CVE-2022-28749 - Breaking Into Zoom On-Premise Meetings from the Waiting Room

Zoom is one of the world’s most popular video conferencing platforms, and many businesses use their on-premise offerings for greater data control. But a critical flaw—CVE-2022-28749—exists in their Meeting Connector MMR (Multipoint Meeting Connector), potentially exposing private meetings to gatecrashers. Let’s break down what this vulnerability is, how it works, some exploit details, and what you need to do.

What Is CVE-2022-28749?

CVE-2022-28749 was disclosed in 2022, affecting Zoom On-Premise Meeting Connector MMR versions prior to 4.8.113.20220526.

Normally, when someone tries to join a Zoom meeting, they may land in a “waiting room.” Only the host can admit them. But, because of a bug in the permissions validation within vulnerable MMR versions, an attacker in the waiting room can bypass the host’s approval and enter the meeting directly. No interaction from the host is required.

In plain language: People you didn’t want in your meeting can show up anyway—if your Zoom is affected.

Technical Roots of the Issue

The Zoom On-Premise Meeting Connector relies on MMRs to manage meetings happening on your own servers. When an attendee is placed in the waiting room, the platform should check the host’s permission before letting them proceed. Here, the MMR failed to check the attendee's permissions correctly.

That means a user could send a specially-crafted request to the MMR, tricking it into treating them as an admitted participant.

Attacker joins a Zoom meeting and lands in the waiting room.

2. Attacker crafts a request or manipulates their Zoom client to bypass the waiting room restrictions.
3. Vulnerable MMR incorrectly grants access, admitting them to the meeting without the host’s consent.

Code Snippet Example

While the specific exploit code hasn’t been made fully public for obvious reasons, the general idea is this: the client (attacker) sends a “join” request, potentially with modified session tokens or identifiers not properly validated by the old MMR.

Here’s a pseudo-code sketch to illustrate

import requests

# Spoofing request to on-prem MMR to join meeting directly
meeting_id = "123456789"
waiting_room_token = "original_token_from_waiting_room"

url = f"https://your-mmr-server/meeting/join";
data = {
    "meeting_id": meeting_id,
    "token": waiting_room_token,
    "bypass_waiting_room": True   # The bug may ignore this!
}

response = requests.post(url, json=data)

if response.status_code == 200:
    print("Joined meeting (possibly bypassed waiting room)!")
else:
    print("Blocked from joining.")

Note: This is a simplified illustration; real exploits might manipulate Zoom client traffic or use intercepted tokens.

Exploit Details

Researchers discovered that, because the permissions weren’t properly checked, simple modifications to requests while in the waiting room allowed entry:

- Once you’re in the waiting room, you can replay or modify the join request to exploit the missing check.

- NVD Entry: CVE-2022-28749 at NVD
- Zoom Security Bulletin: Zoom Security Announcements
- Packet Storm Advisory: Packet Storm: CVE-2022-28749

Key Takeaways

- CVE-2022-28749 lets a user in the Zoom waiting room join an on-premise meeting without host approval.

A simple, free update solves the problem.

If you run on-premise Zoom, patch now or have your meetings potentially open to anyone who can reach your waiting room!

For more technical breakdowns, subscribe or follow our blog. Stay secure!

Timeline

Published on: 06/15/2022 21:15:00 UTC
Last modified on: 06/27/2022 17:50:00 UTC