Zoom SQL injection on the client side
Zoom is a popular app that almost everyone used during the lockdown, especially in India. This post explains how a hacker was able to craft a malicious link that let him turn on your webcam or your phone's camera.
The attacker first tried various ways to understand the application but failed. Later he took a look at the Zoom executable itself and found something interesting.
Yes, so SQL queries are being run, but this looks incomplete, right? Fortunately the binary mentions that it is SQLite version 3.27.2. SQLite is open source, so the hacker was able to read the source and work out where this code lives. He found a function called "sqlite3LockAndPrepare".
As you might have guessed, this prepares SQL statements and executes them. BINGO!
Not really, since a company like Zoom has protections in place. We simply cannot send:
zoommtg://malicious' OR 1=1--
As it turns out, a plain SQL injection was impossible because Zoom wrapped every entry in ' marks, so we cannot simply comment out the rest of the parameter.
After some time the hacker had tried every attack he could think of, but nothing worked. He then tried \xC2, a UTF-8 lead byte that makes the next byte part of the same character. Because everything was being closed with a quotation mark, the \xC2 got a closing quote as well, but the browser then treated that quote as part of the \xC2 character and executed it, meaning that anything after it would be executed too. The payload was therefore \xC2' : the ' survived the escaping and the SQL injection went through.
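As an added illustration (not the author's or Zoom's code), the following Python models a quote-doubling escaper that treats 0xC2 as a UTF-8 lead byte and so passes the quote behind it through unchecked, and contrasts it with SQLite parameter binding, which needs no escaping step at all. The settings table, its column names and the escaper's logic are constructed assumptions for the demo.

```python
import sqlite3

# Constructed model of a quote-escaping routine that walks its input as UTF-8
# characters: a byte in 0xC2..0xDF is taken as the lead of a 2-byte sequence,
# so the byte after it is copied through without being inspected. This is an
# illustrative model of how such an escaper can fail, not Zoom's actual code.
def escape_by_chars(raw: bytes) -> bytes:
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC2 <= b <= 0xDF and i + 1 < len(raw):
            out += raw[i:i + 2]   # "two-byte char": the following byte is not checked
            i += 2
        elif b == 0x27:           # ASCII ' is doubled, the usual SQL escaping
            out += b"''"
            i += 1
        else:
            out.append(b)
            i += 1
    return bytes(out)

def setup_db() -> sqlite3.Connection:
    # Constructed settings table standing in for a client-side preferences store.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    con.executemany("INSERT INTO settings VALUES (?, ?)",
                    [("camera", "off"), ("mic", "off")])
    return con

def lookup_escaped(con: sqlite3.Connection, raw: bytes) -> list:
    # The escaped value is spliced into the SQL text between quotes.
    sql = b"SELECT name, value FROM settings WHERE name = '" + escape_by_chars(raw) + b"'"
    # latin-1 keeps one character per byte, so SQLite sees the same token stream.
    return con.execute(sql.decode("latin-1")).fetchall()

def lookup_bound(con: sqlite3.Connection, raw: bytes) -> list:
    # Parameter binding: the value never becomes part of the SQL text,
    # so there is no escaping step that can be gotten wrong.
    return con.execute("SELECT name, value FROM settings WHERE name = ?",
                       (raw.decode("latin-1"),)).fetchall()

if __name__ == "__main__":
    con = setup_db()
    print(lookup_escaped(con, b"' OR 1=1--"))      # [] : the plain quote is neutralised
    print(lookup_escaped(con, b"\xc2' OR 1=1--"))  # both rows: the quote after 0xC2 slipped through
    print(lookup_bound(con, b"\xc2' OR 1=1--"))    # [] : binding treats the whole value as data
```

Detection-wise, the escaped variant is the one to hunt for in client logs: a lone 0xC2 byte directly followed by a quote is never a legitimate UTF-8 sequence.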
The attacker could then use CSRF to send the Zoom link to a victim and use it to modify Zoom's settings on the client side, turning the camera on without any notification. I also think he could chain this to take control of the victim's PC, but that is just my opinion.
Keegan Ryan was awarded $2000 by Zoom for this critical issue. Keep following the tech news for daily updates on security!