A researcher has found a way for an attacker to use the Mac version of Zoom to gain full access to the entire operating system.
Patrick Wardle, a Mac security specialist, released details of the exploit in a presentation at the Black Hat conference. Although some of the bugs have been fixed, the researcher presented one vulnerability that remains unpatched and still affects systems.
Installing or removing the main application from a computer requires a special user permission: the user has to enter their password first. Wardle discovered that the auto-update function, which runs in the background, operates with super user privileges.
A privilege escalation attack
The updater would install a new package once it had verified that the package was signed by Zoom. A bug in how the check was implemented meant that any file bearing the same name as Zoom's signing certificate was enough to pass the test.
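The flaw described above, a trust decision made on a name rather than on a verified signature, is easiest to see side by side with the corrected check. The following is an added example written for this page; it is not Zoom's code or Wardle's. It builds two small "packages" in a temporary directory: a genuine one carrying a valid signature over its bytes, and an impostor that merely reuses the trusted signer's name. The signer name, the key and the package format are all constructed, and HMAC-SHA256 stands in for a real code-signing scheme (which would use an asymmetric key pair and a certificate chain) only so the example runs offline.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. A real code-signing scheme uses an asymmetric key pair and a
# certificate chain; HMAC-SHA256 stands in here only so the example runs offline.
SIGNING_KEY = b"constructed-demo-signing-key"
# Hypothetical name of the vendor's signing certificate.
TRUSTED_SIGNER = "Example Vendor Release Signing"


def build_package(directory, payload, signer, key=None):
    """Write a package payload plus a metadata file that names the signer and
    carries a signature over the payload (empty when no key is supplied)."""
    os.makedirs(directory, exist_ok=True)
    pkg = os.path.join(directory, "update.pkg")
    with open(pkg, "wb") as f:
        f.write(payload)
    signature = hmac.new(key, payload, hashlib.sha256).hexdigest() if key else ""
    with open(pkg + ".meta.json", "w") as f:
        json.dump({"signer": signer, "signature": signature}, f)
    return pkg


def _load_meta(pkg):
    with open(pkg + ".meta.json") as f:
        return json.load(f)


def naive_check(pkg):
    """The flawed pattern: trust is decided by a name match alone."""
    return _load_meta(pkg)["signer"] == TRUSTED_SIGNER


def strict_check(pkg):
    """The corrected pattern: the name must match AND the signature must verify
    over the exact bytes that will be installed."""
    meta = _load_meta(pkg)
    if meta["signer"] != TRUSTED_SIGNER:
        return False
    with open(pkg, "rb") as f:
        payload = f.read()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, meta["signature"])


def demo():
    """Run both checks against a genuine package and an impostor that merely
    reuses the trusted signer's name. Returns {name: (naive, strict)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        genuine = build_package(os.path.join(d, "genuine"),
                                b"constructed vendor payload",
                                TRUSTED_SIGNER, SIGNING_KEY)
        impostor = build_package(os.path.join(d, "impostor"),
                                 b"constructed unsigned payload",
                                 TRUSTED_SIGNER)
        for name, pkg in (("genuine", genuine), ("impostor", impostor)):
            results[name] = (naive_check(pkg), strict_check(pkg))
    return results


if __name__ == "__main__":
    for name, (naive, strict) in demo().items():
        print(f"{name}: naive={naive} strict={strict}")
```

The impostor passes the naive check and fails the strict one. The point for a defender reviewing an updater is that the verdict must be bound to the bytes that get installed, not to a name, a path or a string in a tool's output.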
A privilege escalation attack is one in which an attacker gains initial access to a system and then uses an exploit to obtain a higher level of access. The attacker begins with a restricted user account and progresses to the most powerful user type, known as a "super user" or "root", which allows them to add, remove, or modify any files on the machine.
Wardle is the founder of the Objective-See Foundation. At Black Hat he also spoke about the unauthorized use of his open-source security software by for-profit companies.
“It was really frustrating to wait ... six, seven, eight months”
Wardle disclosed the vulnerability in December of last year. He waited eight months before publishing the research, frustrated that, by then, the vulnerability was still exploitable in a slightly more roundabout way.
In a call before the talk, Wardle said that it was problematic because he had reported the bugs and made mistakes. It was really frustrating to know that all Mac versions of Zoom were vulnerable.
The bugs that Wardle discovered were fixed a few weeks before the event, but the vulnerability remained exploitable because of another small mistake.
The package to be installed is moved into a directory owned by the root user. A user without root permission cannot add, remove, or modify files in that directory. However, when a file is moved there from another location, it retains the read-write permissions it had before, so it can still be changed by a regular user. A malicious user can therefore swap the contents of that file for a file of their own choosing and have it run as root.
Wardle says the bug is easy to fix and that he hopes the company will take care of it sooner rather than later.
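The remaining mistake the article describes, that moving a file into a root-owned directory does not change the file's own permissions, can be reproduced without root in a temporary directory. The following is an added example written for this page, not code from Zoom or from Wardle. It stages a constructed, world-writable package two ways: by renaming it into a protected directory (the pattern the article describes), and by creating a fresh, restrictively-moded copy there. A hypothetical pre-install check, safe_to_install, then shows which staged file an updater should refuse to act on. Directory names and the package contents are constructed.

```python
import os
import shutil
import stat
import tempfile

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def file_mode(path):
    """Permission bits of a file, e.g. 0o666."""
    return stat.S_IMODE(os.stat(path).st_mode)


def safe_to_install(path):
    """Hypothetical pre-install check an updater should run on the staged package:
    it must be owned by the installing user (root in the real updater) and not be
    writable by group or others, otherwise another user could still rewrite it."""
    st = os.stat(path)
    if st.st_uid != os.geteuid():
        return False
    return not (stat.S_IMODE(st.st_mode) & GROUP_OR_OTHER_WRITE)


def move_into_staging(src, staging_dir):
    """The pattern the article describes: a rename keeps the same inode, so the
    file keeps the owner and mode it had in the user's directory. A protected
    parent directory does nothing to protect the file's contents."""
    dst = os.path.join(staging_dir, os.path.basename(src))
    os.rename(src, dst)
    return dst


def copy_into_staging(src, staging_dir):
    """Hardened variant: create a fresh file owned by the installer with a
    restrictive mode, then copy the bytes in. Any later signature check must
    run on this copy, not on the user-controlled original."""
    dst = os.path.join(staging_dir, os.path.basename(src))
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    os.chmod(dst, 0o644)  # explicit, so the result does not depend on umask
    return dst


def demo():
    """Stage the same constructed package both ways; report mode and verdict."""
    with tempfile.TemporaryDirectory() as d:
        downloads = os.path.join(d, "user_downloads")
        staging_moved = os.path.join(d, "staging_moved")
        staging_copied = os.path.join(d, "staging_copied")
        for path in (downloads, staging_moved, staging_copied):
            os.makedirs(path, mode=0o755)

        src = os.path.join(downloads, "update.pkg")
        with open(src, "wb") as f:
            f.write(b"constructed package bytes")
        os.chmod(src, 0o666)  # a file the regular user left writable by everyone

        moved = move_into_staging(src, staging_moved)
        moved_mode, moved_safe = file_mode(moved), safe_to_install(moved)

        # The original was moved away; re-create it for the copy path.
        with open(src, "wb") as f:
            f.write(b"constructed package bytes")
        os.chmod(src, 0o666)
        copied = copy_into_staging(src, staging_copied)
        copied_mode, copied_safe = file_mode(copied), safe_to_install(copied)

    return {"moved_mode": moved_mode, "moved_safe": moved_safe,
            "copied_mode": copied_mode, "copied_safe": copied_safe}


if __name__ == "__main__":
    r = demo()
    print(f"moved:  mode={oct(r['moved_mode'])} safe_to_install={r['moved_safe']}")
    print(f"copied: mode={oct(r['copied_mode'])} safe_to_install={r['copied_safe']}")
```

The moved file keeps mode 0o666 inside the protected directory and is rejected; the copied file is 0o644 and accepted. The ownership and mode check is necessary but not sufficient on its own: the window closes only if the updater verifies and installs the private copy it created, so that nothing a regular user can still write to is ever what runs as root.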
At the time of publication, Zoom had not responded.