A pair of security researchers at the virtual Pwn2Own hacking contest Wednesday exploited a combination of three individual zero-day bugs in the Zoom client to show how attackers could gain complete remote control of any PC or notebook computer on which the video communications software is installed.
The exploit came barely a day after another researcher at Pwn2Own demonstrated code execution on Microsoft Teams, which, like Zoom, has seen a surge in use since the global COVID-19 pandemic forced an increase in remote work at many organizations. The two exploits — and several others against Microsoft Exchange Server, Windows 10, and other technologies — have served as a further reminder of just how vulnerable some core enterprise software and communication products are to modern attacks.
"One of the biggest trends we see is that the participants continue to evolve and adapt to the targets," says Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, which organizes the event each year. "Even as vendors make exploitation more difficult, contestants find a path to win."
The Zoom exploit garnered security researchers Daan Keuper and Thijs Alkemade of Dutch firm Computest Security an award of $200,000 and 20 so-called Master of Pwn points. Their exploit involved chaining together three bugs in the Zoom messenger client to gain code execution on a target system, without the user having to click or do anything. A Computest statement describes the exploit as giving the two researchers control to execute actions on the device running the Zoom client, such as turning on the camera and microphone, reading emails and screen content, and downloading browser history. All of the actions could be taken without the user having to do anything or even noticing the activity.
Unlike previously disclosed vulnerabilities in the Zoom app that mostly allowed for attackers to snoop on video calls, the newly discovered ones are more serious because they give threat actors a way to take over the entire system, Computest said.
A Zoom spokesman Friday acknowledged the issue in the Zoom Chat group messaging product and said the company is currently working on its mitigation. In a statement, the spokesman said the attack demonstrated by the Computest researchers would need to originate from an accepted external contact or be part of the target's same organizational account.
"As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust," the statement noted. "If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."
The Zoom exploit was one of several high-profile exploits at a Pwn2Own event where some $1.5 million is up for grabs to security researchers who can find and demonstrate exploitable vulnerabilities in a selected list of products across seven categories. Target products included Microsoft Exchange Server and SharePoint under the server category; Teams and Zoom in the enterprise communications section; Microsoft Edge, Google Chrome, and Apple Safari in the browser category; and Adobe Reader and Microsoft Office 365 ProPlus under the enterprise applications category. In a sign of the times, Tesla's Model 3 car was also one of the targets available to researchers.
The annual Pwn2Own contest was launched in 2007 and is part of the CanSecWest security conference. Over the years, the event has become a venue for some of the top white-hat hackers in the world to congregate and take a crack at widely used and popular technologies. The event has become a security proving ground of sorts for technology vendors and has been useful in helping them identify and close vulnerabilities they might have missed themselves. The organizers of Pwn2Own give vendors 90 days to fix vulnerabilities that are disclosed to them at the event.
"The contest has certainly grown and expanded over the last few years," Gorenc says. "We've added categories for automobiles and enterprise communications while maintaining traditional targets like Web browsers and operating systems."
In the first two days of the three-day contest, security researchers from around the world punched holes in multiple widely used technologies and raked in tens of thousands of dollars in the process.
Jack Dates of RET2 Systems won $100,000 for exploiting an integer overflow error in Apple Safari and an out-of-bounds write issue to get kernel-level code execution. He picked up another $40,000 for combining three vulnerabilities in the Parallels Desktop virtualization software for Apple Macs to execute code on the underlying OS.
Dates' Parallels Desktop exploit was one of two that involved the virtualization technology at this year's Pwn2Own. On Thursday, security researcher Benjamin McBride of L3Harris Trenchant used a memory corruption bug in Parallels Desktop to escape the virtualization layer and execute code on the underlying OS. Like Dates, McBride earned $40,000 for his effort.
Researchers at DEVCORE Security Consulting, meanwhile, picked up $200,000 for showing how attackers could completely take over a Microsoft Exchange server by combining an authentication bypass vulnerability with a local privilege escalation issue in the technology. The discovery is sure to add to the already high concerns around Exchange server prompted by the recent disclosure of four critical zero-day bugs in the technology.
Independent security researcher OV demonstrated code execution on Microsoft Teams by combining a pair of bugs and was paid $200,000 for the effort. A team from Viettel Cyber Security earned $40,000 for showing how attackers could take advantage of an integer overflow bug in Windows 10 to escalate privileges from a regular user to a user with system-level privileges.
Bruno Keith and Niklas Baumstark from Dataflow Security exploited Google Chrome renderer and Microsoft Edge using the same exploit against both browser technologies and netted $100,000 as a reward for their work.
"The biggest takeaway so far is just the breadth of talent that comes to the competition," Gorenc says. "It's great to see the current art of exploitation in action against a variety of targets."
The exploits targeting Microsoft Exchange, Teams, and Zoom have been the most significant so far, he says.
"We've already seen the impact Exchange bugs have on enterprises this year, so finding and fixing these bugs before they are used by attackers is huge," Gorenc notes.
Similarly, Microsoft Teams and Zoom are nearly ubiquitous, but there hasn't been a lot of research done on their security.
"Getting researchers to focus their interest here provides the vendors a great resource in resolving these vulnerabilities before they can be used by adversaries," Gorenc says.