Zalo PC has a serious RCE vulnerability: be careful when receiving attachments

Recently, the CyberJutsu security research team disclosed three vulnerabilities in the Zalo PC messaging client, named ZAL-01-001, ZAL-01-002 and ZAL-01-003. ZAL-01-001 and ZAL-01-002 were rated low risk, while ZAL-01-003 was rated critical.

  1. ZAL-01-001: UI flaw, an overly long file name overflows the chat frame, so the end of the name (including the real extension) is pushed out of view
  2. ZAL-01-002: UI flaw, the wrong file-type icon is displayed for an attachment
  3. ZAL-01-003: an incomplete file-extension blacklist lets executable file types through, enabling a remote code execution (RCE) attack

With ZAL-01-003, an attacker can send a file containing malicious code to a victim through a private or group message. When the victim clicks on the file, it is downloaded and opened, and the malicious code executes immediately.

In the worst case, the attacker uses this to achieve remote code execution on the victim's machine, take control of it, and launch further attacks for profit from that foothold.

[Picture 1]

To prove the point, CyberJutsu chained the three vulnerabilities together and ran an RCE attack against a test victim's computer.

Specifically, CyberJutsu disguised a VBE file (encoded VBScript) carrying a reverse-shell payload. The file name was made long enough that the real ".vbe" extension overflowed out of the chat frame, and the value of the attachment's "extension" field was altered so that the application picked the wrong file-type icon.

The file was sent to the victim and displayed as an ordinary PDF attachment. When the victim clicked on it, the VBE payload was downloaded and executed immediately, giving CyberJutsu a shell with which to read information from the victim's computer (the Notepad file shown on screen in the demo was created solely to demonstrate the exploit).
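The chain above comes down to one design mistake: the client trusted attacker-supplied metadata and an incomplete blacklist instead of deriving the file type from the file name itself. The following toy model is an added illustration written for this article, not Zalo's code: the "name" and "extension" metadata fields, the blacklist and allowlist contents, the sample attachment and all function names are assumptions. It puts the flawed behaviour next to a hardened version that derives the extension from the name, rejects a declared/actual mismatch, and keeps the real extension visible when shortening long names for display.

```python
# Added illustration, not Zalo's code. Field names, lists and helpers are
# assumptions chosen to model the behaviour described in the article.
import os

# Assumed incomplete blacklist of "dangerous" extensions. The real list is
# not public; the point is that .vbe (encoded VBScript) is missing from it.
WEAK_BLACKLIST = {".exe", ".bat", ".cmd", ".vbs", ".js", ".msi"}

# Hardened approach: allow only types the client actually needs to handle.
ALLOWLIST = {".pdf", ".png", ".jpg", ".jpeg", ".txt", ".docx", ".xlsx", ".zip"}

# Constructed sample attachment in the spirit of the demo: the visible part of
# the name ends in ".pdf", a long run of padding pushes the real ".vbe" out of
# view, and the metadata "extension" field claims the file is a PDF.
DEMO_ATTACHMENT = {
    "name": "Bao_cao_tai_chinh_Q3_2020.pdf" + "_" * 80 + ".vbe",
    "extension": ".pdf",
}


def real_extension(filename: str) -> str:
    """Extension derived from the file name itself, normalised for comparison.

    Lower-cased, with trailing dots and spaces stripped first, because
    Windows ignores those when resolving the file type on open.
    """
    base = os.path.basename(filename).rstrip(". ")
    return os.path.splitext(base)[1].lower()


def shorten_keep_extension(name: str, max_len: int) -> str:
    """Middle-truncate a long name so the real extension always stays visible."""
    if len(name) <= max_len:
        return name
    ext = real_extension(name)
    keep = max_len - len(ext) - 3  # room for "..." plus the extension
    return name[:keep] + "..." + ext


def weak_decide(meta: dict) -> dict:
    """Model of the flawed behaviour.

    The icon is chosen from the attacker-controlled "extension" field, the
    blacklist is applied to that same field, and the full name is rendered
    even when it overflows the chat frame.
    """
    declared = meta["extension"].lower()
    return {
        "icon": declared.lstrip(".") or "generic",
        "allowed": declared not in WEAK_BLACKLIST,
        "display": meta["name"],
    }


def hardened_decide(meta: dict, max_display: int = 40) -> dict:
    """Hardened behaviour: trust only the name, and only allowlisted types."""
    ext = real_extension(meta["name"])
    declared = meta.get("extension", "").lower()
    mismatch = declared != "" and declared != ext  # metadata lies about type
    allowed = ext in ALLOWLIST and not mismatch
    return {
        "icon": ext.lstrip(".") if allowed else "blocked",
        "allowed": allowed,
        "display": shorten_keep_extension(meta["name"], max_display),
    }


if __name__ == "__main__":
    print("weak    :", weak_decide(DEMO_ATTACHMENT))
    print("hardened:", hardened_decide(DEMO_ATTACHMENT))
```

Run stand-alone, the weak handler shows a PDF icon and lets the file through, while the hardened handler blocks it and renders the name as "Bao_cao_tai_chinh_Q3_2020.pdf____....vbe", so the real extension is visible to the user.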

You can watch CyberJutsu's demo video of the Zalo PC exploit here:

CyberJutsu reported these vulnerabilities to Zalo in late July 2020. On August 30, 2020, Zalo responded that ZAL-01-003 duplicated a vulnerability Zalo itself had discovered in March 2020; the other two vulnerabilities were acknowledged and fixed.

However, according to CyberJutsu, Zalo's fix was not thorough and still left dangerous file formats unblocked. On October 23, 2020, Zalo added that it acknowledged CyberJutsu's subsequent contributions and had created a temporary patch on August 1, 2020; the complete patch was released by Zalo on October 1, 2020.

On its security page, Zalo also thanked CyberJutsu for finding the issues and helping to keep Zalo's products safe, and sent CyberJutsu gifts.

CyberJutsu is currently still working with Zalo to identify and fix a number of other security holes. Under the terms of the disclosure agreement, these vulnerabilities have not yet been made public.
