When Mitigations Have Their Own Weaknesses

CWE Program
2 min read, Apr 6, 2021


In today’s software development, there is constant pressure to deploy new features quickly. However, new features require careful testing to ensure that they work, don’t introduce new problems, and are resilient to manipulation by an adversary. Let’s look at an interesting case from last year where the confluence of two CWEs led to a vulnerability, CVE-2020-6109 (documented in a Talos Vulnerability Report), that no longer exists in more recent versions of Zoom.

A Closer Look at the Challenge

This vulnerability starts with an attempt to exploit CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Someone can send you a link to an animated GIF during a Zoom meeting and have it displayed in your chat window. The way this is implemented, Zoom sends your client the URL from which to download the file and a filename under which to save it. If the filename is not prevented from containing the “..” sequence (the parent directory), another user can send you a link to a file and dictate, without restriction, where your Zoom client will write it. Zoom had a mitigation for this, but unfortunately, the mitigation itself had a weakness. For information and guidance on how such attacks are carried out and mitigated, refer to CAPEC-139: Relative Path Traversal.

The Vulnerable Mitigation

Zoom appended the characters “_BigPic.gif” to the file save name. This was to prevent a user from sending an executable or any other file except a .gif, as described in CAPEC-635: Alternative Execution Due to Deceptive Filenames. This mitigates a compromise leveraging CWE-22, as it would prevent the overwriting of executables or configuration files that would facilitate an adversary’s intended, nefarious outcome.

Unfortunately, this mitigation contained CWE-1287: Improper Validation of Specified Type of Input. The Zoom client assumed that it was processing a .gif file because of the file extension and treated it as safe. However, if an adversary ended their filename with “a:”, NTFS (the Windows file system) interprets the appended string “_BigPic.gif” as the name of an alternate data stream rather than as part of the filename. Alternate data streams are a way of attaching additional data to a file; most programs, and Windows itself, simply ignore them, so the file extension that the suffix was meant to enforce is not applied to the file that is actually saved. This introduces CWE-69: Improper Handling of Windows ::DATA Alternate Data Stream.

By combining these two CWEs, adversaries could overwrite any executable or configuration file anywhere the user has access, as described in CAPEC-240: Resource Injection.
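As an added illustration (not code from the article or from Zoom), the following Python models the two-CWE combination described above and contrasts the suffix-appending mitigation with a check that validates the client-supplied name itself. The download directory and filenames are constructed, `ntpath` is used so Windows path semantics apply on any OS, and `ntfs_effective_target` is a simplified model of NTFS `file:stream` syntax.

```python
import ntpath
import re

SUFFIX = "_BigPic.gif"
# Single path component only: no separators, no ':' (NTFS stream syntax).
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def ntfs_effective_target(path: str):
    """Simplified model of NTFS 'file:stream' syntax: text after the first
    ':' in the final path component names an alternate data stream, so only
    the text before it selects the file that is actually written."""
    directory, leaf = ntpath.split(path)
    file_part, _, stream = leaf.partition(":")
    return ntpath.join(directory, file_part), (stream or None)


def weak_save_name(client_supplied: str, download_dir: str) -> str:
    """Reconstruction of the mitigation the article describes (not Zoom's
    code): append a fixed .gif suffix and trust the result to be a GIF."""
    return ntpath.normpath(ntpath.join(download_dir, client_supplied + SUFFIX))


def hardened_save_name(client_supplied: str, download_dir: str) -> str:
    """Validate the name before building the path: reject traversal (CWE-22)
    and stream syntax (CWE-69) instead of relying on the suffix (CWE-1287),
    then confirm the final path is still directly inside download_dir."""
    if not SAFE_NAME.fullmatch(client_supplied) or client_supplied.strip(".") == "":
        raise ValueError(f"rejected client filename: {client_supplied!r}")
    final = ntpath.normpath(ntpath.join(download_dir, client_supplied + SUFFIX))
    if ntpath.dirname(final) != ntpath.normpath(download_dir):
        raise ValueError("path escaped the download directory")
    return final


def accepted(client_supplied: str, download_dir: str) -> bool:
    """True if the hardened check would save the file under this name."""
    try:
        hardened_save_name(client_supplied, download_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    downloads = "C:\\Users\\me\\Downloads"  # constructed
    for name in ("cat", "..\\..\\app.exe:"):  # constructed client-supplied names
        weak = weak_save_name(name, downloads)
        print(name, "->", weak, "writes", ntfs_effective_target(weak),
              "| hardened accepts:", accepted(name, downloads))
```

The colon-terminated traversal name shows how the suffix ends up as a stream name on a file outside the download directory, while the hardened check rejects it before any path is built.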

Prevent Future Issues by Testing Across Multiple Weakness Types

Zoom did a great job of fixing this vulnerability quickly, and due to the fact that the software is auto-updated, the changes rolled out to users seamlessly. To prevent this in the future, however, all vendors should test across multiple possible weakness types. Identifying and mitigating one weakness that a new feature introduces does not necessarily mean the feature is ready for production.

As this Zoom example shows, it is possible that the mitigation for one weakness can introduce another weakness, effectively bypassing the mitigation.


CWE Program

The official blog of the CWE Program. Articles are written by program staff and our community partners. https://cwe.mitre.org