This Week in Security: Through the Mouse Hole, Zoom RCE, and Defeating Defender


Windows security problems due to unsafe drivers are nothing new, but this one is special. Connect a Razer mouse, tell the installation dialog that you want to install to a non-standard location, then Shift + right-click in the Explorer window that opens. Choose to open a PowerShell window there, and boom, you now have a SYSTEM shell. It is not as impressive as an RCE and requires hands-on access to the machine, but it is beautiful in its simplicity.

The problem is compound. First, Windows 10 and 11 automatically download Razer Synapse and start its installation when a Razer device is connected. Note that this is not just Razer: any branded app that installs automatically this way may be vulnerable in the same manner. The installation process runs as SYSTEM, and because it is started automatically, no administrator account is required. The second half of the problem is that the installer itself takes no precautions to prevent the user from launching additional processes. There is no obvious way to prevent PowerShell from being started from within the FolderPicker class, so an installer running as SYSTEM would have to go out of its way to drop privileges to make this a safe process. The real solution is for Microsoft to say no to GUI installers bundled with WHQL-signed drivers.

Zoom RCE

Researchers from Sector 7, part of Computest, pulled off an impressive hack at Pwn2Own and obtained an RCE via the Zoom client. The limitation is that the attacker must be accepted as a contact, either manually or by belonging to the same organization. The main vulnerability is CVE-2021-30480, a heap buffer overflow that results from allocating a static buffer for a string supplied by a connecting remote client. While the overflow is a very powerful primitive, it took some effort to turn it into a full exploit.

To pull it off, the researchers found an information leak vulnerability based on URI confusion in image links. A malformed contact request could be sent with an unusual profile picture link. In normal use, the pic_relative_url field begins with a leading “/” and specifies a picture under the expected domain. In the odd contact request they crafted, they used a relative URL that did not start with that leading slash, but instead started with a partial domain name. When the Zoom client tried to download the remote image, it made the request to a domain that an attacker can control. This URL confusion bug could be combined with the overflow mentioned above to leak data about the current memory state of the victim’s machine.
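To make the URI confusion class above concrete, here is an added Python example (not Zoom’s code and not the researchers’ proof of concept) that builds the profile picture URL the naive way next to a hardened builder that re-checks which host the client would actually contact; the hostnames and field values are constructed placeholders, since the page does not reproduce the real ones.

```python
from urllib.parse import urlsplit

# Constructed placeholder host for this example; the real Zoom hostnames and the
# exact pic_relative_url value the researchers used are not reproduced on this page.
PROFILE_HOST = "profile.zoom.example"


def build_pic_url_naive(pic_relative_url: str) -> str:
    """Vulnerable pattern: glue the field onto the expected host and trust the result.

    Fine when the field is "/p/123.png"; breaks when it lacks the leading slash.
    """
    return "https://" + PROFILE_HOST + pic_relative_url


def build_pic_url_checked(pic_relative_url: str) -> str:
    """Hardened builder: insist on a single-slash absolute path, then re-parse the
    final URL and confirm the host the client will contact is still the expected one."""
    if not pic_relative_url.startswith("/") or pic_relative_url.startswith("//"):
        raise ValueError("pic_relative_url must be an absolute path on the expected host")
    url = "https://" + PROFILE_HOST + pic_relative_url
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != PROFILE_HOST or parts.username:
        raise ValueError("resolved URL would contact an unexpected host")
    return url


def contacted_host(url: str) -> str:
    """Host a client would actually connect to for this URL."""
    return urlsplit(url).hostname or ""


def evaluate(pic_relative_url: str) -> tuple[str, bool]:
    """Return (host the naive client would contact, whether the hardened builder accepts)."""
    naive_host = contacted_host(build_pic_url_naive(pic_relative_url))
    try:
        build_pic_url_checked(pic_relative_url)
        accepted = True
    except ValueError:
        accepted = False
    return naive_host, accepted


if __name__ == "__main__":
    # Constructed sample field values: one legitimate, two that smuggle in another host.
    for field in ["/p/123.png", ".attacker.example/p/123.png", "@attacker.example/p/123.png"]:
        print(field, "->", evaluate(field))
```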

The last vulnerability used was a seemingly insignificant one: the maximum message size limit could be bypassed by sending a GIF from GIPHY. In addition, sending multiple copies did not trigger multiple downloads, but did result in multiple copies being placed in memory. Placing these copies in memory allowed the researchers to set up their exploit chain, with the full attack reaching a success rate of around 50% when limited to the competition’s 5-minute window.

Update 08/27/21: A company spokesperson reached out to Hackaday on the matter with the following statement:

We take security very seriously and thank Computest for their work in helping us improve the security of our platform through this responsible disclosure. We’d also like to thank the Zero Day Initiative for enabling Zoom to sponsor and participate in the Pwn2Own Vancouver 2021 competition that led to the discovery of these issues. The issues were addressed with a server-side fix and a client-side fix in Zoom version 5.6.3, released April 19, 2021.

Second opinion on Pegasus

Citizen Lab has published an outside review of Amnesty International’s work on the NSO Group’s Pegasus spyware program. Their investigation found that the technical aspects of Amnesty’s findings were correct – the infection analysis, IOCs and infrastructure identified all appear to be correct. The biggest question the Amnesty International report raises remains completely unanswered: the list of targets. The source and veracity of this document are still completely unconfirmed.

Long-term Windows Defender bypass

The research group APTortellini has published their guide on how to defeat Windows Defender. A few commenters on this article scoffed at the first step, which is elevating to SYSTEM. You might even be wondering what the point is if you have already compromised a machine to the point of being root. SYSTEM access is just the beginning of an actual malicious campaign. This research is about how to neutralize Windows Defender without actually disabling it.

The first thing to know is that modern Windows has inherited some elements of Unix, with the Windows legacy bolted on top. To make this concrete, note that a Windows 10 C: drive actually lives under \Device\HarddiskVolumeX, with a series of symbolic links to make the C: notation work. One of those links is \SystemRoot, which by default points to \Device\BootDevice\Windows. Even SYSTEM cannot modify this link, but it can be deleted and recreated. This particular path happens to be the one Windows Defender uses to load its back-end driver, WdFilter.sys.

The technique essentially consists of reassigning \SystemRoot to a fake Windows directory and then restarting the Windows Defender service, which reloads the driver from the fake location. The replacement driver still has to be signed, but that still leaves a lot of leeway; the write-up uses the RWEverything driver. Recreate the original symlink and you have a placebo Defender that looks like it is working properly, with an arbitrary but signed driver running in its place.

$610 Million Recovered

Poly Network is a decentralized finance protocol. I’m not going to go into the weeds and describe exactly what that means, as this is a security column, not This Week in Blockchain. Just know that it is a blockchain platform that uses smart contracts to accomplish something similar to a bank or an investment firm. Poly Network had an incident earlier this month in which just over $600 million left its control. This feat appears to have been the result of a flaw in the smart contracts themselves. Further technical details are available from SlowMist.

The news this week is that [Mr. White Hat] has actually returned control of all the stolen funds to Poly Network. The whole story is bizarre, and reminiscent of the attack on The DAO years ago.

More suspicious activity in Iran

On the heels of a hacktivist group targeting Iranian infrastructure, we have the story of another group that broke into the security camera systems of Evin Prison in Tehran and released video evidence detailing the treatment of prisoners. Part of the dump is a surveillance camera feed showing the displays in the main security room. It is really a case of reality imitating art.

This attack was claimed by a group called “The Justice of Ali”. At some point the question must be asked whether these attacks are really grassroots efforts by independent hackers. One can easily imagine that they are fronts run by Western intelligence agencies.

T-Mobile update

Remember the T-Mobile breach? [John Binns] has claimed credit for it, and appears to have produced enough evidence to convince the Wall Street Journal of the claim. He says he found an unsecured router while scanning the internet, and used that foothold to access an internal data center network. This likely means he was looking for one of the trivial RCEs we have covered over the past few months and found a gateway that had not yet been patched. His story reads like a bad spy novel, about half of which is believable. It is still unclear whether he actually sold the data to anyone.
