Cybersecurity researchers have found two critical vulnerabilities in Zoom that could let attackers remotely compromise the systems of group chat participants or an individual recipient.
Both vulnerabilities are path traversal flaws. They can be exploited to write arbitrary files to systems running vulnerable versions of the Zoom app and so execute malicious code on the victim's device.
The researchers said that successful exploitation of both vulnerabilities requires little or no user interaction in an individual or group chat. An attacker exploits them by sending specially crafted messages through the chat feature.
The first vulnerability, tracked as CVE-2020-6109, resides in the way Zoom leverages the GIPHY service, which lets users search for and exchange GIFs while chatting.
The Zoom app doesn't verify whether a GIF is sent through the GIPHY service or from a third-party source, which could allow an attacker to send malicious GIFs.
In addition, because Zoom doesn't sanitize the filenames, an attacker could achieve directory traversal and save malicious files embedded in GIFs to a specified location, for example the Windows Startup folder.
"A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required," the researcher said.
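The two checks described above as missing for CVE-2020-6109, a source check and filename sanitization, are sketched below as an added example; it is not Zoom's code or its fix. The allow-listed host, the .gif extension rule and the function names are assumptions made for illustration.

```python
import os
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: the client should only fetch GIFs from this service's hosts.
ALLOWED_HOSTS = {"giphy.com"}
# Assumption: extra hardening, only .gif files belong in the GIF cache.
ALLOWED_EXT = {".gif"}

def is_allowed_source(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https URLs whose host is an allowed domain or a subdomain."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)

def safe_cache_path(cache_dir, untrusted_name):
    """Map a sender-supplied filename to a path that stays inside cache_dir."""
    if not untrusted_name or "\x00" in untrusted_name:
        raise ValueError("empty name or NUL byte")
    # Reject both separator styles and ':' (drive letters, alternate streams),
    # so the result is the same whichever OS performs the check.
    if any(c in untrusted_name for c in "/\\:"):
        raise ValueError("path separator or drive marker in name")
    if untrusted_name in (".", ".."):
        raise ValueError("relative directory reference")
    # Also rejects 'x.gif.' and 'x.gif ', which Windows would normalize.
    if os.path.splitext(untrusted_name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("unexpected file extension")
    base = Path(cache_dir).resolve()
    target = (base / untrusted_name).resolve()
    # Final containment check after symlinks and '..' have been resolved.
    if target.parent != base:
        raise ValueError("resolved path escapes the cache directory")
    return target
```

Both checks are needed together: the source check alone still trusts whatever filename arrives, and the filename check alone still stores content from any sender-chosen server.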
The second vulnerability, tracked as CVE-2020-6110, is a remote code execution flaw that resides in the way the Zoom application processes code snippets shared through the chat.