Zalo PC has a serious RCE vulnerability; be careful when receiving attachments
Recently, the CyberJutsu security research team disclosed three vulnerabilities in the Zalo PC messaging client, designated ZAL-01-001, ZAL-01-002 and ZAL-01-003. ZAL-01-001 and ZAL-01-002 were rated low risk, while ZAL-01-003 was rated critical.
- ZAL-01-001: UI bug, an overly long file name overflows the chat frame, pushing the real extension out of view
- ZAL-01-002: UI bug, the file-type icon is chosen from a sender-controlled "extension" field rather than the actual file name, so the wrong icon is displayed
- ZAL-01-003: an incomplete file-extension blacklist lets executable file types through, enabling a remote code execution (RCE) attack
With ZAL-01-003, an attacker can send a file containing malicious code to a victim via a private or group message. When the victim clicks the file, it is downloaded and opened, and the malicious code runs immediately.
In the worst case, the attacker turns this into a full remote code execution (RCE) attack, takes control of the victim's computer, and uses it as a foothold for further attacks for profit.
To prove the impact, CyberJutsu chained the three vulnerabilities together and carried out an RCE attack against a test victim machine.
Specifically, CyberJutsu prepared a VBE file carrying a reverse-shell payload, gave it a file name long enough to push the real extension out of the chat frame (ZAL-01-001), and set the "extension" field to a value that makes the client display the PDF icon (ZAL-01-002). Because .vbe was missing from the extension blacklist (ZAL-01-003), the client did not block the file.
The file was sent to the victim and appeared as an ordinary PDF attachment. When the victim clicked it, the VBE payload was downloaded and executed at once, giving CyberJutsu a shell from which it could read information on the victim's computer (the Notepad contents shown on screen were created solely to demonstrate the exploit).
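The three bugs chained above share one root cause: the client trusts sender-supplied metadata (a separate "extension" field and a display name that may hide the real suffix) and then filters with a blacklist that is bound to be incomplete. The following Python is an added example, written for this article and not Zalo's code, that models the flawed check beside a hardened one. The lure attachment, the naive blacklist and the extension sets are constructed for the example; the blacklist is deliberately missing .vbe to mirror the article, and the executable-extension list is a starting point, not a complete inventory.

```python
import os
import unicodedata

# Constructed, incomplete blacklist of the kind the article describes: it omits .vbe.
NAIVE_BLACKLIST = {"exe", "bat", "cmd", "com", "vbs", "js", "scr"}

# Extensions Windows hands to an interpreter or loader on double-click.
# Constructed for this example; extend it rather than treating it as complete.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "msi", "msp", "ps1", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "cpl", "lnk", "reg", "jar",
}

# Types the client may open directly from the chat window (allowlist).
SAFE_TO_OPEN = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx", "xlsx", "pptx", "zip"}

# Constructed lure modelled on the article: long name, ".pdf" visible near the
# front, real ".vbe" suffix pushed out of the chat frame, icon field says "pdf".
LURE = {
    "name": "Quarterly_Financial_Report_FY2020_Final_Approved_for_Distribution.pdf"
            + "_" * 80 + ".vbe",
    "extension": "pdf",
}


def naive_is_blocked(attachment: dict) -> bool:
    """Flawed check: trust the sender's "extension" field and a blacklist."""
    return attachment["extension"].lower() in NAIVE_BLACKLIST


def real_extension(filename: str) -> str:
    """Extension the OS will actually use, derived from the file name itself.

    NFKC-normalize (defeats look-alike Unicode dots), drop any path component,
    strip trailing dots and spaces (Windows removes them when creating the file),
    then take the last suffix, lower-cased.
    """
    name = unicodedata.normalize("NFKC", filename)
    name = os.path.basename(name.replace("\\", "/")).rstrip(" .")
    _, ext = os.path.splitext(name)
    return ext.lstrip(".").lower()


def classify(attachment: dict) -> str:
    """Hardened decision: ignore the sender's "extension" field entirely.

    Returns "block" for executable types, "open" for allowlisted types that
    may be opened in place, and "save-only" for everything else.
    """
    ext = real_extension(attachment["name"])
    if ext in EXECUTABLE_EXTENSIONS:
        return "block"
    if ext in SAFE_TO_OPEN:
        return "open"
    return "save-only"


def icon_for(attachment: dict) -> str:
    """Icon chosen from the real extension, never from sender metadata."""
    ext = real_extension(attachment["name"])
    return ext if ext in SAFE_TO_OPEN else "generic"


def display_name(filename: str, max_len: int = 40) -> str:
    """Truncate in the middle so the real extension always stays visible."""
    if len(filename) <= max_len:
        return filename
    ext = os.path.splitext(filename)[1]
    keep = max(1, max_len - len(ext) - 3)
    return filename[:keep] + "..." + ext


if __name__ == "__main__":
    print("naive check blocks lure:", naive_is_blocked(LURE))   # False
    print("real extension:", real_extension(LURE["name"]))      # vbe
    print("hardened verdict:", classify(LURE))                  # block
    print("icon:", icon_for(LURE))                              # generic
    print("shown as:", display_name(LURE["name"]))              # ...ends in .vbe
```

The hardened path makes three independent changes: the extension is recomputed from the file name the OS will see, the final decision is an allowlist (unknown types are saved but never opened in place), and the rendered name is shortened from the middle so the suffix can never be pushed off-screen.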
A demo video of CyberJutsu's exploit of the Zalo PC vulnerabilities can be watched here:
CyberJutsu reported the vulnerabilities to Zalo in late July 2020. On August 30, 2020, Zalo replied that ZAL-01-003 duplicated a vulnerability Zalo had itself found in March 2020. The other two vulnerabilities were acknowledged by Zalo and fixed.
According to CyberJutsu, however, Zalo's fix was not thorough and still let dangerous file types through. On October 23, 2020, Zalo added that it acknowledged CyberJutsu's follow-up contributions, that a temporary patch had been issued on August 1, 2020, and that the complete patch was released on October 1, 2020.
On its security page, Zalo also thanked CyberJutsu for finding the issues and helping keep Zalo's products safe, and sent CyberJutsu gifts.
CyberJutsu is still working with Zalo to identify and fix a number of other security holes. Under the terms of the disclosure agreement, those vulnerabilities cannot be published yet.