Zoom RCE from Pwn2Own 2021

FTA: &quot;Using a combination of proxies, modified DNS records, sslsplit and a new CA certificate installed in Windows, we were able to inspect all traffic, including HTTP and XMPP, in our test environment.&quot;<p>I have setup wireshark for troubleshooting. That&#x27;s about it. What&#x27;s the role of proxies, modified DNS records etc. in this setup? How can I duplicate this?<p>Thanks.

It blows my mind that there are people who manage to find exploit chains like these, amazing job!

This presumably doesn&#x27;t apply to the web app, which is the only way I&#x27;ve used Zoom.

Are there any cases or instances of secrets leaking from a zoom meeting through hacking ? Specifically from audio and video, not chat ?

&gt; This meant that by sending a ResponseKey message with an AES-encrypted &lt;encoded&gt; element of more than 1024 bytes, it was possible to overflow a heap buffer.<p>This is what I was looking for. Fundamental bug was an overflow of statically-allocated buffer leading to heap corruption.<p>We gotta get off memory-unsafe languages.

This is why I only run Zoom in Firejail.

Although they don’t make it easy to find the link, you can use Zoom in a browser which is the best way of limiting the damage it can cause if you <i>have</i> to use it in the first place.

Anyone know what logging&#x2F;printing library exploit.py is using in that first embedded video?

No one should be installing native apps for this now that we have WebRTC.