4/8/2021
06:15 PM

Zoom Joins Microsoft Teams on List of Enterprise Tools Hacked at Pwn2Own

White-hat hacking event shows yet again why there's no such thing as foolproof security against modern attacks.

A pair of security researchers at the virtual Pwn2Own hacking contest Wednesday exploited a combination of three individual zero-day bugs in the Zoom client to show how attackers could gain complete remote control of any PC or notebook computer on which the video communications software is installed.

The exploit came barely a day after another researcher at Pwn2Own demonstrated code execution on Microsoft Teams, which, like Zoom, has seen a surge in use since the global COVID-19 pandemic forced an increase in remote work at many organizations. The two exploits — and several others against Microsoft Exchange Server, Windows 10, and other technologies — have served as a further reminder of just how vulnerable some core enterprise software and communication products are to modern attacks.

"One of the biggest trends we see is that the participants continue to evolve and adapt to the targets," says Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, which organizes the event each year. "Even as vendors make exploitation more difficult, contestants find a path to win."

The Zoom exploit garnered security researchers Daan Keuper and Thijs Alkemade of Dutch firm Computest Security an award of $200,000 and 20 so-called Master of Pwn points. Their exploit involved chaining together three bugs in the Zoom messenger client to gain code execution on a target system, without the user having to click or do anything. A Computest statement described the exploit as giving the two researchers control to execute actions on the device running the Zoom client, such as turning on the camera and microphone, reading emails and screen content, and downloading browser history. All of the actions could be taken without the user having to do anything or even noticing the activity.

Unlike previously disclosed vulnerabilities in the Zoom app that mostly allowed for attackers to snoop on video calls, the newly discovered ones are more serious because they give threat actors a way to take over the entire system, Computest said.

A Zoom spokesman Friday acknowledged the issue in the Zoom Chat group messaging product and said the company is currently working on its mitigation. In a statement, the spokesman said the attack demonstrated by the Computest researchers would need to originate from an accepted external contact or be part of the target's same organizational account.

"As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust," the statement noted. "If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."

The Zoom exploit was one of several high-profile exploits at a Pwn2Own event where some $1.5 million is up for grabs to security researchers who can find and demonstrate exploitable vulnerabilities in a selected list of products across seven categories. Target products included Microsoft Exchange Server and SharePoint under the server category; Teams and Zoom in the enterprise communications section; Microsoft Edge, Google Chrome, and Apple Safari in the browser category; and Adobe Reader and Microsoft Office 365 ProPlus under the enterprise applications category. In a sign of the times, Tesla's Model 3 car was also one of the targets available to researchers.

The annual Pwn2Own contest was launched in 2007 and is part of the CanSecWest security conference. Over the years, the event has become a venue for some of the top white-hat hackers in the world to congregate and take a crack at widely used and popular technologies. The event has become a security proving ground of sorts for technology vendors and has been useful in helping them identify and close vulnerabilities they might have missed themselves. The organizers of Pwn2Own give vendors 90 days to fix vulnerabilities that are disclosed to them at the event.

"The contest has certainly grown and expanded over the last few years," Gorenc says. "We've added categories for automobiles and enterprise communications while maintaining traditional targets like Web browsers and operating systems."  

Numerous Exploits
In the first two days of the three-day contest, security researchers from around the world punched holes in multiple widely used technologies and raked in tens of thousands of dollars in the process.

Jack Dates of RET2 Systems won $100,000 for exploiting an integer overflow error in Apple Safari and an out-of-bounds write issue to get kernel-level code execution. He picked up another $40,000 for combining three vulnerabilities in the Parallels Desktop virtualization software for Apple Macs to execute code on the underlying OS.

Dates' Parallels Desktop exploit was one of two that involved the virtualization technology at this year's Pwn2Own. On Thursday, security researcher Benjamin McBride of L3Harris Trenchant used a memory corruption bug in Parallels Desktop to escape the virtualization layer and execute code on the underlying OS. Like Dates, McBride earned $40,000 for his effort.

Researchers at DEVCORE Security Consulting, meanwhile, picked up $200,000 for showing how attackers could completely take over a Microsoft Exchange server by combining an authentication bypass vulnerability with a local privilege escalation issue in the technology. The discovery is sure to add to the already high concerns around Exchange server prompted by the recent disclosure of four critical zero-day bugs in the technology.

Independent security researcher OV demonstrated code execution on Microsoft Teams by combining a pair of bugs and was paid $200,000 for the effort. A team from Viettel Cyber Security earned $40,000 for showing how attackers could take advantage of an integer overflow bug in Windows 10 to escalate privileges from a regular user to a user with system-level privileges.

Bruno Keith and Niklas Baumstark from Dataflow Security exploited Google Chrome renderer and Microsoft Edge using the same exploit against both browser technologies and netted $100,000 as a reward for their work.

"The biggest takeaway so far is just the breadth of talent that comes to the competition," Gorenc says. "It's great to see the current art of exploitation in action against a variety of targets."   

The exploits targeting Microsoft Exchange, Teams, and Zoom have been the most significant so far, he says.

"We've already seen the impact Exchange bugs have on enterprises this year, so finding and fixing these bugs before they are used by attackers is huge," Gorenc notes.

Similarly, Microsoft Teams and Zoom are nearly ubiquitous. But there hasn't been a lot of research done on their security.

"Getting researchers to focus their interest here provides the vendors a great resource in resolving these vulnerabilities before they can be used by adversaries," Gorenc says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
