{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/macos-malware-removal-tool/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Zoom Client for Mac","macOS Malware Removal Tool"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","macos","zoom"],"_cs_type":"threat","_cs_vendors":["Zoom","Apple"],"content_html":"\u003cp\u003eThe Zoom macOS client, specifically version 4.6.8 (19178.0323) and earlier, contains a local privilege escalation vulnerability. This vulnerability stems from the insecure use of the deprecated AuthorizationExecuteWithPrivileges API. The Zoom installer copies a bash script named \u003ccode\u003erunwithroot\u003c/code\u003e to a user-writable temporary directory. A local, unprivileged attacker can subvert this script before it is executed as root, thereby escalating their privileges. The vulnerability requires a local foothold on the macOS system and relies on the installer or updater being executed. While Zoom has faced other security and privacy concerns, this particular flaw allows for a complete takeover of the system by a local attacker. This privilege escalation vulnerability poses a significant risk, particularly in environments where multiple users share a single macOS system or where malware may already have a limited foothold. Zoom patched this in version 4.6.9 (19273.0402).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the macOS system via malware or other means.\u003c/li\u003e\n\u003cli\u003eThe Zoom installer package (Zoom.pkg) is executed, either by the user or automatically through an update.\u003c/li\u003e\n\u003cli\u003eThe macOS Installer copies the \u003ccode\u003erunwithroot\u003c/code\u003e script to a user-writable temporary directory, such as \u003ccode\u003e/private/var/folders/v5/s530008n11dbm2n2pgzxkk700000gp/T/com.apple.install.v43Mcm4r/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the temporary directory and modifies the \u003ccode\u003erunwithroot\u003c/code\u003e script with malicious commands.\u003c/li\u003e\n\u003cli\u003eThe installer invokes the AuthorizationExecuteWithPrivileges API, prompting the user for administrator credentials if they are not already an administrator.\u003c/li\u003e\n\u003cli\u003eThe system executes \u003ccode\u003e/usr/libexec/security_authtrampoline\u003c/code\u003e with the \u003ccode\u003erunwithroot\u003c/code\u003e script as an argument.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erunwithroot\u003c/code\u003e script, now containing malicious commands, executes with root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves root-level access on the system, allowing them to perform any action they desire, such as installing malware, stealing data, or compromising other users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to gain complete control over the affected macOS system. The attacker can install persistent backdoors, steal sensitive data, or compromise other user accounts on the system. While the report does not specify the number of victims, the widespread use of Zoom makes this a high-impact vulnerability. Sectors targeted could include any organization using Zoom on macOS, potentially leading to significant data breaches or system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Zoom to version 4.6.9 (19273.0402) or later to patch the privilege escalation vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Modification of Zoom runwithroot Script\u003c/code\u003e to detect attempts to modify the vulnerable script.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of \u003ccode\u003esecurity_authtrampoline\u003c/code\u003e with arguments pointing to user-writable directories, as indicated in the analysis of the AuthorizationExecuteWithPrivileges API usage.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring to detect the execution of scripts or binaries from temporary directories, which can indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider disabling or restricting the use of the AuthorizationExecuteWithPrivileges API where possible, as recommended by Apple.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-zoom-macos-privesc/","summary":"Zoom's macOS client contains a local privilege escalation vulnerability that allows an unprivileged attacker to gain root privileges by subverting the runwithroot script, due to the insecure use of the deprecated AuthorizationExecuteWithPrivileges API.","title":"Zoom macOS Client Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-zoom-macos-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — MacOS Malware Removal Tool","version":"https://jsonfeed.org/version/1.1"}