Question

Zoom Exploit



103 replies

  • New Contributor
  • 1 reply
  • July 10, 2019

@jwojda I think we might have Tesla to thank for that...
(line 350 from the ZoomInstallerIT postinstall script)

#ZOOM-34627 requirement from Tesla for not opening zoom.us.app{
#launch zoomus app

#exec "$2/Contents/MacOS/ZoomPresence"
#ZOOM-34627 requirement from Tesla for not opening zoom.us.app}

  • New Contributor
  • 2 replies
  • July 10, 2019

Here are all the related files I've found so far. Does anyone have anything I might have missed?

/Applications/zoom.us.app
/Library/Preferences/us.zoom.config.plist
~/Library/Application Support/zoom.us/Data/zoomus.db
~/Library/Preferences/us.zoom.config.plist
~/Library/Preferences/us.zoom.xos.plist
~/Library/Preferences/us.zoom.ringcentral.plist
~/.ringcentralopener
~/.zoomus


  • Contributor
  • 30 replies
  • July 10, 2019

Der Flounder to the rescue!

https://derflounder.wordpress.com/2019/07/10/zoom-vulnerability-and-remediation-script/#more-10415


  • Contributor
  • 45 replies
  • July 10, 2019

Here is what we used, and so far it's working.
Kill Zoom Process

#!/bin/bash

procList=("zoom.us"
"zOutlookPluginAgent")

for proc in "${procList[@]}"; do
    runningProc=$(ps axc | grep -i "$proc" | awk '{print $1}')
    if [[ $runningProc ]]; then
        echo "Found running process $proc with PID: ${runningProc}. Killing it..."
        kill $runningProc
    else
        echo "$proc not found running..."
    fi
done

Remove Zoom Script

#!/bin/bash
echo Cleaning Zoom...
echo Cleaning Application Cached Files...
# Path must be quoted: "Application Support" contains a space. Note that ~ is the home
# of the account running this script (root under a Jamf policy), not necessarily the logged-in user.
sudo rm -rf "$HOME/Library/Application Support/zoom.us"
echo Cleaning Application...
{
  sudo rm -rf /Applications/zoom.us.app
  sudo rm -rf ~/Applications/zoom.us.app
  sudo kextunload -b zoom.us.ZoomAudioDevice
  sudo rm -rf /System/Library/Extensions/ZoomAudioDevice.kext
  sudo rm -rf ~/.zoomus/ZoomOpener.app/Contents/MacOS/ZoomOpener
} &> /dev/null
echo Cleaning Outlook Plugin...
{
  sudo rm -rf /Users/$USER/Library/Containers/com.microsoft.Outlook/Data/Documents/ZoomOutlookPlugin
  sudo rm -rf /Library/ScriptingAdditions/zOLPluginInjection.osax
  sudo rm -rf /Applications/ZoomOutlookPlugin
  sudo rm -rf /Users/Shared/ZoomOutlookPlugin
  sudo rm -rf /Library/LaunchAgents/us.zoom.pluginagent.plist
} &> /dev/null
echo Removed Application...

and run this script from the Install and Update Zoom script.
The only thing I modified was turning off auto full screen and dual monitor.

#!/bin/sh
#####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
#       ZoomInstall.sh -- Installs or updates Zoom
#
# SYNOPSIS
#       sudo ZoomInstall.sh
#
####################################################################################################
#
# HISTORY
#
#       Version: 1.0
#
#       - Shannon Johnson, 28.9.2018
#       (Adapted from the FirefoxInstall.sh script by Joe Farage, 18.03.2015)
#
####################################################################################################
# Script to download and install Zoom.
# Only works on Intel systems.
#

# Set preferences - set to anything besides "true" to disable
hdvideo="true"
ssodefault="true"
ssohost="psu.zoom.us"


# choose language (en-US, fr, de)
lang=""
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 (JAMF SCRIPT PARAMETER) AND, IF SO, ASSIGN TO "lang"
if [ "$4" != "" ] && [ "$lang" = "" ]; then
        lang=$4
else
        lang="en-US"
fi

pkgfile="ZoomInstallerIT.pkg"
plistfile="us.zoom.config.plist"
logfile="/Library/Logs/ZoomInstallScript.log"

# Are we running on Intel? (compare the output of uname -p against the two Intel identifiers)
arch=$(/usr/bin/uname -p)
if [ "$arch" = "i386" ] || [ "$arch" = "x86_64" ]; then
        ## Get OS version and adjust for use with the URL string
        OSvers_URL=$( sw_vers -productVersion | sed 's/[.]/_/g' )

        ## Set the User Agent string for use with curl
        userAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X ${OSvers_URL}) AppleWebKit/535.6.2 (KHTML, like Gecko) Version/5.2 Safari/535.6.2"

        # Get the latest version of Zoom available from the Zoom download page.
        latestver=`/usr/bin/curl -s -A "$userAgent" https://zoom.us/download | grep 'ZoomInstallerIT.pkg' | awk -F'/' '{print $3}'`
        # Bail out rather than building a URL with an empty version if the page scrape failed.
        if [ -z "$latestver" ]; then
                /bin/echo "`date`: ERROR: could not determine the latest Zoom version from the download page." >> ${logfile}
                exit 1
        fi
        echo "Latest Version is: $latestver"

        # Get the version number of the currently-installed Zoom, if any.
        if [ -e "/Applications/zoom.us.app" ]; then
                currentinstalledver=`/usr/bin/defaults read /Applications/zoom.us.app/Contents/Info CFBundleShortVersionString`
                echo "Current installed version is: $currentinstalledver"
                if [ "${latestver}" = "${currentinstalledver}" ]; then
                        echo "Zoom is current. Exiting"
                        exit 0
                fi
        else
                currentinstalledver="none"
                echo "Zoom is not installed"
        fi

        url="https://zoom.us/client/${latestver}/ZoomInstallerIT.pkg"

        echo "Latest version of the URL is: $url"
        echo "`date`: Download URL: $url" >> ${logfile}

        # Compare the two versions, if they are different or Zoom is not present then download and install the new version.
        if [ "${currentinstalledver}" != "${latestver}" ]; then

                # Construct the plist file for preferences. Heredocs keep the XML attribute
                # quotes intact, and the first write truncates the file so repeated runs do
                # not append to a stale copy.
                cat > /tmp/${plistfile} <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>nogoogle</key>
        <string>1</string>
        <key>nofacebook</key>
        <string>1</string>
        <key>ZDisableVideo</key>
        <true/>
        <key>ZAutoJoinVoip</key>
        <true/>
        <key>ZDualMonitorOn</key>
        <false/>
EOF

                if [ "${ssohost}" != "" ]; then
                        cat >> /tmp/${plistfile} <<EOF
        <key>ZAutoSSOLogin</key>
        <true/>
        <key>ZSSOHost</key>
        <string>${ssohost}</string>
EOF
                fi

                cat >> /tmp/${plistfile} <<EOF
        <key>ZAutoFullScreenWhenViewShare</key>
        <false/>
        <key>ZAutoFitWhenViewShare</key>
        <false/>
EOF

                if [ "${hdvideo}" = "true" ]; then
                        hd720="<true/>"
                else
                        hd720="<false/>"
                fi

                cat >> /tmp/${plistfile} <<EOF
        <key>ZUse720PByDefault</key>
        ${hd720}
        <key>ZRemoteControlAllApp</key>
        <true/>
</dict>
</plist>
EOF

                # Download and install new version
                /bin/echo "`date`: Current Zoom version: ${currentinstalledver}" >> ${logfile}
                /bin/echo "`date`: Available Zoom version: ${latestver}" >> ${logfile}
                /bin/echo "`date`: Downloading newer version." >> ${logfile}
                /usr/bin/curl -L -o /tmp/${pkgfile} ${url}
                /bin/echo "`date`: Installing PKG..." >> ${logfile}
                # -allowUntrusted disables the installer's certificate check, so the only thing
                # vouching for this pkg is the TLS connection to zoom.us, and the pkg sits in
                # world-writable /tmp between download and install. Drop the flag, or verify the
                # package signature first, if that matters in your environment.
                /usr/sbin/installer -allowUntrusted -pkg /tmp/${pkgfile} -target /

                /bin/sleep 10
                /bin/echo "`date`: Deleting downloaded PKG." >> ${logfile}
                /bin/rm /tmp/${pkgfile}

                # double check to see if the new version got updated
                newlyinstalledver=`/usr/bin/defaults read /Applications/zoom.us.app/Contents/Info CFBundleShortVersionString`
                if [ "${latestver}" = "${newlyinstalledver}" ]; then
                        /bin/echo "`date`: SUCCESS: Zoom has been updated to version ${newlyinstalledver}" >> ${logfile}
                        # /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -title "Zoom Installed" -description "Zoom has been updated." &
                else
                        /bin/echo "`date`: ERROR: Zoom update unsuccessful, version remains at ${currentinstalledver}." >> ${logfile}
                        /bin/echo "--" >> ${logfile}
                        exit 1
                fi

        # If Zoom is up to date already, just log it and exit.
        else
                /bin/echo "`date`: Zoom is already up to date, running ${currentinstalledver}." >> ${logfile}
                /bin/echo "--" >> ${logfile}
        fi
else
        /bin/echo "`date`: ERROR: This script is for Intel Macs only." >> ${logfile}
fi

exit 0
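The script above hands the pkg to installer with -allowUntrusted, which turns off the installer's own certificate check. As an added example (not from this post and not part of ZoomInstall.sh), this is the check a practitioner would put in front of the install instead: confirm that the pkg carries an Apple-issued Developer ID Installer signature and that the Team ID matches one verified by hand from a known-good package. The Team ID placeholder, the made-up vendor in the sample output, and the exact "Status:" wording matched below are assumptions to confirm against your own `pkgutil --check-signature` output.

```shell
#!/bin/sh
# Added example, not from the post and not part of ZoomInstall.sh. It performs the
# check that `installer -allowUntrusted` skips: the pkg must carry an Apple-issued
# Developer ID Installer signature whose Team ID matches one you verified by hand.
# EXPECTED_TEAM_ID is a placeholder (assumption); the "Status:" wording below is
# taken from pkgutil output on recent macOS and should be confirmed against yours.

EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-XXXXXXXXXX}"

# Pull the 10-character Team ID out of `pkgutil --check-signature` output, where the
# signer is listed as "Developer ID Installer: <Name> (<TEAMID>)". Prints nothing
# when no such certificate is in the chain.
team_id_from_signature() {
  sed -n 's/.*Developer ID Installer:.*(\([A-Z0-9]\{10\}\)).*/\1/p' | head -n 1
}

# Accept only when pkgutil says the signature is Apple-issued AND the Team ID matches.
# A self-signed cert can carry any subject name, so the status line is checked first.
# $1 = pkgutil output as text, $2 = expected Team ID. Exit 0 on success.
signature_is_acceptable() {
  sig="$1"
  want="$2"
  printf '%s\n' "$sig" | grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
  got=$(printf '%s\n' "$sig" | team_id_from_signature)
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# macOS wrapper: verify, then install WITHOUT -allowUntrusted. $1 = pkg path.
install_verified_pkg() {
  sig=$(/usr/sbin/pkgutil --check-signature "$1" 2>&1) || {
    echo "pkgutil --check-signature failed for $1" >&2
    return 1
  }
  if ! signature_is_acceptable "$sig" "$EXPECTED_TEAM_ID"; then
    echo "Refusing to install $1: not signed by Team ID $EXPECTED_TEAM_ID" >&2
    return 1
  fi
  /usr/sbin/installer -pkg "$1" -target /
}

# Constructed sample of pkgutil output (vendor name and Team ID are made up) so the
# parsing can be exercised without a Mac or a real pkg.
SAMPLE_SIGNED_OUTPUT='Package "ZoomInstallerIT.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (ABCDE12345)
       Expires: 2024-01-01 00:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED_OUTPUT='Package "ZoomInstallerIT.pkg":
   Status: no signature'
```

In the installer script this replaces the single `installer -allowUntrusted` line with `install_verified_pkg /tmp/${pkgfile}`; a wrong or missing signer then fails the policy instead of installing. The status line is matched deliberately before the Team ID, because the subject of an untrusted certificate can say anything.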

dan-snelson
  • Honored Contributor
  • 632 replies
  • July 10, 2019

Thanks for the EA, @sdagley. I changed a line when found to report back the installed version:

#!/bin/bash
# https://www.jamf.com/jamf-nation/discussions/32561/zoom-exploit#responseChild187183

zoomFound="No"

for USER_HOME in /Users/*; do
  USER_UID=$(basename "${USER_HOME}")
  if [[ -d "${USER_HOME}/.zoomus/ZoomOpener.app" ]]; then
    zoomFound="`/usr/bin/defaults read ${USER_HOME}/.zoomus/ZoomOpener.app/Contents/Info.plist CFBundleShortVersionString`"
  fi
done

echo "<result>${zoomFound}</result>"

exit 0

BrysonTyrrell
  • Valued Contributor
  • 85 replies
  • July 10, 2019

@dan-snelson I am told a patch definition update for Zoom will be out shortly.


  • New Contributor
  • 29 replies
  • July 10, 2019

@danny.gutman "When will Jamf update Patch Management to include the latest version? How are you guys rolling out the new update?"
Also wondering about this, do most of you just wait for patch definition updates? Is @adam.ashworth's workflow a good way to do this?


danny_gutman

@Garci4, honestly just wanted to roll it out already, can't wait for Jamf to update Patch Management.

I just created a smart group targeting all Macs not having the latest version, and scoped that to a policy that includes the latest ZoomITInstaller package. Worked fine for me.


  • Employee
  • 40 replies
  • July 10, 2019

Hey folks!

The zoom.us 4.4.53932.0709 update for Patch Management is now updated in the zoom.us Software Title.

Thanks!

Jon


  • New Contributor
  • 1 reply
  • July 10, 2019

Has anyone tested deploying the new IT installer package over the old version? Does it disable the web server portion and clean up properly? Or are you deploying that update with a script to make sure that gets nuked properly?


flamingo
  • New Contributor
  • 2 replies
  • July 10, 2019

@danny.gutman When you pushed out the new package, did it uninstall the previous version, removing all the components?

And did it transfer over any personalized settings the users may have?

Cheers!


dan-snelson
  • Honored Contributor
  • 632 replies
  • July 10, 2019
Begin forwarded message:
From: Jamf Pro Beta Server noreply@churchofjesuschrist.org
Subject: zoom.us v4.4.53932.0709 is available
Date: July 10, 2019 at 12:27:44 PM MDT
Updates for zoom.us are available. Title: zoom.us Version: 4.4.53932.0709 Publisher: Zoom Video Communications, Inc.

Thanks @brysontyrrell, et al.


Forum|alt.badge.img

@hdsreid @AVmcclint @Bret_P - in my testing today, the web opener is not removed if JAMF updates Zoom in the background with the program open, which is the usual install method in my environment.

After a relaunch, the new version is correct but the web opener is still there, and so still presumably vulnerable. This is the case even if the user isn't signed in to Zoom but Zoom is running. Only after closing Zoom completely did the installer remove the web opener when run via a JAMF policy.

I'm sure some will add a script to their Zoom update policy to force close the app, but the reason why that is not ideal is that, even more than just potentially forcing it closed during a meeting someone is attending, if the user is the meeting organizer, then the meeting is immediately ended for all attendees. Instead, we're using a version of Rich Trouton's script to first mitigate the issue everywhere, and only installing the update via policy after we verify with an extension attribute that the Web Opener doesn't exist in any profile.
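To put the sequence in this post into a script (mitigate everywhere first, verify with an extension attribute, push the client update only afterwards), here is an added example. It is not Rich Trouton's script, not Zoom's code and not from the thread. It assumes user homes under /Users, the opener at ~/.zoomus/ZoomOpener.app (the path used throughout this thread), a process named ZoomOpener, and that leaving a mode-000 file in place of ~/.zoomus is the blocking step you want (a common mitigation for this issue, stated here as an assumption rather than something the thread prescribes). The sample home layout it can build is constructed.

```shell
#!/bin/sh
# Added example (not Rich Trouton's script, not Zoom's code, not from the thread).
# Assumptions: user homes live under HOME_ROOT (/Users by default), the opener is
# <home>/.zoomus/ZoomOpener.app, its process is named ZoomOpener, and leaving a
# mode-000 file in place of <home>/.zoomus is the blocking step you want.

HOME_ROOT="${HOME_ROOT:-/Users}"

# CFBundleShortVersionString from an Info.plist: `defaults` on macOS (handles binary
# plists), a plain-text scan elsewhere so the rest of the logic can be tested off-mac.
bundle_version() {
  if command -v defaults >/dev/null 2>&1; then
    defaults read "$1" CFBundleShortVersionString 2>/dev/null
  else
    awk '/CFBundleShortVersionString/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$1"
  fi
}

# One line per home: "<home> present <version>", "<home> absent -", or
# "<home> blocked -" (a regular file sits where the .zoomus directory would be).
opener_inventory() {
  root="${1:-$HOME_ROOT}"
  for home in "$root"/*; do
    [ -d "$home" ] || continue
    app="$home/.zoomus/ZoomOpener.app"
    if [ -f "$home/.zoomus" ]; then
      echo "$home blocked -"
    elif [ -d "$app" ]; then
      ver=""
      [ -f "$app/Contents/Info.plist" ] && ver=$(bundle_version "$app/Contents/Info.plist")
      echo "$home present ${ver:--}"
    else
      echo "$home absent -"
    fi
  done
}

# Exit 0 if any home still carries the opener; gate the client update policy on
# this returning 1.
opener_present_anywhere() {
  opener_inventory "$1" | awk '$2 == "present" { found = 1 } END { exit found ? 0 : 1 }'
}

# Kill only the opener, never zoom.us itself, so a meeting in progress is not ended.
stop_opener_processes() {
  if command -v pkill >/dev/null 2>&1; then
    pkill -x ZoomOpener 2>/dev/null || true
  fi
  return 0
}

# Delete <home>/.zoomus and leave an empty, unreadable file in its place so the
# client cannot silently recreate the directory on next launch.
remediate_home() {
  zoomus="$1/.zoomus"
  [ -d "$zoomus" ] && rm -rf "$zoomus"
  if [ ! -e "$zoomus" ]; then
    : > "$zoomus"
    chmod 000 "$zoomus"
  fi
}

remediate_all() {
  root="${1:-$HOME_ROOT}"
  stop_opener_processes
  for home in "$root"/*; do
    [ -d "$home" ] && remediate_home "$home"
  done
  return 0
}

# Constructed layout for trying this off a real Mac: one home with the opener,
# one without. Prints the temporary root it created.
make_sample_home_root() {
  root=$(mktemp -d)
  mkdir -p "$root/alice/.zoomus/ZoomOpener.app/Contents" "$root/bob"
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0">' '<dict>' \
    '<key>CFBundleShortVersionString</key>' '<string>4.4.12345.0101</string>' '</dict>' '</plist>' \
    > "$root/alice/.zoomus/ZoomOpener.app/Contents/Info.plist"
  echo "$root"
}
```

Wire `opener_inventory` into an extension attribute (the first word after the home path is enough for a smart group), run `remediate_all` from the mitigation policy, and scope the Zoom update policy only to machines where `opener_present_anywhere` returns 1. Because only ZoomOpener is killed, a host in a live meeting keeps the meeting.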


keaton
  • Employee
  • 55 replies
  • July 10, 2019

Forum|alt.badge.img+3

Zoom has released a new update with the patch; you can get the new Zoom version here:

https://zoom.us/download


remus
  • Contributor
  • 29 replies
  • July 11, 2019

Interesting…

https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/


Forum|alt.badge.img+7

How can we check if this silent Apple update was installed on the client? Does anybody know the correct version (XProtect/Gatekeeper/MRTConfigData version)?
(Most of our managed Macs receive their updates from our internal Reposado Software Update server. Today I saw a new entry for MRTConfigData with version 1.45.)


Forum|alt.badge.img+4

@hansjoerg.watzl To check whether the latest MRTConfigData update has been installed on Mac computers, you can use an Advanced Computer Search with the criterion "Packages Installed By Installer.app/SWU" and the value com.apple.pkg.MRTConfigData_10_14.16U4071.

If you would like to get the current version of MRTConfigData, I suggest using the command below:

defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString

There is also a blog of @ClassicII which can help you to track the versions of macOS and Core Apps: macOS System Status & Version Info


Forum|alt.badge.img+7

@lukasz.molenda Thanks, I had to enter the following defaults command to get the version:

defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString

But it only shows version 1.42 and not the current one (1.45).

I tried a manual software update in System Preferences before, and the log shows a new MRTConfigData version, but it seems it was not installed.

tail /private/var/log/install.log 
2019-07-11 11:29:49+02 UM00655 softwareupdate_notify_agent[1010]: AssertionMgr: Take com.apple.softwareupdate.NotifyAgentAssertion-BadgingCountChanged assertion with type BackgroundTask for pid 1010, id 0x85EB
2019-07-11 11:29:49+02 UM00655 softwareupdated[1012]: Scan (f=1, d=0) completed 
2019-07-11 11:29:49+02 UM00655 softwareupdated[1012]: 1 updates found:
    041-84505    | MRTConfigData 1.45
2019-07-11 11:29:49+02 UM00655 softwareupdated[1012]: Removing client SUUpdateServiceClient pid=7349, uid=0, installAuth=NO rights=(), transactions=0 (/usr/sbin/softwareupdate)
2019-07-11 11:29:49+02 UM00655 softwareupdate_notify_agent[1010]: SUAppStoreAgentNotifier: Setting badge count to 0: 
2019-07-11 11:29:49+02 UM00655 softwareupdate_notify_agent[1010]: AssertionMgr: Cancel com.apple.softwareupdate.NotifyAgentAssertion-BadgingCountChanged assertion for pid 1010, id 0x85EB
2019-07-11 11:38:28+02 UM00655 installd[7506]: installd: Starting
2019-07-11 11:38:28+02 UM00655 installd[7506]: installd: uid=0, euid=0
2019-07-11 11:38:28+02 UM00655 system_installd[6921]: PackageKit: Install sandbox purging reclaimed 0 KB

  • Contributor
  • 11 replies
  • July 11, 2019

Might be a little raw but this would help to see the MRTConfigData from the install log for an extension attribute:

#!/bin/sh

result=$(grep 'MRTConfigData' /private/var/log/install.log | tail -1 | cut -f 3 | sed 's/ | MRTConfigData //')
echo "<result>$result</result>"
exit 0
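The posts above are trying to tell "softwareupdate found MRTConfigData 1.45" apart from "MRT 1.45 is installed", and the extension attribute just posted reads only the first of those. As an added example (not from the thread), the script below parses the install.log line layout shown above for the offered version without depending on tabs versus spaces, reads the installed bundle version the same way the other extension attributes in this thread do, and compares the two numerically so that 1.45 is not sorted below 1.9. The sample log lines it carries are constructed from the format quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Separates "MRTConfigData X was offered" (a
# softwareupdate scan line in install.log) from "MRT X is installed" (the bundle
# version) and compares the two numerically. Paths are the ones used in this
# thread; reading MRT.app only works on macOS.

INSTALL_LOG="${INSTALL_LOG:-/private/var/log/install.log}"
MRT_INFO_PLIST="/System/Library/CoreServices/MRT.app/Contents/Info.plist"

# Last MRTConfigData version mentioned in the log, e.g. "1.45" from
# "    041-84505    | MRTConfigData 1.45". Independent of tab/space layout.
# $1 = log file, or "-" for stdin.
mrt_offered_version() {
  grep -o 'MRTConfigData [0-9][0-9.]*' "${1:-$INSTALL_LOG}" | awk '{ print $2 }' | tail -n 1
}

# Version of the installed MRT bundle (macOS only; prints nothing elsewhere).
mrt_installed_version() {
  command -v defaults >/dev/null 2>&1 || return 0
  defaults read "$MRT_INFO_PLIST" CFBundleShortVersionString 2>/dev/null
}

# Numeric dotted-version compare: exit 0 when $1 >= $2 (so 1.45 >= 1.9 holds,
# which a plain string compare would get wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# "current" when installed >= offered, "stale" when behind, "unknown" when either
# side is missing. $1 = installed version, $2 = offered version.
mrt_status() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo unknown
  elif version_ge "$1" "$2"; then
    echo current
  else
    echo stale
  fi
}

# Extension-attribute style output combining both sources. $1 = log file.
mrt_report() {
  installed=$(mrt_installed_version)
  offered=$(mrt_offered_version "${1:-$INSTALL_LOG}")
  echo "<result>installed=${installed:-none} offered=${offered:-none} $(mrt_status "$installed" "$offered")</result>"
}

# Constructed sample in the layout quoted in this thread, for running off a Mac.
sample_log() {
  printf '%s\n' \
    '2019-07-11 11:29:49+02 UM00655 softwareupdated[1012]: 1 updates found:' \
    '    041-84505    | MRTConfigData 1.45'
}
```

As an extension attribute, `mrt_report` yields something like `<result>installed=1.42 offered=1.45 stale</result>`, which is the state the earlier post describes; a smart group on the trailing word then finds machines where the scan saw the update but it never landed, the ones `softwareupdate -ia --include-config-data` is meant for.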

Forum|alt.badge.img+4

edit: just saw @lukasz.molenda already posted this :)

also; from https://www.jamf.com/jamf-nation/feature-requests/5158/built-in-inventory-fields-for-os-x-macos-security-and-malware-protection-systems

defaults read /System/Library/CoreServices/MRT.app/Contents/version CFBundleShortVersionString


Forum|alt.badge.img+4

so, created an extension attribute to monitor MRT version:

#!/bin/sh
SWU=`defaults read /System/Library/CoreServices/MRT.app/Contents/version CFBundleShortVersionString`
echo "<result>$SWU</result>"

created an extension attribute to monitor for the hidden Zoom install (thanks @sdagley):

#!/bin/sh
zoomFound="No"

for USER_HOME in /Users/*; do
  USER_UID=$(basename "${USER_HOME}")
  if [[ -d "${USER_HOME}/.zoomus/ZoomOpener.app" ]]; then
    zoomFound="Yes"
  fi
done

echo -e "<result>$zoomFound</result>"

created a smart group to identify the affected devices:

(edited to update smart group screenshot)

Bob's your uncle?


sdagley
  • Jamf Heroes
  • 3540 replies
  • July 11, 2019

@balexander667 The Value you'd want to use to indicate your HiddenZoomInstalled Extension Attribute found something is Yes (zoomFound is the variable used In the script, and it'll be either Yes or No)


Forum|alt.badge.img+4

@sdagley hah! duh, a lot of copying and pasting this morning :)


Forum|alt.badge.img+13

@hansjoerg.watzl try the following command to force MRT

softwareupdate -ia --include-config-data


