Question

Zoom Exploit



103 replies


@andrew.nicholas thanks, this did it!


  • New Contributor
  • 27 replies
  • July 11, 2019

Hello, not sure if anyone saw this, but Apple actually is removing the web server via a silent update. Actually it is done through XProtect.

https://www.macrumors.com/2019/07/10/apple-update-remove-zoom-server/



@kmathern they deployed an update to MRT (Malware Removal Tool). If a machine has ver. 1.45 of MRT, it is patched to prevent the web server issue. My machine received the update at 9:03am EST today, automatically pushed and silently from Apple.


  • Valued Contributor
  • 193 replies
  • July 11, 2019

Hey guys, I put together a quick post to show you how to manually download only the MRTConfigData v1.45 update AND manually run it using the MRT binary.

https://mrmacintosh.com/how-to-remediate-the-zoom-vulnerability-with-apple-malware-removal-tool/


sdagley
  • Jamf Heroes
  • 3540 replies
  • July 11, 2019

@ClassicII Either I'm seeing an odd layout, or it looks like some of the software update commands in your article had the -- (double minus?) replaced with an – (en dash).


  • Valued Contributor
  • 193 replies
  • July 11, 2019

@sdagley

Thank you for the heads up! That is exactly what happened: in the code I had "--" but it was converted to one "-". I changed the formatting to code so it shows up properly now. You win the Mr. Macintosh Eagle Eye Award for the day! :)


donmontalvo
  • Legendary Contributor
  • 4293 replies
  • July 12, 2019

  • Valued Contributor
  • 193 replies
  • July 12, 2019

The Zoom thing just turned from opening up an unwanted meeting with the camera on to full-blown RCE.

https://nvd.nist.gov/vuln/detail/CVE-2019-13567

If you are scoping for only the app in your policies, you may not catch everyone. If users heard of the news and deleted the app, the web server still remains!!!

Even worse, the MRT scanner does not run until after a reboot.

Update your machines and force the MRT scanner to run without a reboot!


donmontalvo
  • Legendary Contributor
  • 4293 replies
  • July 15, 2019

[EDIT: To support MRTConfigData 1.60.]

We opened a ticket with Apple, they advised we run as daemon (-d).

This script checks MRT version, downloads the update, then runs MRT, then checks the version again:

#!/bin/sh

# Read the installed MRT version from the app bundle's Info.plist
mrtVersion() {
    /usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
}

# Check MRT version before updating
echo "MRT is version $( mrtVersion )."

# Update MRT: try each MRTConfigData label from newest to oldest;
# labels not offered to this machine are skipped by softwareupdate
echo "Updating MRT."
for v in 1.60 1.59 1.58 1.57 1.56 1.55 1.54 1.53 1.52 1.51 1.50 1.49 1.48 1.47 1.46 1.45; do
    /usr/sbin/softwareupdate -i "MRTConfigData_10_14-${v}" --include-config-data 2>/dev/null
done

# Run as daemon (left commented out; uncomment to force a scan without a reboot)
#echo "Running MRT as daemon."
#/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -d

# Check MRT version again, re-reading the plist so the post-update value is shown
echo "MRT is version $( mrtVersion )."

exit 0

EA for reporting:

#!/bin/sh

# Report the installed MRT version as a Jamf Extension Attribute result
MRTvers=$( /usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString )

echo "<result>$MRTvers</result>"

We have a Smart Computer Group that reports on computers having 1.4.5 thru 1.60 for a bit of future proofing.

However, we would not exclude any computers, since MRT might be up to date but not have run.... :)

Thanks @ClassicII for your awesome blog, Apple likes it too!


ImAMacGuy
  • Esteemed Contributor
  • 1310 replies
  • July 16, 2019

Looks like a tweaked version of the client is out...
4.4.55313.0714


  • Contributor
  • 17 replies
  • July 16, 2019

Hey guys

So if I wanted to just see my affected users, I could run that handy smart group check that @balexander posted, correct? And then we can just run the MRT update script on every computer in our environment to make sure we're all good, yeah? Apologies, as I am literally just getting back from vacay and making sure I got everything haha. I want to ensure there is nothing else I am missing. Besides the MRT to everyone, is there anything else I should ensure we run?



That should do it. And to be honest, at this point MRT has probably updated on any machines that have been online the past week or so. It seems to happen pretty quickly and automagically. Also, just checked and it looks like the current MRT version is still 1.45, so you can keep that value for the smart group value.


  • Honored Contributor
  • 550 replies
  • July 17, 2019

MRT 1.46 and Gatekeeper 172 were released late yesterday afternoon



I see posts everywhere about 1.46, but am not seeing it actually being available yet. Weird.


  • New Contributor
  • 17 replies
  • July 17, 2019

I was able to get 1.46 (and new Gatekeeper) with:

softwareupdate -i -r --include-config-data


donmontalvo
  • Legendary Contributor
  • 4293 replies
  • July 17, 2019

@Nix4Life

MRT 1.46 and Gatekeeper 172 were released late yesterday afternoon

Would be nice if Apple provided an MRT release notes page.



Yeah @kfbbt, if I run /usr/sbin/softwareupdate -i MRTConfigData_10_14-1.46 --include-config-data it updates to 1.46 just fine.


  • Honored Contributor
  • 550 replies
  • July 17, 2019

We have a Reposado server. Agree @donmontalvo. How are you holding up out there, buddy?


  • Honored Contributor
  • 550 replies
  • July 17, 2019

Oh, and here's another Zoom update for ya:

zoom.us v 4.4.55387.0716

Is Zoom the new Flash?

Deuces



Or for the love of.....

https://9to5mac.com/2019/07/16/ringcentral-and-zhumu-macos-update/

Apparently 1.46 was pushed because everything is poisonous and all software vendors are against us :)


  • Contributor
  • 18 replies
  • July 18, 2019

Nix4Life... the new Flash. 4.4.55387.0716 released without release notes and/or notice. Thanks Zoom!


  • Valued Contributor
  • 193 replies
  • July 18, 2019

This zoom thing keeps on going!!!

10 more Zoom vulnerabilities and a new RCE found.

  1. /.ringcentralopener
  2. /.telusmeetingsopener
  3. /.btcloudphonemeetingsopener
  4. /.officesuitehdmeetingopener
  5. /.attvideomeetingsopener
  6. /.bizconfopener
  7. /.huihuiopener
  8. /.umeetingopener
  9. /.zhumuopener
  10. /.zoomcnopener

I tried to put all this new stuff on Zoom and MRT in a big index of information and links for you.

https://mrmacintosh.com/zoom-vulnerably-round-2-10-more-variants-index-of-mrt-links-info/
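As an added example (not code from this thread or from the Mr. Macintosh blog), here is a POSIX sh check that reports any of the ten hidden opener directories listed above that are still present under each home folder, in the same <result> form the EA scripts in this thread use. It assumes each variant installs its web server into a hidden dot-directory directly under the user's home folder, with exactly the names in the list.

```shell
#!/bin/sh
# Added example: scan home folders for leftover hidden "opener" directories.
# Assumption: the names from the list above live as dot-directories directly
# under each home folder (e.g. /Users/alice/.ringcentralopener).

OPENER_DIRS=".ringcentralopener .telusmeetingsopener .btcloudphonemeetingsopener \
.officesuitehdmeetingopener .attvideomeetingsopener .bizconfopener .huihuiopener \
.umeetingopener .zhumuopener .zoomcnopener"

# find_opener_dirs BASE: print each leftover opener directory found under
# BASE/<home>/, one path per line (nothing when the machine is clean)
find_opener_dirs() {
    base="$1"
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        for name in $OPENER_DIRS; do
            [ -d "${home}${name}" ] && printf '%s\n' "${home}${name}"
        done
    done
    return 0
}

# count_opener_dirs BASE: number of leftover directories under BASE
count_opener_dirs() {
    find_opener_dirs "$1" | grep -c . || true
}

# report_opener_dirs BASE: EA-style result, "Clean" or the leftover paths
report_opener_dirs() {
    found=$( find_opener_dirs "$1" )
    if [ -z "$found" ]; then
        echo "<result>Clean</result>"
    else
        printf '<result>%s</result>\n' "$found"
    fi
}

# Default to the macOS home folder root; a different root can be passed as $1
report_opener_dirs "${1:-/Users}"
```

Because it scans every home folder rather than the current user's, scope it to run as root, which is how Jamf runs extension attributes.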


donmontalvo
  • Legendary Contributor
  • 4293 replies
  • July 18, 2019

Wow, updated script to support 1.47, but holy mudder of gawd, what a mess.

@Nix4Life zoom.us is killing me man...killing me...haha


  • Valued Contributor
  • 193 replies
  • July 18, 2019

No kidding @donmontalvo !!!!

I mean, how many different Zoom variants are out there? We are now at 14 total; you would think Zoom would know exactly how many exist.


  • New Contributor
  • 1 reply
  • July 25, 2019

Hey all!

Apologies for sounding pretty inept at following this, but for someone just getting back from a vacay and seeing this all, I'm trying to make sure I'm current haha...

So to ensure I nail down which of my end users are affected by this, I can run a smart group check, and set it up like @balexander did? (Thank you so much for that!)

And then is it simply a matter of running a script like the one on the deflounder page and then ensuring the MRT update is run on all computers? Would that be an effective way of going about this? Am I doing too much? Too little? Apologies, as I work in a K-12 so we want to ensure we get everyone taken care of.

Thanks so much for any help

