CVE-2019-19810: Java RMI Deserialization of Untrusted Data in Zoom Call Recording
Zoom Call Recording 6.3.1 from ZOOM International is vulnerable to Java deserialization attacks targeting the built-in RMI service.
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host.
Exploitation Techniques:
Because the RMI service was protected by JEP 290, the vulnerability could not be directly exploited using ysoserial.
In order to bypass this security measure, one of two techniques can be used:
- Direct Object Insertion into Function Arguments
- "Bypassing" Argument Type Safety
Direct Object Insertion into Function Arguments
In order to use this technique, an attacker needs to find at least one remote method that accepts an arbitrary object, or a variant of one (e.g. an array of objects), as an argument.
Full description and scripts can be found here
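The two conditions this advisory turns on are a remote method whose parameter type admits any serialized object and a JEP 290 filter that is too permissive to stop it. The following Java program is an added example, not code from the advisory or from ZOOM International: it audits a java.rmi.Remote interface by reflection and reports parameters declared as Object, Object[], or an interface type (such as Serializable), and then shows how a strict JEP 290 allowlist filter is built and installed process-wide. The RecordingService interface and the class name com.example.recording.Metadata are constructed for the example and do not describe the Zoom product.

```java
import java.io.ObjectInputFilter;
import java.io.Serializable;
import java.lang.reflect.Method;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;

public class RemoteInterfaceAudit {

    // Constructed sample interface standing in for whatever Remote interface
    // an auditor would point this at; it is not Zoom Call Recording's.
    public interface RecordingService extends Remote {
        String getStatus(int recordingId) throws RemoteException;          // narrow types: not flagged
        void updateMetadata(Object metadata) throws RemoteException;       // Object: flagged
        void bulkImport(Object[] entries) throws RemoteException;          // Object[]: flagged
        void store(Serializable blob) throws RemoteException;              // interface type: flagged
    }

    /**
     * Returns one finding per parameter whose declared type lets a caller
     * supply an arbitrary serialized object. Arrays are checked by component type.
     */
    public static List<String> audit(Class<? extends Remote> iface) {
        List<String> findings = new ArrayList<>();
        for (Method m : iface.getMethods()) {
            Class<?>[] params = m.getParameterTypes();
            for (int i = 0; i < params.length; i++) {
                Class<?> declared = params[i];
                Class<?> base = declared.isArray() ? declared.getComponentType() : declared;
                String reason = reasonIfBroad(base);
                if (reason != null) {
                    findings.add(m.getName() + " parameter " + i
                            + " (" + declared.getSimpleName() + "): " + reason);
                }
            }
        }
        return findings;
    }

    private static String reasonIfBroad(Class<?> t) {
        if (t == Object.class) {
            return "accepts any serializable object";
        }
        if (t.isPrimitive()) {
            return null;
        }
        if (t.isInterface()) {
            return "interface type; any serializable implementation is accepted";
        }
        return null;
    }

    /**
     * Builds a JEP 290 allowlist: the named application classes and the
     * java.base module are accepted, everything else is rejected ("!*").
     * Patterns are evaluated left to right and the first match wins, so the
     * reject-all entry must come last. The same pattern string can be passed
     * on the command line as -Djdk.serialFilter=... instead.
     */
    public static ObjectInputFilter allowlistFilter(String... allowedClassPatterns) {
        String pattern = String.join(";", allowedClassPatterns) + ";java.base/*;!*";
        return ObjectInputFilter.Config.createFilter(pattern);
    }

    public static void main(String[] args) {
        for (String finding : audit(RecordingService.class)) {
            System.out.println("FINDING: " + finding);
        }
        // com.example.recording.Metadata is a placeholder for the application's own argument class.
        ObjectInputFilter filter = allowlistFilter("com.example.recording.Metadata");
        ObjectInputFilter.Config.setSerialFilter(filter);
        System.out.println("Installed process-wide deserialization filter: " + filter);
    }
}
```

The audit output is the list of methods to fix at the interface level: the advisory's point is that a JEP 290 filter on its own was not enough, and a method that takes Object still accepts any class the filter allows, so narrowing the parameter types (and keeping the allowlist down to the classes the service genuinely needs) is the remediation rather than the filter alone. Note that ObjectInputFilter.Config.setSerialFilter can only be called once per JVM, and the RMI registry and DGC transports have their own filter properties in the JDK, so a production deployment should set the filter at startup rather than from application code.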
"Bypassing" Argument Type Safety
This technique requires a more complex setup to perform the exploit, but it can be used on any remote method that takes at least one argument.
Full description and scripts can be found here
Conclusion
Both of the above techniques result in remote code execution if performed correctly.
