CVE-2019-19810: Java RMI Deserialization of Untrusted Data in Zoom Call Recording

Zoom Call Recording 6.3.1 from ZOOM International is vulnerable to Java deserialization attacks targeting the inbuilt RMI service.
A remote unauthenticated attacker can exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host.

Exploitation Techniques:

Because the RMI service was protected by JEP 290, the vulnerability could not be directly exploited using ysoserial.
To bypass this security measure, one of two techniques can be used:

  • Direct Object Insertion into Function Arguments
  • "Bypassing" Argument Type Safety

Direct Object Insertion into Function Arguments

To use this technique, an attacker needs to find at least one remote method that accepts an arbitrary object, or a variant of one (e.g. an array of objects), as an argument.
Full description and scripts can be found here

"Bypassing" Argument Type Safety

This technique requires a more complex setup to perform the exploit, but it can be used on any remote method that takes at least one argument.
Full description and scripts can be found here

Conclusion

Both the above techniques result in Remote Code Execution if performed correctly.
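
A mitigation-side illustration, added here and not part of the original disclosure or of the vendor's code: both techniques rely on the server deserializing a class delivered in a remote method's argument position, and a process-wide JEP 290 allow-list filter restricts which classes any ObjectInputStream in the JVM without its own filter will accept. The class names, sample values and allow-list pattern below are constructed for the demo, which needs Java 9 or later.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {
    // Constructed stand-in for a class the remote interface never expects.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Assumed allow-list for this demo: only java.lang and java.util classes,
    // bounded depth and array size, everything else rejected by the final "!*".
    // The same string can be passed at startup as -Djdk.serialFilter=...
    static final String PATTERN =
            "maxdepth=5;maxarray=1000;java.lang.*;java.util.*;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserializes with no per-stream filter, so the process-wide one applies.
    static String tryRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Set before the service starts accepting calls; it can be set only once.
        ObjectInputFilter.Config.setSerialFilter(
                ObjectInputFilter.Config.createFilter(PATTERN));

        List<Object> expected = new ArrayList<>(List.of("room-1", 42));
        List<Object> nested = new ArrayList<>(List.of(new Unexpected()));

        System.out.println("expected argument : " + tryRead(serialize(expected)));
        System.out.println("unexpected class  : " + tryRead(serialize(new Unexpected())));
        System.out.println("nested in a list  : " + tryRead(serialize(nested)));
    }
}
```

Without the trailing `!*`, classes that match no pattern are left undecided and are still deserialized, so the allow-list only holds when the pattern ends with an explicit reject.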

Additional Resources:

Attacking Java RMI Services After JEP 290