
For those of you who wake up to Zoom Exploit news.



You can set ZoomOpener.app as Restricted Software.



Kill Process
Restrict to exact process name
Kill Process.



I would not recommend turning on Send Email or Message to the user.

Info about the exploit here:
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5



Mac Chrome users can also reset Chrome so it does not open Zoom automatically; however, it's a little painful:
Directions here: https://lifehacker.com/reset-chrome-to-stop-automatically-opening-apps-1820404423



I changed {"zoommtg":false} to {"zoommtg":true} and saved. It now prompts to open Zoom again.


Yep, just actioned the above; also added zoom.us.app to restrictions.


It seems Zoom gets hit by the bad news bug every six months or so.


In case anyone is looking for an automated/deployable way of executing the commands recommended in the blog post: meant to be run as root; the global defaults command will fail if run as a non-admin.



#!/bin/bash

# Disable auto-video on Zoom
# For just the console user's account
# (stat returns the username, not the home directory, so the path needs /Users/ in front)
user=`stat -f "%Su" /dev/console`
defaults write /Users/"$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# Delete webserver: kill the listener on 19421, then replace ~/.zoomus with an empty placeholder file
zoompid=`lsof -ti :19421`
kill -9 "$zoompid"
rm -rf /Users/"$user"/.zoomus
touch /Users/"$user"/.zoomus

is deleting the webserver critical? I thought i saw it would just reinstall itself?


Added a little logic to @zbennis's script so it doesn't error out if it doesn't find the PID.



#!/bin/bash

# Disable auto-video on Zoom
# For just the console user's account
# (stat returns the username, not the home directory, so the path needs /Users/ in front)
user=`stat -f "%Su" /dev/console`
defaults write /Users/"$user"/Library/Preferences/us.zoom.config.plist ZDisableVideo 1
# For all users on the machine
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    kill -9 "$zoompid"
fi
# Use the console user's home, not ~ (which is root's home when this runs as root)
rm -rf /Users/"$user"/.zoomus
touch /Users/"$user"/.zoomus

exit 0

Work in progress.



#!/bin/bash
# For the account running the script (~ expands to that account's home, not every user's)
defaults write ~/Library/Preferences/us.zoom.xos.plist ZDisableVideo 1
defaults write ~/Library/Preferences/us.zoom.ringcentral.plist ZDisableVideo 1

#Kill Zoom Opener Apps
pkill "ZoomOpener"
pkill "RingCentralOpener"

#Remove Zoom Opener webservices
rm -rf ~/.zoomus
rm -rf ~/.ringcentralopener

#Create empty placeholder files in place of the directories
touch ~/.zoomus
touch ~/.ringcentralopener

exit


Editing to incorporate some of the feedback, thanks all. Not sure about the "Disable Video" setting for RingCentral, but testing.


@jhatem @zbennis @strayer



Are you seeing success with those defaults write commands? I'm testing on my machine, and that plist does not exist in either location, and if I put that plist in both locations it has no effect on the disable video pref.



Looking at files that are changed when making that pref change in Zoom, it looks like only the /Users/<user>/Library/Application Support/zoom.us/Data/zoomus.db file and /Users/<user>/Library/Preferences/us.zoom.xos.plist files are changed.


@jhatem
if you don't



touch ~/.zoomus


after you remove it, then the next time they open Zoom it will rebuild the same thing.


So I took the script for killing ZoomOpener and preventing it from being re-installed from the Medium article and rewrote it in a Jamf-compatible fashion.



# To prevent the vulnerable server from running on your machine
# (this does not impact Zoom functionality), run these two lines in your Terminal.

pkill "ZoomOpener"; rm -rf /Users/$3/.zoomus; touch /Users/$3/.zoomus && chmod 000 /Users/$3/.zoomus;

pkill "RingCentralOpener"; rm -rf /Users/$3/.ringcentralopener; touch /Users/$3/.ringcentralopener && chmod 000 /Users/$3/.ringcentralopener;


It is honestly just replacing ~ with /Users/$3/, but it gets the job done.



This does not prevent the folders from being modified if they do not already exist. Our company uses Zoom, so we all have this.



In regards to the automatically start video preference file, we need to discuss internally what the best course of action is as that would have a huge impact on our users.



edit: The reason we would want to use a defaults write command to fix the "don't start video automatically" preference is that a plist would potentially override all of the other settings in the app, correct? Or has no one tested this method?


@stevewood Gotta be honest, I haven't tested the preference portion of the script at all. We were much more concerned about the webserver chunk at the bottom. I was mostly just trusting @zbennis on the top chunk.


@stevewood I've been seeing the same. Once I purge that zoomus.db file it seems to load the preferences correctly. Given this article from Zoom I was really hoping it would work with a config profile, but no dice.


I am not seeing either of the defaults write commands work on a 10.13 machine. The checkbox does not get turned on to disable video. Haven't tried @sdamiano's solution yet.


I've tried each script in this thread and none of them has changed the setting to "turn off video" for me in testing. Has anyone had success with this and are you willing to share your script or the screenshots of the settings around the policy? I'm relatively new to this and could easily be making a simple mistake.



Thanks!


Thanks for the feedback.
I'm seeing us.zoom.xos.plist as the right file to tweak. Also,



One more we may want to touch up?
~/Library/Preferences/us.zoom.ringcentral.plist I imagine this may have the same "video on" default?


Just putting this together and it seems to set the preferences as expected.



#!/bin/bash
# Disable auto video and auto mic

currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Library/Application Support/zoom.us"

#Clear Out existing App Support DB
if [ -e "$zoomAppSupportPath" ]; then
rm -rf "$zoomAppSupportPath"
fi

# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath" ]; then
rm -rf "$prefPath"
fi

# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"

# create the placeholder
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"


exit 0

Been playing with this all morning. I have a script that works for me so far; note that there is no error checking or anything.
Testing:
Install zoomus on computer
test PoC attack, make sure it auto joins and it binds to the 19421 port
Run script - nothing is bound to 19421 when running lsof
Open Zoom app check lsof - nothing running on 19421 still
Run the PoC exploit and Chrome displays a broken image and nothing launches on the machine



#!/bin/bash

#variable declarations###########
#################################
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
zoomPID=$(lsof -ti :19421)
#################################


#################################
#disable webcam for all accounts#
#################################
defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1
#################################

#################################
#kill zoom server process########
#remove zoom server directory####
#create stub file################
#################################
if [ -n "$zoomPID" ]; then
    kill -9 $zoomPID
fi
pkill "ZoomOpener"; rm -rf /Users/"$loggedInUser"/.zoomus; touch /Users/"$loggedInUser"/.zoomus && chmod 000 /Users/"$loggedInUser"/.zoomus;

pkill "RingCentralOpener"; rm -rf /Users/"$loggedInUser"/.ringcentralopener; touch /Users/"$loggedInUser"/.ringcentralopener && chmod 000 /Users/"$loggedInUser"/.ringcentralopener;
##################################


exit 0


I have set it to run once per user per computer; however, 95% of my machines are single-user only. Not sure how that will impact some of your environments, but globally setting the webcam preference at least helps a bit.


If you want an EA to tell you if the hidden ZoomOpener.app is installed on a machine, here's something I adapted from @cdietrich's post to the #Security channel on MacAdmins Slack:



#!/bin/bash
# Extension attribute: report whether the hidden ZoomOpener.app exists in any user's ~/.zoomus

zoomFound="No"

for USER_HOME in /Users/*; do
    if [[ -d "${USER_HOME}/.zoomus/ZoomOpener.app" ]]; then
        zoomFound="Yes"
    fi
done

echo "<result>$zoomFound</result>"
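
The placeholder trick described earlier (replace ~/.zoomus with a regular file so the client cannot recreate the directory) and the EA above, combined into one script that walks every home under a base directory and then audits the result. This is an added example, not code from any poster in this thread. It assumes the helper directories are ~/.zoomus and ~/.ringcentralopener (the paths used in this thread), that homes live under /Users (the base directory is a parameter so the functions can be exercised against a scratch directory), that port 19421 is the helper's listener, and that pkill and lsof are present; the process-stop and listener checks are skipped where they are not.

```shell
#!/bin/bash
# Added example, not from any post in this thread.
# Neutralise the ZoomOpener/RingCentralOpener helper directories for every home
# under a base directory, then audit the result the way the EA above does.
# Assumptions: helper dirs are ~/.zoomus and ~/.ringcentralopener (paths from
# this thread); homes live under /Users; port 19421 is the helper's listener;
# pkill/lsof exist (those steps are skipped if they do not).

# Replace "$1/$2" (a helper directory, stale placeholder, or symlink) with a
# zero-byte, mode-000 regular file. The client recreates ~/.zoomus with mkdir,
# which fails against an existing regular file, so the helper is not reinstalled
# there. Note this is a speed bump, not a lock: the user can still delete a file
# in their own home. Returns 0 on success, 1 if the home does not exist.
neutralize_opener_dir() {
    n_home="$1"
    n_target="$n_home/$2"
    [ -d "$n_home" ] || return 1
    # -e misses dangling symlinks, hence the extra -L test.
    if [ -e "$n_target" ] || [ -L "$n_target" ]; then
        rm -rf "$n_target"
    fi
    : > "$n_target" && chmod 000 "$n_target"
}

# Stop the helper processes (macOS; a no-op where pkill or the processes are
# absent) and neutralise both helper dirs in every home under "$1".
# Returns 0 if every home was handled, 1 if any placeholder could not be written.
remediate_all_homes() {
    r_base="${1:-/Users}"
    r_rc=0
    if command -v pkill >/dev/null 2>&1; then
        pkill -x ZoomOpener 2>/dev/null || true
        pkill -x RingCentralOpener 2>/dev/null || true
    fi
    for r_home in "$r_base"/*; do
        [ -d "$r_home" ] || continue
        case "$r_home" in */Shared) continue ;; esac   # not a user home
        for r_rel in .zoomus .ringcentralopener; do
            neutralize_opener_dir "$r_home" "$r_rel" || r_rc=1
        done
    done
    return $r_rc
}

# Jamf-EA-style audit: prints <result>Yes</result> if any home under "$1" still
# has ZoomOpener.app installed or still has a helper *directory* (which the
# client can repopulate), otherwise <result>No</result>. Exit status 0 = found.
audit_openers() {
    a_base="${1:-/Users}"
    a_found=No
    for a_home in "$a_base"/*; do
        [ -d "$a_home" ] || continue
        if [ -d "$a_home/.zoomus/ZoomOpener.app" ]; then a_found=Yes; fi
        for a_rel in .zoomus .ringcentralopener; do
            if [ -d "$a_home/$a_rel" ]; then a_found=Yes; fi
        done
    done
    echo "<result>$a_found</result>"
    [ "$a_found" = Yes ]
}

# Did the fix take? 0 = something still listens on 19421, 1 = nothing does,
# 2 = cannot tell (no lsof on this box).
opener_listening() {
    command -v lsof >/dev/null 2>&1 || return 2
    [ -n "$(lsof -ti :19421 2>/dev/null)" ]
}

# Stand-alone use (hypothetical file name): sudo ./zoomopener-fix.sh --apply [/Users]
case "${1:-}" in
    --apply)
        remediate_all_homes "${2:-/Users}"
        audit_openers "${2:-/Users}" || true
        opener_listening && echo "warning: something still listens on 19421"
        ;;
esac
```

Run it once as root from a policy, then use audit_openers on its own as the EA body; the audit treats a surviving helper directory as a finding even when ZoomOpener.app is gone, because a directory is exactly what the client needs in order to rebuild the server on next launch. Mode 000 on the placeholder is cosmetic for root and only stops the user from writing into the file, not from unlinking it; if you need the placeholder to survive a determined user, root-owned plus chflags uchg is the macOS-native way to pin it, but remember to clear the flag before a later run removes it.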

The plist file does not work. However, I have found this on the Zoom site that does.
https://support.zoom.us/hc/en-us/articles/115001799006-Mass-Deployment-with-Preconfigured-Settings-for-Mac



There is a separate IT admin installer that can be run in the same location as the plist file, which will configure the disabled setting. I have tested it successfully on a number of Macs in our environment. Interestingly enough, it does not copy the plist file to the Preferences location (as their guide said it should) ... BUT it does work.



I'm still trying to figure out where it actually is saving the config setting. No luck on that yet.


@andrew.nicholas I used the .plist chunk of your script with the kill PID section of my previous post and it worked successfully. I then changed the preferences back and flushed logs, and it reset the preferences back for me.
This is what I ended up with:



#!/bin/bash

# Disable auto-video on Zoom
# Machine-wide preference, plus clearing the console user's Application Support DB
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
currentUserHome=$( dscl . read /Users/"$currentUser" NFSHomeDirectory | awk '{print $2}')
prefPath="/Library/Preferences/us.zoom.config.plist"
zoomAppSupportPath="$currentUserHome/Library/Application Support/zoom.us"

#Clear Out existing App Support DB
if [ -e "$zoomAppSupportPath" ]; then
    rm -rf "$zoomAppSupportPath"
fi

# Apply to all users on the machine
# Clear any existing preferences
if [ -e "$prefPath" ]; then
    rm -rf "$prefPath"
fi

# Apply for all users
defaults write "$prefPath" ZDisableVideo 1
defaults write "$prefPath" MuteVoipWhenJoin 1
chown root:wheel "$prefPath"

# Delete webserver
zoompid=`lsof -ti :19421`
echo "$zoompid"
if [ -z "$zoompid" ] ; then
    echo "zoompid not found"
else
    kill -9 "$zoompid"
fi

# create the placeholder in the console user's home (a regular file, so the client cannot recreate the directory)
rm -rf "$currentUserHome/.zoomus"
touch "$currentUserHome/.zoomus"

exit 0


EDIT: Fixed bottom section
EDIT: Fixed User direction.


@strayer glad to hear it but you might want to address the bottom section of the script. It's still referencing the homedir of the account running the script.



I made a custom preference profile to stop the webcam from joining automatically as well, after running the terminal command from the Medium post with the plist it generates.


@sharriston Does the app actually honor the config? I tried the same and it would not.


@andrew.nicholas So far it has been on all my coworkers machines. What I did was run this command



sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1


then copied that plist into the custom preferences section of a config profile. I would make sure you ran the /Library version of the command and not the ~/Library one; that was an issue someone else had with it.


Yes, the application is honoring the locally created preference file, but is the custom configuration profile being honored on a machine that has not run the defaults write command?

