Posted on 07-08-2019 10:59 PM
For those of you who wake up to Zoom Exploit news.
You can set ZoomOpener.app as a Restricted Software.
Kill Process
Restrict to exact process name
Kill Process.
I would not recommend turning on Send Email or Message to the user.
Posted on 07-08-2019 11:02 PM
Info about the exploit here:
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
Mac Chrome users can also reset Chrome to no open up Zoom automatically however its a little painful:
Directions here: https://lifehacker.com/reset-chrome-to-stop-automatically-opening-apps-1820404423
I changed {"zoommtg":false} to {"zoommtg":true} and saved. It now prompts to open Zoom again.
Posted on 07-09-2019 05:51 AM
Yep just actioned the above, also added zoom.us.app to restrictions
Posted on 07-09-2019 06:23 AM
It seems Zoom gets hit by the bad news bug every six months or so.
Posted on 07-09-2019 06:37 AM
In case anyone is looking for an automated/deployable way of executing the commands recommended on the blog post. Meant to be run as root; global defaults command will fail if non-admin.
#!/bin/bash
# Disable auto-video on Zoom
# For just your local account
user=`stat -f "%Su" /dev/console`
defaults write "$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# Delete webserver
zoompid=`lsof -ti :19421`
kill -9 "$zoompid"
rm -rf "$user"/.zoomus
touch "$user"/.zoomus
Posted on 07-09-2019 07:03 AM
is deleting the webserver critical? I thought i saw it would just reinstall itself?
Posted on 07-09-2019 07:20 AM
added a little logic to @zbennis script so it doesn't error out if it doesn't find the PID
#!/bin/bash
# Disable auto-video on Zoom
# For just your local account
user=`stat -f "%Su" /dev/console`
defaults write "$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
echo "zoompid not found"
else
kill -9 "$zoompid"
fi
rm -rf ~/.zoomus
touch ~/.zoomus
exit 0
Posted on 07-09-2019 07:25 AM
Work in progress.
#!/bin/bash
# For all users on the machine
defaults write ~/Library/Preferences/us.zoom.xos.plist ZDisableVideo 1
defaults write ~/Library/Preferences/us.zoom.ringcentral.plist ZDisableVideo 1
#Kill Zoom Opener Apps
pkill "ZoomOpener"
pkill "RingCentralOpener"
#Remove Zoom Opener webservices
rm -rf ~/.zoomus
rm -rf ~/.ringcentralopener
#Create empty folders
touch ~/.zoomus
touch ~/.ringcentralopener
exit
Editing to incorporate some of the feedback, thanks all. Not sure about the "Disable Video" for Ring Central but testing.
Posted on 07-09-2019 07:32 AM
Are you seeing success with those defaults write
commands? I'm testing on my machine, and that plist does not exist in either location, and if I put that plist in both locations it has no effect on the disable video pref.
Looking at files that are changed when making that pref change in Zoom, it looks like only the /Users/<user>/Library/Application Support/zoom.us/Data/zoomus.db
file and /Users/<user>/Library/Preferences/us.zoom.xos.plist
files are changed.
Posted on 07-09-2019 07:32 AM
@jhatem if you don't
touch ~/.zoomus
after you remove it then next time they open zoom up it will rebuild the same thing.
Posted on 07-09-2019 07:45 AM
So I took the script for killing zoomopener and preventing it from being re-installed from the medium article and re-wrote it in a jamf compatible fashion.
# To prevent the vulnerable server from running on your machine
# (this does not impact Zoom functionality), run these two lines in your Terminal.
pkill "ZoomOpener"; rm -rf /Users/$3/.zoomus; touch /Users/$3/.zoomus && chmod 000 /Users/$3/.zoomus;
pkill "RingCentralOpener"; rm -rf /Users/$3/.ringcentralopener; touch /Users/$3/.ringcentralopener && chmod 000 /Users/$3/.ringcentralopener;
It is honestly just replacing
~
with /Users/$3/
but it gets the job done.
This does not prevent the folders from being modified if they do not already exist. Our company uses Zoom, so we all have this.
In regards to the automatically start video preference file, we need to discuss internally what the best course of action is as that would have a huge impact on our users.
edit: The reason why we would want to use a defaults write
command to fix the don't start video automatically preference is that a plist would potentially override all of the other settings in the app, correct? Or has no one tested this method?
Posted on 07-09-2019 07:49 AM
@stevewood Gotta be honest, I haven't tested the preference portion of the script at all. We were much more concerned about the webserver chunk at the bottom. I was mostly just trusting @zbennis on the top chunk.
Posted on 07-09-2019 07:55 AM
@stevewood I've been seeing the same. Once I purge that zoomus.db file it seems to load the preferences correctly. Given this article from Zoom I was really hoping it would work with a config profile but no dice.
Posted on 07-09-2019 07:58 AM
I am not seeing either of the defaults write commands work on a 10.13 machine. The checkbox does not get turned on to disable video. Haven't tried "sdamiano" solution yet.....
Posted on 07-09-2019 08:12 AM
I've tried each script in this thread and none of them has changed the setting to "turn off video" for me in testing. Has anyone had success with this and are you willing to share your script or the screenshots of the settings around the policy? I'm relatively new to this and could easily be making a simple mistake.
Thanks!
Posted on 07-09-2019 08:19 AM
Thanks for the feedback.
I'm seeing us.zoom.xos.plist
as the right file to tweak. Also,
One more we may want to touch up?
~/Library/Preferences/us.zoom.ringcentral.plist
I imagine this may have the same "video on" default?
Posted on 07-09-2019 08:26 AM
Just putting this together and it seems to set the preferences as expected.
#!/bin/bash
# Disable auto video and auto mic
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Library/Application Support/zoom.us"
#Clear Out existing App Support DB
if [ -e "$zoomAppSupportPath" ]; then
rm -rf "$zoomAppSupportPath"
fi
# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath" ]; then
rm -rf "$prefPath"
fi
# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"
# create the placeholder
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"
exit 0
Posted on 07-09-2019 08:28 AM
Been playing with this all morning....I have a script that works for me so far, note that there is no error checking or anything.
Testing:
Install zoomus on computer
test PoC attack, make sure it auto joins and it binds to the 19421 port
Run script - nothing is bound to 19421 when running lsof
Open Zoom app check lsof - nothing running on 19421 still
Run the PoC exploit and Chrome displays a broken image and nothing launches on the machine
#!/bin/bash
#variable declarations###########
#################################
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')
zoomPID=$(sudo lsof -i :19421 | tail -n 1 | awk '{print $2}')
#################################
#################################
#disable webcam for all accounts#
#################################
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
#################################
#################################
#kill zoom server process########
#remove zoom server directory####
#create stub directory###########
#################################
sudo kill -9 $zoomPID
rm -rf /Users/$loggedInUser/.zoomus
pkill "ZoomOpener"; rm -rf /Users/$loggedInUser/.zoomus; touch /Users/$loggedInUser/.zoomus && chmod 000 /Users/$loggedInUser/.zoomus;
pkill "RingCentralOpener"; rm -rf /Users/$loggedInUser/.ringcentralopener; touch /Users/$loggedInUser/.ringcentralopener && chmod 000 /Users/$loggedInUser/.ringcentralopener;
##################################
exit 0
I have set it to run once per user per computer, however 95% of my machines are single user only. Not sure how that will impact some of your environments, but globally setting the webcam preference at least helps a bit
Posted on 07-09-2019 08:32 AM
If you want an EA to tell you if the hidden ZoomOpener.app is installed on a machine here's something I adapted from @cdietrich's post to the #Security MacAdmins Slack channel:
#!/bin/bash
zoomFound="No"
for USER_HOME in /Users/*; do
USER_UID=$(basename "${USER_HOME}")
if [[ -d "${USER_HOME}/.zoomus/ZoomOpener.app" ]]; then
zoomFound="Yes"
fi
done
echo -e "<result>$zoomFound</result>"
Posted on 07-09-2019 08:43 AM
The plist file does not work. However, I have found this on the Zoom site that does. https://support.zoom.us/hc/en-us/articles/115001799006-Mass-Deployment-with-Preconfigured-Settings-for-Mac
There is a separate IT Admin installer that can be run in the same location as the plist file which will configure the disabled setting. I have tested successfully on a number of Macs in our environment. Interestingly enough it does not copy the plist file to the Preferences location (like their guide said it should) ... BUT it does work.
I'm still trying to figure out where it actually is saving the config setting. No luck on that yet.
Posted on 07-09-2019 09:52 AM
@andrew.nicholas I used the .plist chunk of your script with the kill pid section of my previous post and it worked successfully. I then changed the preferences back and flushed logs and it reset the preferences back for me.
this is what I ended up with
#!/bin/bash
# Disable auto-video on Zoom
# For just your local account
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Application Support/zoom.us"
#Clear Out existing App Support DB
if [ -e "$zoomAppSupportPath" ]; then
rm -rf "$zoomAppSupportPath"
fi
# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath" ]; then
rm -rf "$prefPath"
fi
# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"
# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
echo "zoompid not found"
else
kill -9 "$zoompid"
fi
# create the placeholder
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"
exit 0
EDIT: Fixed bottom section
EDIT: Fixed User direction.
Posted on 07-09-2019 09:56 AM
@strayer glad to hear it but you might want to address the bottom section of the script. It's still referencing the homedir of the account running the script.
Posted on 07-09-2019 10:15 AM
I made a custom preference profile to stop the webcam from joining automatically as well after running the terminal command from the medium post with the plist it generates.
Posted on 07-09-2019 10:19 AM
@sharriston Does the app actually honor the config? I tried the same and it would not.
Posted on 07-09-2019 10:24 AM
@andrew.nicholas So far it has been on all my coworkers machines. What I did was run this command
sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
then copied that plist into the custom preferences section of a config profile. I would make sure you ran the /Library version of the command and not the ~/Library, that was an issue someone else had with it.
Posted on 07-09-2019 10:35 AM
Yes the application is honoring the locally created preference file but is the custom configuration profile being honored on a machine that has not run the defaults write command?
Posted on 07-09-2019 10:58 AM
@andrew.nicholas I am seeing that on some older test machines as well.
Posted on 07-09-2019 11:18 AM
Has anyone found that setting ZDisableVideo in /Library/Preferences/us.zoom.config.plist disables video completely?
I'm seeing weird behavior in that the user can't click "Start Video" after joining a meeting.
Posted on 07-09-2019 11:39 AM
I had that experience @jtrant. Was resolved by a reinstall of the zoom app, but I'm unclear on why it happened or if I can expect it to happen when I roll out the fix to the larger group of users.
Posted on 07-09-2019 11:39 AM
I've tried everything in this post, but nothing seems to work. Any other suggestions?
Posted on 07-09-2019 11:42 AM
@jtrant Looks that way. This whole thing has gotten to be a bit of a cluster to be honest as it seems no one has a truly great idea of the application management capabilities and the application itself seems to be a pandoras box of fun. According to a post in the similar thread on /r/sysadmin they will be releasing a patch by midnight tonight.
Posted on 07-09-2019 11:47 AM
Added this to my script to remove Zoom in the User's Application folder (~/Applications/)
#!/bin/sh
#Removes user downloaded Zoom
if [ -e /Users/*/Applications/zoom.us.app ]; then
rm -rf /Users/*/Applications/zoom.us.app
fi
#Remove .zoomus for all users
if [ -e /Users/*/.zoomus ]; then
rm -rf /Users/*/.zoomus
fi
Posted on 07-09-2019 12:01 PM
At least it's not just me.
Posted on 07-09-2019 12:02 PM
So through testing and a ton of help from the macadmins slack group the issue seems to be that if you have installed the public desktop version of zoom and run
defaults write /Library/Preferences/us.zoom.config.plist 1
The public version of zoom does not repect that plist, only the ITAdmin download of zoom will respect that plist. Now how do we figure out which version a user has.
Posted on 07-09-2019 12:46 PM
I'm in the same boat as @ageevarughese . Tried everything, and the video function is still enable. Upload the customer plist and same result.
Cloud it be disable via Zoom admin console?
Posted on 07-09-2019 01:00 PM
Sorry if I missed this being mentioned already, but what about removing the right to the camera from Security and Privacy in System Preferences to not allow Zoom access to the camera?
Posted on 07-09-2019 01:09 PM
In addition to my last post - I've been able to use the composer application to create a new pkg file which you can then push out via Jamf. Confirmed working and not having the video issues mentioned above.
Posted on 07-09-2019 01:22 PM
@andrew.nicholas your bit to figure out the home dir is slightly off. Your missing /Users/
before the user name. You have:
currentUserHome=$( dscl . read "$currentUser" NFSHomeDirectory | awk '{print $2}')
Should be: currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
Otherwise the variable is blank.
The road we are taking is to package up the Zoom IT Installer, along with the plist, drop into /tmp and then install that. We are scoping any machine with Zoom installed regardless of version. Kind of heavy handed, but it gets it done. And the postinstall script that does the installation also deletes the web server folder and creates a new folder that is locked:
#!/bin/bash
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
/usr/sbin/installer -pkg /tmp/ZoomInstallerIT.pkg -target /
# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
echo "zoompid not found"
else
kill -9 "$zoompid"
fi
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"
chmod 000 "$currentUserHome/.zoomus"
exit 0
We are also deploying a login script that will use Outset to run at every login to check for the web server, delete if present, and lock it. Basically using the last few lines of that postinstall script.
On top of that, we are pushing out the latest Outlook plug-in for users that have that installed.
A big thank you to all of you that did the leg work for me today. ;-)
Posted on 07-09-2019 01:27 PM
Update from Zoom just now is that a client with a fix for the web server is being released tonight, followed by another release July 12th with a fix for the default video settings.
Posted on 07-09-2019 01:45 PM
@jalbert That will totally disable the camera and prevent users from using it when they need to use it.