CVE-2022-36924: Local Privilege Escalation Vulnerability in Zoom Rooms Installer for Windows Prior to 5.12.6

The Zoom Rooms Installer for Windows prior to version 5.12.6 suffers from a local privilege escalation vulnerability. This vulnerability allows a local low-privileged user to escalate their privileges to the SYSTEM user during the installation process. This post will provide extensive details on this vulnerability, its exploit, and its implications.

Vulnerability Details

CVE Identifier: CVE-2022-36924
Affected Software: Zoom Rooms Installer for Windows
Affected Versions: All versions prior to 5.12.6
Attack Vector: Local
Impact: Privilege Escalation
Severity: High
CVE Status: Assigned
Original Reference: [Link to Original Reference]

Explanation

During the installation of Zoom Rooms for Windows, a low-privileged user can exploit this vulnerability to gain SYSTEM user privileges. The vulnerability exists due to insecure file permissions set during the installation process. It grants write permissions to low-privileged users on critical folders and files, which allows the attacker to overwrite or modify these files, leading to privilege escalation.

Code Snippet

Here is an example code snippet that demonstrates the insecure file permissions set during the installation process:

// Installation directory
%PROGRAMFILES%\ZoomRooms

// Example of insecure file permissions
icacls "%PROGRAMFILES%\ZoomRooms" /grant *S-1-1-:F

In this example, the installer grants full control (F) to all users (*S-1-1-) on the ZoomRooms installation directory (%PROGRAMFILES%\ZoomRooms). This insecure configuration enables low-privileged users to manipulate files, execute code, or interfere with the installation process, thus escalating their privileges.

Identify the insecure file permissions on the critical Zoom Rooms installation directory

icacls "%PROGRAMFILES%\ZoomRooms"

2. Locate an executable or script file with write permissions that is executed by the installer during the installation process. An example of such a file could be ZoomRooms_Setup.exe.

3. Replace the identified file with a custom file containing malicious code, which will then be executed by the installer process with SYSTEM user privileges:

copy /y "malicious_payload.exe" "%PROGRAMFILES%\ZoomRooms\ZoomRooms_Setup.exe"

4. When the Zoom Rooms Installer executes the modified file, the attacker's code will be executed with elevated SYSTEM user privileges.

To mitigate this vulnerability, users should follow these steps

1. Update to the latest Zoom Rooms Installer (version 5.12.6 or later), available at the official Zoom download page: Zoom Download Page

2. Disable write permissions for low-privileged users on the Zoom Rooms installation directory by running the following command:

icacls "%PROGRAMFILES%\ZoomRooms" /remove *S-1-1-

Conclusion

Local privilege escalation vulnerabilities, like CVE-2022-36924, present significant risks to organizations that use Zoom Rooms Installer for Windows. Users should be aware of these risks and take appropriate steps to mitigate them by updating their software and disabling insecure file permissions. Following best practices for software installation, and promptly applying security updates and patches, will help to minimize the likelihood and impact of similar vulnerabilities in the future.

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/22/2022 00:41:00 UTC