Google Discloses Details of Zoom Zero-Click Remote Code Execution Exploit

Google’s Project Zero has disclosed the details of a zero-click remote code execution exploit targeting the Zoom video conferencing software.

Project Zero’s Ivan Fratric has described an exploit chain that can be used by a malicious actor to compromise a Zoom user over the chat feature — without user interaction — by sending them a message over the XMPP protocol. Part of Fratric’s exploit chain has been dubbed “XMPP Stanza Smuggling.”

Fratric has described a total of six vulnerabilities. Two of the flaws, tracked as CVE-2022-25235 and CVE-2022-25236, actually impact the popular open source XML parser Expat.

Since the library is used in many projects, several major vendors have released advisories to inform their customers about the impact of these and other Expat vulnerabilities, including IBM, Aruba, various Linux distributions, Oracle, and F5.

The Zoom-specific vulnerabilities found by Fratric have been described by Zoom as high- and medium-severity issues related to improper XML parsing (CVE-2022-22784), update package downgrading (CVE-2022-22786), insufficient hostname validation (​​CVE-2022-22787), and improperly constrained session cookies (CVE-2022-22785).

CVE-2022-22786 affects Zoom Client for Meetings for Windows and Zoom Rooms for Conference Room for Windows. The rest affect Zoom Client for Meetings on all desktop and mobile platforms.

Zoom patched server-side issues in February and client-side vulnerabilities at a later date — Zoom says in version 5.10.0 (released in March) and Fratric says in version 5.10.4 (released in April).

Google Project Zero has made Fratric’s bug report and proof-of-concept (PoC) exploits public.

“[The XMPP Stanza Smuggling vulnerability] abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to ‘smuggle’ arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack,” the researcher explained.

“Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer,” he added.

This is not the first time Google Project Zero researchers have found potentially serious vulnerabilities in the Zoom video conferencing platform. However, currently there are no reports of Zoom flaws being exploited in the wild.

Related: Details Disclosed for Zoom Exploit That Earned Researchers $200,000

Related: $200,000 Awarded for Zero-Click Zoom Exploit at Pwn2Own

Related: Zoom Is 16th CVE Numbering Authority Appointed in 2021