Zoom Vulnerability Remediation, 14 Total Variants & RCE found. Index of Zoom & MRT Links & Info

14 total Zoom vulnerability / exploit variants and an RCE (Remote Code Execution) found!

Just when you'd had enough of the first Zoom vulnerability, Apple released MRTConfigData 1.46 (now 1.47!) to deal with 14 total variants and a Remote Code Execution (RCE). I created this Index of MRT Links & Info to help you get through the confusion.

Jonathan Leitschuh reported the first vulnerability in Zoom. I wrote an article talking about this and how to remediate the RCE and conferencing video bug here.

UPDATED: 07/18/19 – MRTConfigData 1.47 released and 3 more Zoom variants! Brings the total to 14.

MRT Malware Removal Tool Index

  • 1. List of zoom opener variants and MRT versions
  • 2. MRTConfigData Compatible OS versions.
  • 3. Software Update & MRT Commands
  • 4. Malware Removal Tool Documentation
  • 5. Caveats of installing MRTConfigData and how the MRT scan works differently in 10.14 vs 10.13
  • 6. Other ways to install MRT updates
  • 7. Digging into the MRT Binary
  • 8. More questions, Problems and Errors
  • 9. Links to scripts and other MacAdmin articles
  • 10. Disclaimer

1. List of Zoom opener variants and MRT versions

How do we even know which variants are included in MRTConfigData v1.45 and v1.46? (Now 1.47!) The only way to find out is to dig into the MRT Binary Code. I talk about how I found the new variants a little more in section 7 below.

We now have 14 new Zoom Opener variants to worry about. Each one is a hidden folder listed in your user folder!

MRT Versions

  • 1. MRTConfigData v1.45 – 7/10/19
  • 2. MRTConfigData v1.46 – 7/16/19
  • 3. MRTConfigData v1.47 – 7/18/19

Zoom Variants

  • 1. /.zoomus – 1.45
  • 2. /.ringcentralopener – 1.46
  • 3. /.telusmeetingsopener – 1.46
  • 4. /.btcloudphonemeetingsopener – 1.46
  • 5. /.officesuitehdmeetingopener – 1.46
  • 6. /.attvideomeetingsopener – 1.46
  • 7. /.bizconfopener – 1.46
  • 8. /.huihuiopener – 1.46
  • 9. /.umeetingopener – 1.46
  • 10. /.zhumuopener – 1.46
  • 11. /.zoomcnopener – 1.46
  • 12. /.earthlinkmeetingroomopener – 1.47
  • 13. /.videoconferenciatelmexopener – 1.47
  • 14. /.accessionmeetingopener – 1.47

2. MRTConfigData Compatible OS versions.

You can run the MRTConfigData update on the following macOS versions.

  • Mojave 10.14
  • High Sierra 10.13
  • Sierra 10.12
  • El Capitan 10.11 (Note: You can only use softwareupdate -ia --background as the --include-config-data option was new in Sierra 10.12)

3. Software Update & MRT Commands

Let’s get right to it, here are the commands again if you want to remediate right now!

  • 1. Check for config data updates: /usr/sbin/softwareupdate -l --include-config-data
  • 2. Manual Install of MRT v1.47: /usr/sbin/softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data
  • 3. Verify Version of MRT: /usr/bin/defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
  • 4. Force Run MRT.app in Agent mode: /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a

If MRT finds Zoom, the manual scan will look like this.

A manual MRT -a agent scan found ZoomOpener and deleted it.

4. Malware Removal Tool Documentation

Apple has not documented how the MRT Scan works. The MRT Tool is called out with just a few lines in the macOS Security Overview for IT.

macOS Security Overview for IT 2018

Apple refers to MRT updates as a “Silent or Quiet Update” when referenced in the media. The MRT binary doesn’t have a man page or a help option. Targeted malware variants are not documented. Sounds like a job for #MacAdmins!!!

5. Caveats of installing MRTConfigData and how the MRT scan works differently in 10.14 vs 10.13

You need to know about a few caveats with this process. I have tested the installation and scan multiple times and found differences in each OS! Let’s start with Mojave 10.14 then move to High Sierra 10.13.

MRT in Mojave 10.14.5

  • When you manually install the MRTConfigData update the MRT.app will automatically run a MRT Scan!
  • You only have to worry about other users who may have installed any of the opener variants, as the MRT Scan runs for the logged-in user only.
  • A restart or a logout/login will also kick off an MRT Scan.
  • You can run a script that Rich wrote that will remove zoom from all logged in users.
  • github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/fix_zoom_vulnerability

MRT in High Sierra 10.13.6

  • A reboot will kick off an MRT Scan
  • A logout and login will kick off an MRT Scan
  • When you manually install the MRTConfigData update the MRT Scan will NOT run automatically!!!
  • You will need to run the MRT.app agent scan manually to remove any zoom variants.

TLDR: Installing MRTConfigData in 10.14 automatically kicks off the MRT.app scan, while in 10.13 the MRT scan does NOT run automatically.

H/T to @howardnoakley and @alvarnell for pointing out that after installing MRTConfigData the MRT Scan kicks off automatically. I did not know it at the time, but they were testing in 10.14. All my testing was on 10.13, so that's why I was getting different results!

6. Other ways to install MRT updates

If you are on Mojave 10.14.5 you will automatically get the MRTConfigData update as long as you have the following SoftwareUpdate Settings set to ON.

Software Update – Required settings to get “System Data Files and Security Updates”

As long as you have these settings set to ON your Mac should automatically check in for new updates and install them every 24 hours.

For the com.apple.SoftwareUpdate.plist file you need the following settings set to ON.

/Library/Preferences/com.apple.SoftwareUpdate.plist

  • AutomaticCheckEnabled = 1
  • AutomaticDownload = 1
  • ConfigDataInstall = 1
  • CriticalUpdateInstall = 1

If you want to install all background updates now without waiting you can issue the following command.

sudo softwareupdate --background --include-config-data – Only background updates

or

sudo softwareupdate -ia --include-config-data – Background updates AND OS level Updates

NOTE! The -ia option will install ALL available software updates including Combo, Safari and Security Updates.

The above commands will only install Xprotect updates if you have all the automatic software update settings set to ON.

7. Digging into the MRT Binary

Apple does not list the targeted malware variants anywhere, so the only way to find them is to dig into the MRT binary code. You can't just open the code inside MRT as it has thousands of lines of code. You have to first compare the current version to the old one. This will give you the first clues, as each piece of malware is given a code. In this case it was MACOS.354c063.

Now that we have the Malware Family ID we can then search the MRT Binary using a disassembler application. A disassembler like Hopper is used to view the actual code of the new MRT binary.

BINGO!!! The actual code calling out /.zoomus/ZoomOpener.app

8. More questions, Problems and Errors

We still have questions about how MRT works, especially MRT -d or daemon mode. I have even reached out to Apple for an answer on this.

Howard Oakley wrote a great article looking into this.

eclecticlight.co/2019/07/13/what-happened-when-mrt-was-updated-and-what-mrt-does/

This is the best information we have so far.

Problems and Errors

Trying to run a manual update and scan can cause some problems in certain situations.

  • 1. Running /usr/sbin/softwareupdate -i MRTConfigData_10_14-1.47 --include-config-data shows
Result of command:
MRTConfigData_10_14-1.46: No such update
No updates are available.

If this happens run /usr/sbin/softwareupdate -l --include-config-data first.

  • 2. Running the MRT Scan from a script shows

MRT Scan failedToReceiveProfileList

You will need to run MRT in 10.14 as the logged in user.

Running MRT in agent mode as the logged in user.

9. Links to scripts and other MacAdmin articles

  • CVE Numbers
  • DoS Vulnerability – Fixed in Client version 4.4.2 – CVE-2019-13449
  • Information Disclosure (Webcam) – Zoom – CVE-2019-13450
  • The Zoom Client before 4.4.53932.0709 on macOS allows RCE (remote code execution) – CVE-2019-13567
  • Macadmins.slack.com – You can also talk about the Zoom Vulnerability and join the #zoom channel or #security in MacAdmins Slack.

10. Disclaimer

I tried to test and research as much as possible to save you time. I hope this Index of MRT Links & Info helps you, but since this issue revolves around security please double check and test before you deploy. After deployment check again that the files inside the opener are in fact deleted.
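As an added example (my own script, not the author's), here is a post-deployment check that backs up the advice above using the lists from sections 1 and 3: it reads the installed MRT version from Info.plist and reports any of the 14 hidden opener folders that still contain files in each home directory under /Users. The required version of 1.47 and the /Users layout are assumptions you may need to adjust.

```shell
#!/bin/sh
# Added example, not from the post: verify remediation after deploying
# MRTConfigData. Checks the MRT version from Info.plist (section 3) and looks
# for the 14 hidden opener folders (section 1) that still hold files.

REQUIRED_MRT="1.47"   # assumed minimum; bump when a newer MRTConfigData ships
MRT_PLIST="/System/Library/CoreServices/MRT.app/Contents/Info.plist"

# The 14 hidden folders MRT 1.45 through 1.47 target, as listed in section 1.
OPENER_DIRS=".zoomus .ringcentralopener .telusmeetingsopener
.btcloudphonemeetingsopener .officesuitehdmeetingopener .attvideomeetingsopener
.bizconfopener .huihuiopener .umeetingopener .zhumuopener .zoomcnopener
.earthlinkmeetingroomopener .videoconferenciatelmexopener .accessionmeetingopener"

# Print each opener folder under home dir $1 that still has contents
# (an empty leftover folder is fine; ZoomOpener.app inside it is not).
# Returns 0 when nothing remains, 1 when at least one folder was reported.
find_openers() {
  h="$1"; found=0
  for d in $OPENER_DIRS; do
    if [ -d "$h/$d" ] && [ -n "$(ls -A "$h/$d")" ]; then
      echo "$h/$d"
      found=1
    fi
  done
  return $found
}

# True when installed version $1 is at least required version $2,
# comparing major.minor numerically (so 1.50 sorts after 1.47).
mrt_version_ok() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n | head -n 1)
  [ "$lowest" = "$2" ]
}

installed_mrt_version() {
  defaults read "$MRT_PLIST" CFBundleShortVersionString
}

main() {
  rc=0
  v=$(installed_mrt_version)
  if mrt_version_ok "$v" "$REQUIRED_MRT"; then
    echo "MRT $v: OK"
  else
    echo "MRT $v is older than $REQUIRED_MRT; run softwareupdate first"; rc=1
  fi
  for h in /Users/*; do
    if [ -d "$h" ]; then find_openers "$h" || rc=1; fi
  done
  return $rc
}

# Run only as `sudo sh check.sh --run`; the functions stay testable otherwise.
if [ "${1:-}" = "--run" ]; then main; fi
```

A non-zero exit means either MRT is too old or an opener folder still has files in it, which is the "check again after deployment" step from the disclaimer.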


How to Remediate the Zoom Vulnerability with Apple Malware Removal Tool

Remediate the Zoom Vulnerability with Apple’s Malware Removal Tool or MRTConfigData v1.45

Zoom Vulnerability / Exploit and RCE

UPDATE: 07/18/19 – I put together a new blog update that includes 14 total Zoom Variants, New MRTConfigData 1.47 along with new information, fixes and links! mrmacintosh.com/zoom-vulnerably-remediation-14-total-variants-index-of-mrt-links-info/

Yup, the Zoom Vulnerability has been THE talk of the MacAdmins community for the past 2 days. This stuff moves very fast and you have to keep an eye out! The vulnerability was first disclosed by Jonathan Leitschuh. This is not just Zoom but also RingCentral and possibly BlueJeans. A link to a statement from BlueJeans is below.

How do I remediate CVE-2019-13450?

Below are three options you can look through.

  • Option #1 Install Updated Zoom.app
  • Option #2 Apple MRT – Malware Removal Tool
  • Option #3 Manual Removal + Scripts and links

Option #1 Install Updated Zoom.app 4.4.53932.0709

Install the new version of Zoom: zoom.us/support/download

This version should remove everything including the WebServer installed to ~/.zoomus

From blog.zoom.us/wordpress/2019/07/10/security-update-and-our-ongoing-efforts/

Tuesday, July 9
Zoom issued an update to our Mac app with the following:
Removed the local web server via a prompted update 
Allowed users to manually uninstall Zoom. This new option to the Zoom menu bar allowed users to manually uninstall the Zoom client, including the local web server. A new menu option says, “Uninstall Zoom.” By clicking that button, Zoom’s app and web server are removed from the user’s device along with the user’s saved settings

Wednesday, July 10
Apple issued an update to ensure that the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction. 

Weekend of July 13
We have a planned release for the weekend of July 13 that will address video on by default. With this release, first-time users who select “Always turn off my video” will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings. (Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.)

Option #2 Apple MRT – Malware Removal Tool

Apple, in a very quick move, released MRTConfigData 1.45 at 5PM CST yesterday. According to TechCrunch:

techcrunch.com/2019/07/10/apple-silent-update-zoom-app/

The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.
Apple said the update does not require any user interaction and is deployed automatically.

TechCrunch
MRTConfigData v1.45

Apple’s Malware Removal Tool will update on all 10.11, 10.12, 10.13 & 10.14 within 24 Hours

As long as you have softwareupdate set to Automatically Check for Updates, Download New Updates in the Background & Install System Data Files and Security Updates. NOTE: 10.11 does not have the --include-config-data option, so you have to run sudo softwareupdate -ia --background

I need the update now!

Got you covered! You can use softwareupdate to manually install MRTConfigData 1.45. You can run this to list all available Xprotect Updates.

  • softwareupdate -l --include-config-data

To install the update you can run

  • softwareupdate -i MRTConfigData_10_14-1.45 --include-config-data
Manually download MRTConfigData using softwareupdate

I am not sure yet if just installing the new update actually activates and runs MRT or not. This command works great because it ONLY installs the called-out update. If you use softwareupdate -ia --include-config-data it will install ALL software updates, including Combo, Safari etc.

Verify that you have 1.45

  • defaults read /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString

To force MRT to run now

NOTE: If you are trying to run MRT.app remotely over ssh or by using an MDM, it needs to run as the logged in user at least in 10.14. In 10.12 and 10.13 MRT seems to run fine no matter the user. You can use the 2 lines of code below to get the logged in user then run the command as the user. The error you will get in 10.14 will say failedToReceiveProfileList.

How you could run a quick small script as the logged in user.
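The two lines in that screenshot are not reproduced on this page, so here is an added example (my own, not the author's script) that does the same job for the note above and for the failedToReceiveProfileList error in section 8 of the index: it parses the console user out of scutil and runs MRT -a as that user. Using launchctl asuser together with sudo -u is my choice of mechanism, not necessarily what the screenshot used.

```shell
#!/bin/sh
# Added example, not the post's own script: run MRT.app in agent mode as the
# console (logged-in) user, so a root session over ssh or from an MDM does not
# fail with "failedToReceiveProfileList" on 10.14.

MRT_BIN="/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT"

# Parse the console user's short name from the output of
# `scutil` for "show State:/Users/ConsoleUser", read from stdin.
# Prints nothing at the login window (Name : loginwindow), so callers can
# tell that nobody is logged in.
console_user_from_scutil() {
  awk '/Name :/ && !/loginwindow/ { print $3 }'
}

# Ask scutil on a live Mac for the current console user.
console_user() {
  echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil
}

# Run the MRT agent scan inside the user's launchd context (needs root).
run_mrt_as_user() {
  user="$1"
  uid=$(id -u "$user") || return 1
  launchctl asuser "$uid" sudo -u "$user" "$MRT_BIN" -a
}

main() {
  user=$(console_user)
  if [ -z "$user" ]; then
    echo "No console user (login window); MRT -a skipped" >&2
    return 1
  fi
  echo "Running MRT -a as $user"
  run_mrt_as_user "$user"
}

# Run only as `sudo sh run_mrt.sh --run`, so the functions can be sourced
# and tested without touching scutil or MRT.
if [ "${1:-}" = "--run" ]; then main; fi
```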

Manual Command that you can run if you are logged in as the user.

  • /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a
Manually updating MRT on the fly!

Hat Tip to AndyInCali on MacAdmins Slack for the MRT -a !!!

Option #3 Manual Removal + Scripts and Links

Rich Trouton wrote a great script to manually remove zoom’s WebServer.

NOTE: Keep in mind trashing the app will NOT remove the ~/.zoomus web server. You will either need to kill the process and then overwrite the file like in Rich’s script below, wait for MRT, or install the new version which removes the web server.

derflounder.wordpress.com/2019/07/10/zoom-vulnerability-and-remediation-script/

You can follow a long thread on Jamf Nation:

.jamf.com/jamf-nation/discussions/32561/zoom-exploit

You can also talk about the Zoom Vulnerability and join the #zoom channel in MacAdmins Slack.
