Weakness in Zoom for macOS allows local attackers to hijack camera and microphone

The Zoom video conferencing client for macOS does not take full advantage of the application hardening features the operating system offers, which could allow local malware to elevate its privileges or access the camera and microphone without the user’s knowledge. The issues, which stem from insecure use of system APIs, were revealed Wednesday by security researcher Patrick Wardle on his blog. Wardle has a long history of macOS security research, which includes finding vulnerabilities, analyzing malware and writing security tools for Apple’s platform.

Exploiting the two flaws requires attackers to already have local code execution access on the machine, but this does not mean they’re not serious issues, since local code execution with limited user privileges can be achieved in a variety of ways. Furthermore, Wardle believes the problems could have been easily avoided by Zoom because the attack techniques have been documented by himself and other researchers in the past in blog posts and at security conferences.

“First, we illustrated how unprivileged attackers or malware may be able to exploit Zoom’s installer to gain root privileges,” Wardle said in his blog post. “Following this, due to an ‘exception’ entitlement, we showed how to inject a malicious library into Zoom’s trusted process context. This affords malware the ability to record all Zoom meetings, or simply spawn Zoom in the background to access the mic and webcam at arbitrary times!”

“The former is problematic as many enterprises (now) utilize Zoom for (likely) sensitive business meetings, while the latter is problematic as it affords malware the opportunity to surreptitious access either the mic or the webcam, with no macOS alerts and/or prompts,” the researcher said.

Other macOS application developers should take note because these vulnerabilities could impact other applications as well if they use similar configurations as Zoom.

Use of a deprecated API 

Wardle started looking at Zoom’s installer for macOS after Felix Seele, technical lead at security firm VMRay, mentioned on Twitter that Zoom is using the macOS AuthorizationExecuteWithPrivileges API to prompt users for their master password so installation tasks could be executed with root privileges — root is the highest privileged account on UNIX-like systems.

“Stop me if you’ve heard me talk (rant) about this before, but Apple clearly notes that the AuthorizationExecuteWithPrivileges API is deprecated and should not be used,” Wardle says in his blog post. “Why? Because the API does not validate the binary that will be executed (as root!) …meaning a local unprivileged attacker or piece of malware may be able to surreptitiously tamper or replace that item in order to escalate their privileges to root (as well).”

Zoom uses the API to execute a bash script called runwithroot which is unpacked by the installer in a user-writable temporary directory. This means that any local application, including malware, could monitor the Zoom installation process, rewrite this script on the fly and add malicious code to it. This would allow it to take full control of the system.

The only limitation to this attack is that malware would have to wait for the user to install or update Zoom, which would trigger the root access prompt.

An application hardening exception

Apple advises macOS application developers to compile their applications using a feature called Hardened Runtime in Xcode — the integrated development environment for macOS. This feature enables strict code signature verification not only for the main application executable, but for all its components and loaded code.

“The Hardened Runtime, along with System Integrity Protection (SIP), protects the runtime integrity of your software by preventing certain classes of exploits, like code injection, dynamically linked library (DLL) hijacking, and process memory space tampering,” Apple says in its documentation.

While this hardening does not negatively impact most apps, it does restrict some features such as just-in-time (JIT) compilation or third-party plug-ins that are not signed with the same Team ID as the main application. Because of this, Apple allows developers to configure certain exceptions called “entitlements”.

Zoom is compiled with the Hardened Runtime option but uses the com.apple.security.cs.disable-library-validation entitlement in its configuration. This effectively disables code signature verification for its dynamic libraries and enables a code injection attack that Wardle calls “dylib proxying”. It’s not clear why Zoom uses this exception since its own libraries appear to be properly signed.

Wardle demonstrated the attack with a Zoom library called libssl.1.0.0.dylib. He renamed the library by adding an underscore (_) character in front of its name, then created a rogue version that actually references the original one. In essence, he created an unsigned proxy library with the same name that Zoom executes at runtime, but which also directs the application to the original library so that the application functions properly.

The implication of this is that malicious code from the rogue library gains the same permissions as the Zoom application, including the ability to access the camera and microphone.

“To test this ‘access inheritance’ I added some code to the injected library to record a few seconds of video off the webcam,” Wardle said. “Normally this code would trigger an alert from macOS, asking the user to confirm access to the (mic) and camera. However, as we’re injected into Zoom (which was already given access by the user), no additional prompts were displayed, and the injected code was able to arbitrarily record audio and video.”

For the malicious code to access the camera, Zoom needs to be running, but this is not a problem since the macOS “open” command-line utility has an option to launch any application as hidden in the background. This means that malware piggybacking on Zoom could record video and audio at arbitrary times, without the user being aware that Zoom is running.

One of the free macOS utilities created and maintained by Wardle is called OverSight and notifies users every time an application wants to access their camera or microphone. Another one called KnockKnock can scan and identify proxy libraries on the system.

“We are actively investigating and working to address these issues,” a Zoom spokesperson tells CSO in an emailed statement. “We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue.”

Wardle tells CSO that any applications that use the com.apple.security.cs.disable-library-validation are vulnerable to the same library proxying attack because that entitlement allows any library — unsigned or signed by another developer — to be loaded, so developers should check their applications and avoid this exception if possible.