
Zoom vulnerability and remediation script

Zoom is a popular video conferencing suite which is used by a number of shops because it provides a consistent cross-platform experience. Recently, it was discovered that Zoom was setting up a local webserver process. This capability enabled Zoom’s client to be launched in response to clicking a URL, but it also potentially allowed someone to be forcibly connected to a Zoom call with their video camera active. This issue has been assigned the following CVE identifier:

CVE-2019-13450: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450


Update: 7-11-2019 – Apple has released an update to remove the Zoom web server from all Macs. This update deploys silently and does not require user interaction. For more details, please see Zoom’s July 10th blog post: https://blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/


Once this vulnerability was widely publicized, Zoom responded with an updated version of their Zoom client for macOS which removes the local webserver and also allows users to manually uninstall the Zoom client. They also provided the following manual remediation instructions:


pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;


I’ve taken those commands and used them to build a script to address the vulnerabilities described in CVE-2019-13450. For more details, please see below the jump.

The script is available below and on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/fix_zoom_vulnerability

This script is also available as a payload-free package on my GitHub repo, available for download from the payload_free_package directory available from the link above.


#!/bin/bash
# The script is designed to address the Zoom vulnerabilities described in CVE-2019-13450:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450
#
# In the Zoom Client through 4.4.4, RingCentral 7.0.136380.0312 and Zhumu 4.2.137102.0612 on macOS,
# remote attackers can force a user to join a video call with the video camera active.
# This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424.
#
# NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled.
# Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server,
# deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
#
# The script performs the following actions:
#
# Stops the ZoomOpener, RingCentralOpener and ZhumuOpener processes for the logged-in user.
#
# Sets /Library/Preferences/us.zoom.config.plist to disable Zoom video auto-connection.
#
# Checks the existing user folders in /Users for the presence of the Library/Preferences directory.
# Once the Library/Preferences directory is located, the script sets the individual user's
# ~/Library/Preferences/us.zoom.config.plist to disable Zoom video auto-connection.
#
# Next, the script checks for the presence of the .zoomus, .ringcentralopener
# and .zhumuopener directories in users' home folders.
# If these directories are detected, the following actions take place:
#
# If present, the .zoomus directory is deleted.
# A file named .zoomus is created.
# The .zoomus file is set to be unreadable and unwritable.
# The .zoomus file is set to be owned by the owner of the home folder.
#
# If present, the .ringcentralopener directory is deleted.
# A file named .ringcentralopener is created.
# The .ringcentralopener file is set to be unreadable and unwritable.
# The .ringcentralopener file is set to be owned by the owner of the home folder.
#
# If present, the .zhumuopener directory is deleted.
# A file named .zhumuopener is created.
# The .zhumuopener file is set to be unreadable and unwritable.
# The .zhumuopener file is set to be owned by the owner of the home folder.

# Checks to see if any user accounts are currently logged into the console (AKA logged into the GUI via the OS loginwindow)
users_logged_in_at_loginwindow=$(who | grep console)

# If a user is logged in, stop the existing ZoomOpener, RingCentralOpener, and
# ZhumuOpener processes for the logged-in user.
if [[ -n "$users_logged_in_at_loginwindow" ]]; then
    # Identify the logged-in user
    logged_in_user=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    # Identify the UID of the logged-in user
    logged_in_user_uid=$(id -u "$logged_in_user")
    # launchctl asuser runs each pkill in the logged-in user's bootstrap context
    /bin/launchctl asuser "$logged_in_user_uid" /usr/bin/pkill "ZoomOpener"
    /bin/launchctl asuser "$logged_in_user_uid" /usr/bin/pkill "RingCentralOpener"
    /bin/launchctl asuser "$logged_in_user_uid" /usr/bin/pkill "ZhumuOpener"
else
    echo "No user accounts are logged in at the login window."
fi

# Applies setting to /Library/Preferences/us.zoom.config.plist to
# prevent Zoom from auto-connecting to video request.
/usr/bin/defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# This function applies the deletion, creation and ownership changes for the
# .zoomus, .ringcentralopener and .zhumuopener directories.
# Arguments: home folder path, owner of the home folder, name of the directory to replace.
StopZoomWebServer () {
    local user_home="$1"
    local user_owner="$2"
    local opener_dir="$3"
    if [[ -d "${user_home}/${opener_dir}" ]]; then
        /bin/rm -rf "${user_home}/${opener_dir}"
        /usr/bin/touch "${user_home}/${opener_dir}"
        /bin/chmod 000 "${user_home}/${opener_dir}"
        /usr/sbin/chown "${user_owner}" "${user_home}/${opener_dir}"
    fi
}

for USER_HOME in /Users/*
do
    # The home folder's name is used as the account name that owns the files written below.
    USER_UID=$(basename "${USER_HOME}")
    if [ "${USER_UID}" != "Shared" ]; then
        if [[ -d "${USER_HOME}"/Library/Preferences ]]; then
            /usr/bin/defaults write "${USER_HOME}"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
            /usr/sbin/chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/us.zoom.config.plist
        fi
        StopZoomWebServer "${USER_HOME}" "${USER_UID}" ".zoomus"
        StopZoomWebServer "${USER_HOME}" "${USER_UID}" ".ringcentralopener"
        StopZoomWebServer "${USER_HOME}" "${USER_UID}" ".zhumuopener"
    fi
done
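To confirm that the remediation above actually took on a Mac (and to catch the case the CVE text warns about, where an uninstalled client leaves the web server state in place), here is an added audit script. It is example code written for this page, not part of the original post or of the rtrouton_scripts repository; the file name zoom_audit.sh, the --audit flag and all function names are this example's own. It only reads state and reports, it changes nothing. The file checks are portable, so they can be exercised against a scratch directory on any POSIX system; the preference, process and port checks rely on defaults(1), pgrep and lsof and are skipped where those are absent.

```shell
#!/bin/bash
# zoom_audit.sh (hypothetical name): read-only audit of the CVE-2019-13450 remediation state.
# Added example, not part of the original post or the rtrouton_scripts repo.
# Usage on macOS:  sudo bash zoom_audit.sh --audit

# file_mode PATH -> prints the octal permission bits (GNU stat on Linux, BSD stat on macOS)
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# opener_blocked HOME NAME -> 0 when HOME/NAME is the mode-000 plain file the remediation
# leaves behind; 1 when it is still a directory, absent, or readable/writable.
opener_blocked() {
    path="$1/$2"
    [ -d "$path" ] && return 1    # directory still present: web server state was not removed
    [ -f "$path" ] || return 1    # nothing there: an uninstalled client leaves the host vulnerable
    mode=$(file_mode "$path")
    [ "$mode" = "0" ] || [ "$mode" = "000" ]
}

# video_pref_disabled HOME -> 0 if HOME/Library/Preferences/us.zoom.config.plist has
# ZDisableVideo = 1, 1 otherwise, 2 when defaults(1) is unavailable (not on macOS)
video_pref_disabled() {
    command -v defaults >/dev/null 2>&1 || return 2
    value=$(defaults read "$1/Library/Preferences/us.zoom.config.plist" ZDisableVideo 2>/dev/null)
    [ "$value" = "1" ]
}

# running_openers -> 0 when none of the local web server processes is running, 1 otherwise
# (same substring match on the process name that the remediation's pkill uses)
running_openers() {
    found=0
    for proc in ZoomOpener RingCentralOpener ZhumuOpener; do
        if pgrep "$proc" >/dev/null 2>&1; then
            echo "FAIL  $proc is still running"
            found=1
        fi
    done
    return "$found"
}

# listening_ports -> 0 when nothing listens on the two localhost ports named in the CVE,
# 1 when something does, 2 when lsof is unavailable. Run as root to see every user's sockets.
listening_ports() {
    command -v lsof >/dev/null 2>&1 || return 2
    found=0
    for port in 19421 19424; do
        if lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1; then
            echo "FAIL  a process is listening on TCP port $port"
            found=1
        fi
    done
    return "$found"
}

# audit_home HOME -> prints one line per check; returns the number of failed checks (0 = remediated)
audit_home() {
    home="$1"
    failures=0
    for name in .zoomus .ringcentralopener .zhumuopener; do
        if opener_blocked "$home" "$name"; then
            echo "ok    $home/$name is a mode-000 blocker file"
        else
            echo "FAIL  $home/$name is not a mode-000 blocker file"
            failures=$((failures + 1))
        fi
    done
    video_pref_disabled "$home" && pref_rc=0 || pref_rc=$?
    case "$pref_rc" in
        0) echo "ok    ZDisableVideo=1 is set for $home" ;;
        2) echo "skip  defaults(1) not available; preference not checked" ;;
        *) echo "FAIL  ZDisableVideo is not set to 1 for $home"
           failures=$((failures + 1)) ;;
    esac
    return "$failures"
}

# Whole-machine audit; only runs when invoked with --audit so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    overall=0
    for home in /Users/*; do
        [ "$(basename "$home")" = "Shared" ] && continue
        audit_home "$home" || overall=1
    done
    running_openers || overall=1
    listening_ports || [ $? -eq 2 ] || overall=1
    exit "$overall"
fi
```

The exit status is non-zero whenever any check fails, so the script can be pushed through a management tool and the result collected per Mac. The ZDisableVideo line also shows which machines still carry that preference, which is useful for tracking the side effect reported in the comments below, where users could no longer turn video on voluntarily.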

  1. Brian
    July 10, 2019 at 4:29 pm

    Amazing Rich. I was just dealing with this today. Thank you for all you do.

  2. Danielle
    July 11, 2019 at 12:06 pm

    I’ve noticed running the update will also remove the issues. Does anyone have a script to force an update of Zoom?

  3. July 11, 2019 at 1:48 pm

    Hi Rich,

    thank you as always for your great work.

    This might be a bug or a feature, but if we start the zoom.us.app from a Zoom-Meeting link via Outlook, the session starts without video (which is the behaviour we want, thx to your script) – but it’s not possible to activate the video anymore …

    Do you see this in your environment too?

  4. Bucky
    August 14, 2019 at 11:56 am

    We’re seeing the same issue as Marcel: sessions start without video as desired, but users cannot activate the video voluntarily.

    • August 14, 2019 at 12:24 pm

      As a workaround we advised all users not to click the direct link inside Outlook but to copy and paste the link into the zoom.app – this way it seems to be possible to activate the video later …
