
Zoom Exploit


  • New Contributor
  • 2 replies

For those of you who wake up to Zoom Exploit news.

You can set ZoomOpener.app as a Restricted Software.

Kill Process
Restrict to exact process name
Kill Process.

I would not recommend turning on Send Email or Message to the user.

103 replies

  • Author
  • New Contributor
  • 2 replies
  • July 9, 2019

Info about the exploit here:
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Mac Chrome users can also reset Chrome to not open up Zoom automatically, however it's a little painful.
Directions here: https://lifehacker.com/reset-chrome-to-stop-automatically-opening-apps-1820404423

I changed {"zoommtg":false} to {"zoommtg":true} and saved. It now prompts to open Zoom again.



Yep just actioned the above, also added zoom.us.app to restrictions



It seems Zoom gets hit by the bad news bug every six months or so.


  • New Contributor
  • 2 replies
  • July 9, 2019

In case anyone is looking for an automated/deployable way of executing the commands recommended on the blog post. Meant to be run as root; global defaults command will fail if non-admin.

#!/bin/bash

# Disable auto-video on Zoom
# For just your local account ($user is a username, so the home path needs the /Users prefix)
user=`stat -f "%Su" /dev/console`
defaults write /Users/"$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# Delete webserver (ZoomOpener listens on TCP port 19421)
zoompid=`lsof -ti :19421`
kill -9 "$zoompid"
# Replace the hidden directory with an empty file so the opener cannot be recreated there
rm -rf /Users/"$user"/.zoomus
touch /Users/"$user"/.zoomus

ImAMacGuy
  • Esteemed Contributor
  • 1310 replies
  • July 9, 2019

Is deleting the webserver critical? I thought I saw it would just reinstall itself?


  • Valued Contributor
  • 182 replies
  • July 9, 2019

Added a little logic to @zbennis script so it doesn't error out if it doesn't find the PID.

#!/bin/bash

# Disable auto-video on Zoom
# For just your local account ($user is a username, so the home path needs the /Users prefix)
user=`stat -f "%Su" /dev/console`
defaults write /Users/"$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# Delete webserver (ZoomOpener listens on TCP port 19421)
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    kill -9 "$zoompid"
fi
# Replace the hidden directory with an empty file in the console user's home, not the
# home of the account running the script
rm -rf /Users/"$user"/.zoomus
touch /Users/"$user"/.zoomus

exit 0

  • New Contributor
  • 6 replies
  • July 9, 2019

Work in progress.

#!/bin/bash
# Per-user preferences (~ expands to the home of the account running the script)
defaults write ~/Library/Preferences/us.zoom.xos.plist ZDisableVideo 1
defaults write ~/Library/Preferences/us.zoom.ringcentral.plist ZDisableVideo 1

# Kill Zoom Opener Apps
pkill "ZoomOpener"
pkill "RingCentralOpener"

# Remove Zoom Opener webservices
rm -rf ~/.zoomus
rm -rf ~/.ringcentralopener

# Create empty placeholder files so the opener directories cannot be recreated
touch ~/.zoomus
touch ~/.ringcentralopener

exit

Editing to incorporate some of the feedback, thanks all. Not sure about the "Disable Video" for Ring Central but testing.


stevewood
  • Hall of Fame
  • 1798 replies
  • July 9, 2019

@jhatem @zbennis @strayer

Are you seeing success with those defaults write commands? I'm testing on my machine, and that plist does not exist in either location, and if I put that plist in both locations it has no effect on the disable video pref.

Looking at files that are changed when making that pref change in Zoom, it looks like only the /Users/<user>/Library/Application Support/zoom.us/Data/zoomus.db file and /Users/<user>/Library/Preferences/us.zoom.xos.plist files are changed.


  • Valued Contributor
  • 182 replies
  • July 9, 2019

@jhatem, if you don't

touch ~/.zoomus

after you remove it, then the next time they open Zoom it will rebuild the same thing.


  • Valued Contributor
  • 81 replies
  • July 9, 2019

So I took the script for killing ZoomOpener and preventing it from being re-installed from the Medium article and re-wrote it in a Jamf-compatible fashion.

# To prevent the vulnerable server from running on your machine
# (this does not impact Zoom functionality), run these two lines in your Terminal.
# $3 is the Jamf script parameter carrying the logged-in username.

pkill "ZoomOpener"; rm -rf /Users/$3/.zoomus; touch /Users/$3/.zoomus && chmod 000 /Users/$3/.zoomus;

pkill "RingCentralOpener"; rm -rf /Users/$3/.ringcentralopener; touch /Users/$3/.ringcentralopener && chmod 000 /Users/$3/.ringcentralopener;

It is honestly just replacing ~ with /Users/$3/ but it gets the job done.

This does not prevent the folders from being modified if they do not already exist. Our company uses Zoom, so we all have this.

In regards to the automatically start video preference file, we need to discuss internally what the best course of action is as that would have a huge impact on our users.

edit: The reason why we would want to use a defaults write command to fix the don't start video automatically preference is that a plist would potentially override all of the other settings in the app, correct? Or has no one tested this method?


  • Valued Contributor
  • 182 replies
  • July 9, 2019

@stevewood Gotta be honest, I haven't tested the preference portion of the script at all. We were much more concerned about the webserver chunk at the bottom. I was mostly just trusting @zbennis on the top chunk.



@stevewood I've been seeing the same. Once I purge that zoomus.db file it seems to load the preferences correctly. Given this article from Zoom I was really hoping it would work with a config profile but no dice.


  • New Contributor
  • 1 reply
  • July 9, 2019

I am not seeing either of the defaults write commands work on a 10.13 machine. The checkbox does not get turned on to disable video. Haven't tried the "sdamiano" solution yet.


  • New Contributor
  • 3 replies
  • July 9, 2019

I've tried each script in this thread and none of them has changed the setting to "turn off video" for me in testing. Has anyone had success with this and are you willing to share your script or the screenshots of the settings around the policy? I'm relatively new to this and could easily be making a simple mistake.

Thanks!


  • New Contributor
  • 6 replies
  • July 9, 2019

Thanks for the feedback. I'm seeing us.zoom.xos.plist as the right file to tweak.

Also, one more we may want to touch up: ~/Library/Preferences/us.zoom.ringcentral.plist. I imagine this may have the same "video on" default?



Just putting this together and it seems to set the preferences as expected.

#!/bin/bash
# Disable auto video and auto mic

currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Library/Application Support/zoom.us"

# Clear out existing App Support DB (zoomus.db caches the old preferences)
if [ -e "$zoomAppSupportPath" ]; then
    rm -rf "$zoomAppSupportPath"
fi

# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath" ]; then
    rm -rf "$prefPath"
fi

# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"

# Create the placeholder file in place of the hidden ZoomOpener directory
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"

exit 0

  • Valued Contributor
  • 158 replies
  • July 9, 2019

Been playing with this all morning. I have a script that works for me so far; note that there is no error checking or anything.
Testing:
Install zoomus on computer
test PoC attack, make sure it auto joins and it binds to the 19421 port
Run script - nothing is bound to 19421 when running lsof
Open Zoom app check lsof - nothing running on 19421 still
Run the PoC exploit and Chrome displays a broken image and nothing launches on the machine

#!/bin/bash

#variable declarations###########
#################################
# Console user via SystemConfiguration (empty string at the login window)
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
# PID of whatever is listening on the ZoomOpener port
zoomPID=$(sudo lsof -i :19421 | tail -n 1 | awk '{print $2}')
#################################


#################################
#disable webcam for all accounts#
#################################
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
#################################

#################################
#kill zoom server process########
#remove zoom server directory####
#create stub directory###########
#################################
sudo kill -9 "$zoomPID"
rm -rf "/Users/$loggedInUser/.zoomus"
pkill "ZoomOpener"; rm -rf "/Users/$loggedInUser/.zoomus"; touch "/Users/$loggedInUser/.zoomus" && chmod 000 "/Users/$loggedInUser/.zoomus";

pkill "RingCentralOpener"; rm -rf "/Users/$loggedInUser/.ringcentralopener"; touch "/Users/$loggedInUser/.ringcentralopener" && chmod 000 "/Users/$loggedInUser/.ringcentralopener";
##################################

exit 0

I have set it to run once per user per computer; however, 95% of my machines are single user only. Not sure how that will impact some of your environments, but globally setting the webcam preference at least helps a bit.


sdagley
  • Jamf Heroes
  • 3564 replies
  • July 9, 2019

If you want an EA to tell you if the hidden ZoomOpener.app is installed on a machine here's something I adapted from @cdietrich's post to the #Security MacAdmins Slack channel:

#!/bin/bash

zoomFound="No"

# Check every home directory for the hidden ZoomOpener.app bundle
for USER_HOME in /Users/*; do
    if [[ -d "${USER_HOME}/.zoomus/ZoomOpener.app" ]]; then
        zoomFound="Yes"
    fi
done

echo -e "<result>$zoomFound</result>"
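An added example that extends the EA above (it is my code, not sdagley's or anything else posted in this thread): instead of a single Yes/No it classifies each home directory's .zoomus entry as vulnerable (directory holding ZoomOpener.app), remediated (the empty placeholder file the scripts in this thread create), absent, or unknown, and reports whether any user is still exposed. The function names, the users-root argument and the zoomopener_ea wrapper are my own assumptions.

```shell
#!/bin/bash
# Added example, not code from any post in this thread.
# Classify a user's ~/.zoomus entry with more detail than the EA above:
#   vulnerable  - .zoomus is a directory containing ZoomOpener.app (hidden web server present)
#   remediated  - .zoomus is a plain file, the placeholder the thread's scripts create so
#                 the Zoom client cannot recreate the directory
#   absent      - no .zoomus entry at all
#   unknown     - anything else (e.g. a .zoomus directory without the app bundle)
zoomus_state() {
    local home="$1"
    local p="$home/.zoomus"
    if [ -d "$p/ZoomOpener.app" ]; then
        echo "vulnerable"
    elif [ -f "$p" ]; then
        echo "remediated"
    elif [ ! -e "$p" ]; then
        echo "absent"
    else
        echo "unknown"
    fi
}

# Walk every home directory under a users root (normally /Users), print one line per user,
# and return 1 if any user is still vulnerable, 0 otherwise. Hypothetical helper name.
report_users() {
    local root="$1" rc=0 home state
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        state=$(zoomus_state "$home")
        printf '%s: %s\n' "$(basename "$home")" "$state"
        [ "$state" = "vulnerable" ] && rc=1
    done
    return $rc
}

# EA-style wrapper: "Yes" if any home under the given root (default /Users) still holds
# ZoomOpener.app. Hypothetical name.
zoomopener_ea() {
    if report_users "${1:-/Users}" >/dev/null; then
        echo "<result>No</result>"
    else
        echo "<result>Yes</result>"
    fi
}
```

Run `report_users /Users` as root to get the per-user breakdown, or `zoomopener_ea` for the Jamf result tag.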

  • New Contributor
  • 3 replies
  • July 9, 2019

The plist file does not work. However, I have found this on the Zoom site that does. https://support.zoom.us/hc/en-us/articles/115001799006-Mass-Deployment-with-Preconfigured-Settings-for-Mac

There is a separate IT Admin installer that can be run in the same location as the plist file which will configure the disabled setting. I have tested successfully on a number of Macs in our environment. Interestingly enough it does not copy the plist file to the Preferences location (like their guide said it should) ... BUT it does work.

I'm still trying to figure out where it actually is saving the config setting. No luck on that yet.


  • Valued Contributor
  • 182 replies
  • July 9, 2019

@andrew.nicholas I used the .plist chunk of your script with the kill PID section of my previous post and it worked successfully. I then changed the preferences back and flushed logs, and it reset the preferences back for me.
This is what I ended up with:

#!/bin/bash

# Disable auto-video on Zoom
# Resolve the console user and their home directory (NFSHomeDirectory attribute)
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Library/Application Support/zoom.us"

# Clear out existing App Support DB (zoomus.db caches the old preferences)
if [ -e "$zoomAppSupportPath" ]; then
    rm -rf "$zoomAppSupportPath"
fi

# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath" ]; then
    rm -rf "$prefPath"
fi

# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"

# Delete webserver (ZoomOpener listens on TCP port 19421)
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    kill -9 "$zoompid"
fi

# Create the placeholder file in the console user's home
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"

exit 0

EDIT: Fixed bottom section
EDIT: Fixed User direction.



@strayer glad to hear it but you might want to address the bottom section of the script. It's still referencing the homedir of the account running the script.


sharriston
  • Valued Contributor
  • 150 replies
  • July 9, 2019


I made a custom preference profile to stop the webcam from joining automatically as well after running the terminal command from the medium post with the plist it generates.



@sharriston Does the app actually honor the config? I tried the same and it would not.


sharriston
  • Valued Contributor
  • 150 replies
  • July 9, 2019

@andrew.nicholas So far it has been on all my coworkers' machines. What I did was run this command:

sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

then copied that plist into the custom preferences section of a config profile. I would make sure you ran the /Library version of the command and not the ~/Library one; that was an issue someone else had with it.



Yes the application is honoring the locally created preference file but is the custom configuration profile being honored on a machine that has not run the defaults write command?



