Hacking the pandemic's most popular software: Zoom

Presented at May Contain Hackers (MCH2022), July 24, 2022, 5 p.m. (50 minutes)

Last year we won Pwn2Own by demonstrating remote code execution, using a chain of three vulnerabilities, on the then latest version of the Zoom client. In this talk we would like to share all details of the vulnerabilities we found and how we combined them into a fully working exploit.

When the pandemic required everyone to work from home, we saw a huge growth on the video conferencing market. It was this movement that made the organisation behind the world famous Pwn2Own competition decide to add an 'Enterprise Communications' category to last year’s competition. Everyone who was able to successfully demonstrate a zero-day attack against Zoom or Microsoft Teams would be rewarded $200,000. We decided to take them up on this challenge and started researching Zoom. This resulted in a working remote exploit against the at the time latest version of Zoom that would give the attacker full control over the victim’s system (CVE-2021-34407).

During this talk, we will walk you through how we started our research, explain the vulnerabilities that were found and finally how those vulnerabilities were incorporated into the exploit that successfully performed the attack during the contest.

Presenters:

• Daan Keuper
  Daan Keuper is the head of security research at Computest. This division is responsible for advanced security research on commonly used systems and environments. Daan participated three times in the internationally known Pwn2Own competition by demonstrating zero-day attacks against the iPhone, Zoom and multiple ICS applications. In addition Daan did research on internet connected cars, in which several vulnerabilities were found in cars from the Volkswagen Group.
• Thijs Alkemade
  Thijs Alkemade ([@xnyhps](https://twitter.com/xnyhps)) works at the security research division of at Computest. This division is responsible for advanced security research on commonly used systems and environments. Thijs has won Pwn2Own twice, by demonstrating a zero-day attack against Zoom at Pwn2Own Vancouver 2021 and by demonstrating multiple exploits in ICS systems at Pwn2Own Miami 2022. In previous research he demonstrated several attacks against the macOS and iOS operating systems. He has a background in both mathematics and computer science, which gives him a lot of experience with cryptography and programming language theory.

Links:

• https://program.mch2022.org/mch2021-2020/talk/QVXXUP/

Similar Presentations:

• DEF CON 30 (2022) / You’re <strike>Muted</strike>Rooted
• May Contain Hackers (MCH2022) / ICS stands for Insecure Control Systems
• REcon 2022 / Zooming in on Zero-click Exploits