53f3253ec88afc78d193bedf1f90ff6d4fdbe4fc1be57e91906b1055Linux suffers from a vulnerability where FUSE allows use-after-free reads of write() buffers, allowing theft of (partial) /etc/shadow hashes.
2013a523f6140f5f94778f15578c0f1d52f0a0bddd81e46cc48963fbe8fd4efbThe Linux watch_queue filter suffers from an out of bounds write vulnerability.
48bdbb27c736f9c5dd12453993d4bc23ee38e3c25b3e23faef205b92dcf36f51cmark-gfm, Github's markdown parsing library, is vulnerable to an out-of-bounds write when parsing markdown tables with a high number of columns due to an overflow of the 16bit columns count.
27a5460a6816fd26f0145be9abc1875edcaf581344dee907385de97828a29203Chrome has an issue where a malformed message sent to DeserializeFromMessage may trigger deserialization of out-of-bounds data.
f016c2cc33607e475f4fb0feaf3b97c31f557eea1cb21d5c1b76fc4fa4ad9003Chrome suffers from a heap use-after-free vulnerability in safe_browsing::ThreatDetails::OnReceivedThreatDOMDetails. Versions affected include Google Chrome 96.0.4664.110 (Official Build) (64-bit) and Chromium 99.0.4807.0 (Developer Build) (64-bit).
abc96b3ccb6e22768b4210d82c4a8f2e4acb93ed93b406ea11be905b7b11fd03containerd suffers from an insecure handling vulnerability related to image volumes.
b48bfd4366814227d48303e9535b5ccfe89e805d02c9e299e3b73f9fe15bbda5In Linux, drivers/net/usb/ax88179_178a.c contains multiple out-of-bounds accesses in ax88179_rx_fixup(), the function responsible for taking a buffer received over USB and splitting it up into ethernet packets.
d31f6a101db6dc5fd85ff3bf16404acb26c0969c2cd57cc1adc10f3d4419cf21Chrome suffers from a heap buffer overflow vulnerability in chrome_pdf::PDFiumEngine::RequestThumbnail.
bd3fa3d2b549b50b402df051a6cd94824b4d90a629f0814051f738170796b1e5Chrome suffers from an integer overflow vulnerability in HandleTable::AddDispatchersFromTransit that can lead to memory corruption.
0ef0d4da3c4dc9fb06483f95973add0c92d39c6c630ce2e22e5798641135e44aChrome suffers from a state tracking issue in RenderFrameHostImpl that leads to a use-after-free vulnerability.
d581673d0c71222578b61244ffc597f2d89dd9ee51ee889782cd5588f7d54bf9Chrome suffers from making use of an uninitialized on-stack pointer in storage::BlobBuilderFromStream.
7508021fc3ad459f9d4a21d3d34a8201df4467cbbf9015fe49fb42a0ad822203The XNU kernel suffers from a use-after-free vulnerability in mach_msg.
2f6301f083bee339053850c19d2a821eb5bf15e94079651382aba5531646e6f1Chrome suffers from a memory corruption vulnerability in IPC::ChannelAssociatedGroupController due to interface ID reuse.
23b2104d82495d408d6c49e60967e71884e4e77854a1cebb576ccad92a937b92The EFSRPC service on Microsoft Windows Server versions 2019 and 2022 does not prevent a caller specifying a local device path allowing any authenticated user to upload arbitrary files to a server.
69dcaa165fe62179a42fd16409e133c7034c05be0577fdf672a5a01f4c88b8f8Apple ColorSync suffers from out-of-bounds read vulnerabilities due to integer overflows in curve table initialization.
55736f35713879a403e9db74f555530baf0f44d465185f687162ed25742170f4Linux suffers from a garbage collection memory corruption vulnerability by resurrecting a file reference through RCU.
638d1db3f45bcd59a8ce424b7eb6551bbe0ff49ecd4eb9c767f096560f4687deChrome suffers from a heap use-after-free vulnerability in storage::BlobURLStoreImpl::Revoke.
08933f6422b86ae33f009b22a331db75fb1ea7da60743243cb0e1fc0c82a0af2XNU suffers from a heap use-after-free vulnerability in inm_merge.
7157a72995dfa18e7979cab877bfb5645e4f20d9554478a6b0c26d6daae56123
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed