Zoom Exploit

mlr
New Contributor II

For those of you who wake up to Zoom Exploit news.

You can set ZoomOpener.app as a Restricted Software.

Kill Process
Restrict to exact process name
Kill Process.

I would not recommend turning on Send Email or Message to the user.8901e851a56e4bb5a97b1b5e685d1957

103 REPLIES 103

mlr
New Contributor II

Info about the exploit here:
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Mac Chrome users can also reset Chrome to no open up Zoom automatically however its a little painful:
Directions here: https://lifehacker.com/reset-chrome-to-stop-automatically-opening-apps-1820404423

I changed {"zoommtg":false} to {"zoommtg":true} and saved. It now prompts to open Zoom again.

Charliejames91
New Contributor II

Yep just actioned the above, also added zoom.us.app to restrictions

landon_Starr
Contributor

It seems Zoom gets hit by the bad news bug every six months or so.

zbennis
New Contributor

In case anyone is looking for an automated/deployable way of executing the commands recommended on the blog post. Meant to be run as root; global defaults command will fail if non-admin.

#!/bin/bash

# Disable auto-video on Zoom
# For just your local account
user=`stat -f "%Su" /dev/console`
defaults write "$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# Delete webserver
zoompid=`lsof -ti :19421`
kill -9 "$zoompid"
rm -rf "$user"/.zoomus
touch "$user"/.zoomus

jwojda
Valued Contributor II

is deleting the webserver critical? I thought i saw it would just reinstall itself?

AdamCraig
Contributor III

added a little logic to @zbennis script so it doesn't error out if it doesn't find the PID

#!/bin/bash

# Disable auto-video on Zoom
# For just your local account
user=`stat -f "%Su" /dev/console`
defaults write "$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    kill -9 "$zoompid"
fi
rm -rf ~/.zoomus
touch ~/.zoomus

exit 0

jhatem
New Contributor II

Work in progress.

#!/bin/bash
# For all users on the machine
defaults write ~/Library/Preferences/us.zoom.xos.plist ZDisableVideo 1
defaults write ~/Library/Preferences/us.zoom.ringcentral.plist ZDisableVideo 1

#Kill Zoom Opener Apps
pkill "ZoomOpener"
pkill "RingCentralOpener"

#Remove Zoom Opener webservices
rm -rf ~/.zoomus
rm -rf ~/.ringcentralopener

#Create empty folders 
touch ~/.zoomus
touch ~/.ringcentralopener

exit

Editing to incorporate some of the feedback, thanks all. Not sure about the "Disable Video" for Ring Central but testing.

stevewood
Honored Contributor II
Honored Contributor II

@jhatem @zbennis @strayer

Are you seeing success with those defaults write commands? I'm testing on my machine, and that plist does not exist in either location, and if I put that plist in both locations it has no effect on the disable video pref.

Looking at files that are changed when making that pref change in Zoom, it looks like only the /Users/<user>/Library/Application Support/zoom.us/Data/zoomus.db file and /Users/<user>/Library/Preferences/us.zoom.xos.plist files are changed.

AdamCraig
Contributor III

@jhatem if you don't

touch ~/.zoomus

after you remove it then next time they open zoom up it will rebuild the same thing.

sdamiano
Contributor II

So I took the script for killing zoomopener and preventing it from being re-installed from the medium article and re-wrote it in a jamf compatible fashion.

# To prevent the vulnerable server from running on your machine
# (this does not impact Zoom functionality), run these two lines in your Terminal.

pkill "ZoomOpener"; rm -rf /Users/$3/.zoomus; touch /Users/$3/.zoomus && chmod 000 /Users/$3/.zoomus;

pkill "RingCentralOpener";  rm -rf /Users/$3/.ringcentralopener; touch /Users/$3/.ringcentralopener && chmod 000 /Users/$3/.ringcentralopener;

It is honestly just replacing ~ with /Users/$3/ but it gets the job done.

This does not prevent the folders from being modified if they do not already exist. Our company uses Zoom, so we all have this.

In regards to the automatically start video preference file, we need to discuss internally what the best course of action is as that would have a huge impact on our users.

edit: The reason why we would want to use a defaults write command to fix the don't start video automatically preference is that a plist would potentially override all of the other settings in the app, correct? Or has no one tested this method?

AdamCraig
Contributor III

@stevewood Gotta be honest, I haven't tested the preference portion of the script at all. We were much more concerned about the webserver chunk at the bottom. I was mostly just trusting @zbennis on the top chunk.

andrew_nicholas
Valued Contributor

@stevewood I've been seeing the same. Once I purge that zoomus.db file it seems to load the preferences correctly. Given this article from Zoom I was really hoping it would work with a config profile but no dice.

rmiguens
New Contributor

I am not seeing either of the defaults write commands work on a 10.13 machine. The checkbox does not get turned on to disable video. Haven't tried "sdamiano" solution yet.....

ryanlower
New Contributor II

I've tried each script in this thread and none of them has changed the setting to "turn off video" for me in testing. Has anyone had success with this and are you willing to share your script or the screenshots of the settings around the policy? I'm relatively new to this and could easily be making a simple mistake.

Thanks!

jhatem
New Contributor II

Thanks for the feedback. I'm seeing us.zoom.xos.plist as the right file to tweak. Also,

One more we may want to touch up? ~/Library/Preferences/us.zoom.ringcentral.plist I imagine this may have the same "video on" default?

andrew_nicholas
Valued Contributor

Just putting this together and it seems to set the preferences as expected.

#!/bin/bash
# Disable auto video and auto mic

currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Library/Application Support/zoom.us"

#Clear Out existing App Support DB
if [ -e "$zoomAppSupportPath" ]; then
    rm -rf "$zoomAppSupportPath"
fi

# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath"  ]; then
    rm -rf "$prefPath"
fi

# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"

# create the placeholder
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"


exit 0

hdsreid
Contributor III

Been playing with this all morning....I have a script that works for me so far, note that there is no error checking or anything.
Testing:
Install zoomus on computer
test PoC attack, make sure it auto joins and it binds to the 19421 port
Run script - nothing is bound to 19421 when running lsof
Open Zoom app check lsof - nothing running on 19421 still
Run the PoC exploit and Chrome displays a broken image and nothing launches on the machine

#!/bin/bash

#variable declarations###########
#################################
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')
zoomPID=$(sudo lsof -i :19421 | tail -n 1 | awk '{print $2}')
#################################


#################################
#disable webcam for all accounts#
#################################
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
#################################

#################################
#kill zoom server process########
#remove zoom server directory####
#create stub directory###########
#################################
sudo kill -9 $zoomPID
rm -rf /Users/$loggedInUser/.zoomus
pkill "ZoomOpener"; rm -rf /Users/$loggedInUser/.zoomus; touch /Users/$loggedInUser/.zoomus && chmod 000 /Users/$loggedInUser/.zoomus;

pkill "RingCentralOpener";  rm -rf /Users/$loggedInUser/.ringcentralopener; touch /Users/$loggedInUser/.ringcentralopener && chmod 000 /Users/$loggedInUser/.ringcentralopener;
##################################




exit 0

I have set it to run once per user per computer, however 95% of my machines are single user only. Not sure how that will impact some of your environments, but globally setting the webcam preference at least helps a bit

sdagley
Esteemed Contributor II

If you want an EA to tell you if the hidden ZoomOpener.app is installed on a machine here's something I adapted from @cdietrich's post to the #Security MacAdmins Slack channel:

#!/bin/bash

zoomFound="No"

for USER_HOME in /Users/*; do
  USER_UID=$(basename "${USER_HOME}")
  if [[ -d "${USER_HOME}/.zoomus/ZoomOpener.app" ]]; then
    zoomFound="Yes"
  fi
done

echo -e "<result>$zoomFound</result>"

delestor
New Contributor II

The plist file does not work. However, I have found this on the Zoom site that does. https://support.zoom.us/hc/en-us/articles/115001799006-Mass-Deployment-with-Preconfigured-Settings-for-Mac

There is a separate IT Admin installer that can be run in the same location as the plist file which will configure the disabled setting. I have tested successfully on a number of Macs in our environment. Interestingly enough it does not copy the plist file to the Preferences location (like their guide said it should) ... BUT it does work.

I'm still trying to figure out where it actually is saving the config setting. No luck on that yet.

AdamCraig
Contributor III

@andrew.nicholas I used the .plist chunk of your script with the kill pid section of my previous post and it worked successfully. I then changed the preferences back and flushed logs and it reset the preferences back for me.
this is what I ended up with

#!/bin/bash

# Disable auto-video on Zoom
# For just your local account
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Application Support/zoom.us"

#Clear Out existing App Support DB
if [ -e "$zoomAppSupportPath" ]; then
    rm -rf "$zoomAppSupportPath"
fi

# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath"  ]; then
    rm -rf "$prefPath"
fi

# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"

# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    kill -9 "$zoompid"
fi

# create the placeholder
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"

exit 0

EDIT: Fixed bottom section
EDIT: Fixed User direction.

andrew_nicholas
Valued Contributor

@strayer glad to hear it but you might want to address the bottom section of the script. It's still referencing the homedir of the account running the script.

sharriston
Contributor III

1d6e72815a8043ffbbd1b65148faf615
I made a custom preference profile to stop the webcam from joining automatically as well after running the terminal command from the medium post with the plist it generates.

andrew_nicholas
Valued Contributor

@sharriston Does the app actually honor the config? I tried the same and it would not.

sharriston
Contributor III

@andrew.nicholas So far it has been on all my coworkers machines. What I did was run this command

sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

then copied that plist into the custom preferences section of a config profile. I would make sure you ran the /Library version of the command and not the ~/Library, that was an issue someone else had with it.

andrew_nicholas
Valued Contributor

Yes the application is honoring the locally created preference file but is the custom configuration profile being honored on a machine that has not run the defaults write command?

sharriston
Contributor III

@andrew.nicholas I am seeing that on some older test machines as well.

jtrant
Valued Contributor

Has anyone found that setting ZDisableVideo in /Library/Preferences/us.zoom.config.plist disables video completely?
I'm seeing weird behavior in that the user can't click "Start Video" after joining a meeting.

ryanlower
New Contributor II

I had that experience @jtrant. Was resolved by a reinstall of the zoom app, but I'm unclear on why it happened or if I can expect it to happen when I roll out the fix to the larger group of users.

ageevarughese
New Contributor II

I've tried everything in this post, but nothing seems to work. Any other suggestions?

andrew_nicholas
Valued Contributor

@jtrant Looks that way. This whole thing has gotten to be a bit of a cluster to be honest as it seems no one has a truly great idea of the application management capabilities and the application itself seems to be a pandoras box of fun. According to a post in the similar thread on /r/sysadmin they will be releasing a patch by midnight tonight.

shaquir
Contributor III

Added this to my script to remove Zoom in the User's Application folder (~/Applications/)

#!/bin/sh
#Removes user downloaded Zoom
if [ -e /Users/*/Applications/zoom.us.app ]; then
rm -rf /Users/*/Applications/zoom.us.app
fi

#Remove .zoomus for all users

if [ -e /Users/*/.zoomus ]; then
rm -rf /Users/*/.zoomus
fi

jtrant
Valued Contributor

At least it's not just me.

sharriston
Contributor III

So through testing and a ton of help from the macadmins slack group the issue seems to be that if you have installed the public desktop version of zoom and run

defaults write /Library/Preferences/us.zoom.config.plist 1

The public version of zoom does not repect that plist, only the ITAdmin download of zoom will respect that plist. Now how do we figure out which version a user has.

bmee
Contributor

I'm in the same boat as @ageevarughese . Tried everything, and the video function is still enable. Upload the customer plist and same result.

Cloud it be disable via Zoom admin console?

jalbert
Contributor

Sorry if I missed this being mentioned already, but what about removing the right to the camera from Security and Privacy in System Preferences to not allow Zoom access to the camera?

delestor
New Contributor II

In addition to my last post - I've been able to use the composer application to create a new pkg file which you can then push out via Jamf. Confirmed working and not having the video issues mentioned above.

stevewood
Honored Contributor II
Honored Contributor II

@andrew.nicholas your bit to figure out the home dir is slightly off. Your missing /Users/ before the user name. You have:

currentUserHome=$( dscl . read "$currentUser" NFSHomeDirectory | awk '{print $2}')

Should be: currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')

Otherwise the variable is blank.

The road we are taking is to package up the Zoom IT Installer, along with the plist, drop into /tmp and then install that. We are scoping any machine with Zoom installed regardless of version. Kind of heavy handed, but it gets it done. And the postinstall script that does the installation also deletes the web server folder and creates a new folder that is locked:

#!/bin/bash
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')

/usr/sbin/installer -pkg /tmp/ZoomInstallerIT.pkg -target /

# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    kill -9 "$zoompid"
fi
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"
chmod 000 "$currentUserHome/.zoomus"

exit 0

We are also deploying a login script that will use Outset to run at every login to check for the web server, delete if present, and lock it. Basically using the last few lines of that postinstall script.

On top of that, we are pushing out the latest Outlook plug-in for users that have that installed.

A big thank you to all of you that did the leg work for me today. ;-)

jtrant
Valued Contributor

Update from Zoom just now is that a client with a fix for the web server is being released tonight, followed by another release July 12th with a fix for the default video settings.

ageevarughese
New Contributor II

@jalbert That will totally disable the camera and prevent users from using it when they need to use it.