Zoom Cloud Meetings Windows Client | Version: 4.6.11 (20559.0413) Memory Heap Inspection Vulnerability

CVSS3.0: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N | Severity: 4.0 (Medium)

Overview

The Windows application of the Zoom Cloud Meetings software contains a vulnerability: because the
e-mail address and plain text password are not removed from memory, they could be exposed to an
attacker using a heap inspection attack that reads the sensitive data from memory dumps or by
other methods.

PoC

The attacker must be able to access the computer and create memory dumps of
the running processes. Once the dump has been created, the attacker can simply search it for the string ‘name=”’, and
the password is revealed.

The screenshot below shows that the application is logged out, but the password is still
available in memory.

Impact

Total account compromise is possible if two-factor authentication is disabled on the account.
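
A defensive illustration of the root cause described in the Overview, added here and not taken from the Zoom client or from the original advisory: a credential buffer released without wiping beside one zeroed before release, with a self-check that scans for the leftover secret. The arena, the function names and the sample password are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the process heap: a fixed arena that can be
   inspected after release without reading freed memory. */
static unsigned char arena[256];
static size_t arena_used;

static char *cred_alloc(const char *secret) {
    size_t n = strlen(secret) + 1;
    if (n > sizeof arena - arena_used) return NULL;
    char *p = (char *)arena + arena_used;
    memcpy(p, secret, n);
    arena_used += n;
    return p;
}

/* Weak pattern: the slot is released, the bytes stay where they were. */
static void cred_release_plain(char *p) { (void)p; arena_used = 0; }

/* Hardened pattern: zero through a volatile pointer so the compiler cannot
   drop the stores as dead writes (SecureZeroMemory does this on Windows). */
static void cred_release_wiped(char *p) {
    size_t n = strlen(p) + 1;
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
    arena_used = 0;
}

/* Self-check: is the needle still present anywhere in the arena? */
static int arena_contains(const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= sizeof arena; i++)
        if (memcmp(arena + i, needle, n) == 0) return 1;
    return 0;
}

/* Returns 1 if the secret survives a simulated logout, 0 if it does not. */
int leaks_after_logout(int wipe) {
    static const char pw[] = "constructed-sample-password"; /* constructed */
    memset(arena, 0, sizeof arena); arena_used = 0;
    char *p = cred_alloc(pw);
    if (!p) return -1;
    if (wipe) cred_release_wiped(p); else cred_release_plain(p);
    return arena_contains(pw);
}

int main(void) {
    return printf("plain=%d wiped=%d\n", leaks_after_logout(0), leaks_after_logout(1)) < 0;
}
```

The same scan-after-logout check can be kept as a regression test so that any credential copy left behind by a later code change is caught before release.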

Disclosure Timeline and further notes

  • First attempt to contact developer: 04/14/2020 (Request opened with ID #4302833)
  • Second attempt to contact developer: 05/02/2020 (Request opened with ID #5100257)
  • Third attempt to contact developer: 07/04/2020 (Request opened with ID #6559378)

I still have not received any updates on my reports.

I requested a CVE number on

Any updates will be posted here.

 

08/10/2020 Update:
In the latest release of the Zoom client, the credentials can be dumped only while the user is logged in.