Zooming in on Zero-click Exploits
This page covers two vulnerabilities in Zoom: a buffer overflow that affected both Multi-Media Router (MMR) servers and clients, and an information leak that affected only MMR servers. Both issues were found in load_from() methods of the serialization classes that parse Real-time Transport Protocol (RTP) audio/video content.
Buffer Overflow
Various load_from() methods allocated a buffer for a string based on the str_len read from the packet, but then called read_str_with_len(), which reads a string into that buffer using a length of its own and ignores the size that was allocated. An attacker could therefore send a malformed packet whose allocation size is smaller than the string it carries, producing a buffer overflow with attacker-controlled size.
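The length mismatch described above, as an added example that is not Zoom's code or the original write-up's: a toy packet with two length fields (one drives the allocation, one drives the copy) parsed by a vulnerable load_from() beside a hardened one. The packet layout, the toy heap with a neighbouring object placed right after the allocation, and the function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packet layout assumed for this example (not Zoom's real wire format):
 *   [u16 alloc_len][u16 str_len][str_len bytes]
 * Two separate lengths model the bug: one drives the allocation in
 * load_from(), the other drives the copy in read_str_with_len(). */

/* Toy heap: a 16-byte slot at offset 0 with a neighbouring object right
 * after it, the way malloc hands out adjacent chunks. It is 64 KiB so any
 * u16 length stays inside it and the demo never touches memory it does not own. */
#define SLOT_SIZE    16
#define NEIGHBOR_OFF SLOT_SIZE
static unsigned char heap[1u << 16];

static void heap_reset(void) {
    memset(heap, 0, sizeof heap);
    memcpy(heap + NEIGHBOR_OFF, "NEIGHBOR", 8);   /* the adjacent object */
}

/* Stand-in for malloc(): the slot can hold at most SLOT_SIZE bytes. */
static unsigned char *heap_alloc(size_t n) {
    return n <= SLOT_SIZE ? heap : NULL;
}

static uint16_t rd16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The buggy helper: copies str_len bytes and knows nothing about the buffer size. */
static void read_str_with_len(unsigned char *dst, const unsigned char *src, uint16_t str_len) {
    memcpy(dst, src, str_len);
}

/* Vulnerable load_from(): the allocation is sized from one field, the copy
 * from another. Returns bytes copied, or -1 if the packet is truncated or
 * the allocation fails. */
static int vuln_load_from(const unsigned char *pkt, size_t pkt_len) {
    if (pkt_len < 4) return -1;
    uint16_t alloc_len = rd16(pkt), str_len = rd16(pkt + 2);
    if (pkt_len < 4 + (size_t)str_len) return -1;
    unsigned char *buf = heap_alloc(alloc_len);
    if (!buf) return -1;
    read_str_with_len(buf, pkt + 4, str_len);   /* BUG: str_len may exceed alloc_len */
    return str_len;
}

/* Hardened load_from(): the copy length is checked against the allocation
 * before any byte is written; a mismatch rejects the packet. */
static int safe_load_from(const unsigned char *pkt, size_t pkt_len) {
    if (pkt_len < 4) return -1;
    uint16_t alloc_len = rd16(pkt), str_len = rd16(pkt + 2);
    if (str_len > alloc_len) return -1;
    if (pkt_len < 4 + (size_t)str_len) return -1;
    unsigned char *buf = heap_alloc(alloc_len);
    if (!buf) return -1;
    read_str_with_len(buf, pkt + 4, str_len);
    return str_len;
}

static int neighbor_intact(void) {
    return memcmp(heap + NEIGHBOR_OFF, "NEIGHBOR", 8) == 0;
}

/* Constructed packets. The malformed one claims an 8-byte allocation but
 * carries 24 bytes, so 8 bytes land in the neighbouring object. */
static const unsigned char malformed[4 + 24] = { 8, 0, 24, 0,
    'A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A' };
static const unsigned char wellformed[4 + 8] = { 8, 0, 8, 0,
    'B','B','B','B','B','B','B','B' };

typedef int (*load_fn)(const unsigned char *, size_t);

/* Runs one parser on a fresh heap and returns its result. */
static int load_result(load_fn load, const unsigned char *pkt, size_t pkt_len) {
    heap_reset();
    return load(pkt, pkt_len);
}

/* Runs one parser on the malformed packet and reports whether the neighbour survived. */
static int neighbor_survives(load_fn load) {
    load_result(load, malformed, sizeof malformed);
    return neighbor_intact();
}

int main(void) {
    int r = load_result(vuln_load_from, malformed, sizeof malformed);
    printf("vulnerable: copied %d bytes, neighbour intact: %d\n", r, neighbor_intact());
    r = load_result(safe_load_from, malformed, sizeof malformed);
    printf("hardened:   result %d, neighbour intact: %d\n", r, neighbor_intact());
    return 0;
}
```

The hardened variant keeps the same two-field packet on purpose: the point is that whatever length the copy routine uses must be bounded by the length the allocation used, not that the packet format itself is wrong. A stricter parser would carry a single length and size both operations from it.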
Uninitialized Read / Infoleak
The MMR server's load_from() deserialized an object containing an optional properties table that mapped name strings to variant objects. Some of these variants were byte arrays that were then converted to strings, but several code paths never checked whether those byte arrays were null-terminated. One such path handled the user_name property: by sending a user_name without a null terminator, an attacker could leak uninitialized memory, which then showed up in the user name displayed in the browser.
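The unterminated user_name case, as an added example that is not Zoom's code or the original write-up's: a byte-array variant is copied into a fixed user_name field that still holds stale bytes from a previous use of the same chunk, and the rendered name carries those bytes along. The properties-table shape, the object layout, the stale contents and the function names are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed shapes for this example (not Zoom's real structures): a properties
 * table is an array of name -> byte-array entries, and the deserialized
 * object stores user_name in a fixed-size field. */
#define NAME_MAX 32

typedef struct {
    const char *name;
    const unsigned char *bytes;   /* byte-array variant */
    size_t len;
} prop_t;

typedef struct {
    char user_name[NAME_MAX];
} mmr_obj_t;

/* Simulates allocating the object from a recycled heap chunk whose previous
 * contents were never cleared. The stale data is constructed for the demo. */
static void obj_from_recycled_chunk(mmr_obj_t *o) {
    static const char stale[] = "user:bob;token=c0ffee";
    memset(o, 0, sizeof *o);
    memcpy(o->user_name, stale, sizeof stale);
}

static const prop_t *find_prop(const prop_t *table, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}

/* Vulnerable: copies the byte array as if it were a string without checking
 * that it carries a terminator. Whatever followed in the chunk becomes part
 * of the "string". */
static int vuln_set_user_name(mmr_obj_t *o, const prop_t *table, size_t n) {
    const prop_t *p = find_prop(table, n, "user_name");
    if (!p || p->len > NAME_MAX) return -1;
    memcpy(o->user_name, p->bytes, p->len);
    return 0;
}

/* Hardened: the byte array must contain a NUL within its own length before
 * it is treated as a string; otherwise the packet is rejected. */
static int safe_set_user_name(mmr_obj_t *o, const prop_t *table, size_t n) {
    const prop_t *p = find_prop(table, n, "user_name");
    if (!p || p->len == 0 || p->len > NAME_MAX) return -1;
    if (memchr(p->bytes, 0, p->len) == NULL) return -1;   /* unterminated */
    memcpy(o->user_name, p->bytes, p->len);
    return 0;
}

/* What the browser would display: the field read up to its first NUL. The
 * read is bounded by the field size so the demo itself stays in bounds. */
static const char *render_user_name(const mmr_obj_t *o, char *out, size_t out_sz) {
    size_t n = 0;
    while (n < NAME_MAX && n + 1 < out_sz && o->user_name[n] != '\0') {
        out[n] = o->user_name[n];
        n++;
    }
    out[n] = '\0';
    return out;
}

/* Constructed inputs: "alice" without and with a terminator. */
static const unsigned char name_unterminated[5] = {'a','l','i','c','e'};
static const unsigned char name_terminated[6]   = {'a','l','i','c','e','\0'};

typedef int (*setter_fn)(mmr_obj_t *, const prop_t *, size_t);

/* Runs one setter on a recycled object and returns the rendered name, or
 * NULL when the setter rejected the input. */
static const char *rendered_name(setter_fn set, const unsigned char *bytes, size_t len) {
    static char out[NAME_MAX + 1];
    prop_t table[1] = { { "user_name", bytes, len } };
    mmr_obj_t o;
    obj_from_recycled_chunk(&o);
    if (set(&o, table, 1) != 0) return NULL;
    return render_user_name(&o, out, sizeof out);
}

int main(void) {
    const char *v = rendered_name(vuln_set_user_name, name_unterminated, sizeof name_unterminated);
    printf("vulnerable, unterminated: \"%s\"\n", v);
    const char *s = rendered_name(safe_set_user_name, name_unterminated, sizeof name_unterminated);
    printf("hardened,   unterminated: %s\n", s ? s : "(rejected)");
    const char *t = rendered_name(safe_set_user_name, name_terminated, sizeof name_terminated);
    printf("hardened,   terminated:   \"%s\"\n", t);
    return 0;
}
```

The vulnerable path renders "alicebob;token=c0ffee": the five supplied bytes followed by whatever the chunk held before, which is exactly the shape of leak the page describes. Rejecting unterminated arrays is one fix; an alternative with the same effect is to copy at most len bytes and always write the terminator yourself, so the string never depends on the chunk's previous contents.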