Zoom has once again made the news owing to another privacy issue. As disclosed, the Zoom client for Windows exposes users’ Windows credentials to potential attackers via UNC links.
Zoom Client Exposes Windows Credentials
Bleeping Computer has recently revealed how the Zoom client for Windows exposes credentials to an attacker.
As revealed, the problem exists because messages containing URLs or regular paths are automatically converted into clickable links in the Zoom app. While that helps a user open a link quickly in the browser, for non-URLs such as Windows networking UNC paths this leads to unexpected behavior. As explained by Lawrence Abrams,
If a user clicks on a UNC path link, Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the remote cat.jpg file.
While doing so, Windows also shares the user’s credentials (login name and NTLM password hash). Hence, an attacker may easily crack the password hashes using tools such as Hashcat; with GPUs, such tools would not take long to recover the passwords.
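The auto-linking behaviour described above, shown as an added example that is not Zoom's code: a naive chat linkifier that turns anything path-like, UNC paths included, into a clickable link, beside a hardened version that only links http/https URLs and flags UNC paths in outgoing messages. The sample chat lines and the `\\x.x.x.x\xyz` host are constructed for the example.

```python
"""Vulnerable vs hardened chat linkifier (added example, not Zoom's code)."""
import re
from html import escape
from urllib.parse import urlparse

# Constructed sample chat lines; the UNC host is a placeholder, not a real server.
SAMPLE_MESSAGES = [
    "Slides are here: https://example.com/deck.pdf",
    "Check this out \\\\x.x.x.x\\xyz\\cat.jpg",   # UNC path: clicking it makes Windows try SMB
    "Meeting notes are in notes.txt",
]

# Vulnerable pattern: any http(s) URL *or* anything starting with \\ becomes a link.
VULN_LINK_RE = re.compile(r"https?://\S+|\\\\\S+")

# Hardened pattern: only http/https with a restricted host charset and no stray quotes.
SAFE_URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s<>\"']*)?")

# Detection helper: a UNC path is two backslashes followed by a host (and optional share/path).
UNC_RE = re.compile(r"\\\\\S+")


def is_safe_link_target(target: str) -> bool:
    """Allow-list check run on every candidate href: web schemes only, with a host."""
    parsed = urlparse(target)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def _render(message: str, link_re: re.Pattern, validator=None) -> str:
    """Escape the message for HTML and wrap each regex match in an anchor.

    If a validator is supplied and rejects a match, the match is emitted as plain text.
    """
    out, pos = [], 0
    for m in link_re.finditer(message):
        out.append(escape(message[pos:m.start()]))
        target = m.group(0)
        if validator is None or validator(target):
            out.append(f'<a href="{escape(target, quote=True)}">{escape(target)}</a>')
        else:
            out.append(escape(target))
        pos = m.end()
    out.append(escape(message[pos:]))
    return "".join(out)


def linkify_vulnerable(message: str) -> str:
    """Links URLs and UNC paths alike; a click on \\\\host\\share triggers an SMB connection."""
    return _render(message, VULN_LINK_RE)


def linkify_hardened(message: str) -> str:
    """Links only http/https URLs, double-checked by an allow-list validator."""
    return _render(message, SAFE_URL_RE, validator=is_safe_link_target)


def find_unc_paths(message: str) -> list:
    """Return UNC paths found in a message, e.g. to warn or block before it is sent."""
    return UNC_RE.findall(message)


def link_targets(html: str) -> list:
    """Extract href values from rendered HTML, handy for tests and review."""
    return re.findall(r'href="([^"]*)"', html)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("message   :", msg)
        print("vulnerable:", link_targets(linkify_vulnerable(msg)))
        print("hardened  :", link_targets(linkify_hardened(msg)))
        print("UNC found :", find_unc_paths(msg))
        print()
```

The fix the article anticipates from Zoom is the allow-list in `linkify_hardened`: the client decides what may become a link from a short list of web schemes, rather than trying to enumerate everything that must not.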
The bug first caught the attention of a security researcher with alias g0dmode on Twitter.
#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users.
— Mitch (@_g0dmode) March 23, 2020
Later, another researcher Matthew Hickey demonstrated the UNC injection in Zoom to capture NTLM password hashes.
Hi @zoom_us & @NCSC – here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
— Hacker Fantastic 📡 (@hackerfantastic) March 31, 2020
Such a UNC injection may also allow an attacker to execute arbitrary code on the target device.
Dear @zoom_us & @NCSC – well that escalated quickly…. Thanks to @AppSecBloke & @SeanWrightSec for letting me use their Zoom meeting to test. You can exploit UNC path injection to run arbitrary code, Windows does warn you with an alert box however. pic.twitter.com/aakSK1ohcL
— Hacker Fantastic 📡 (@hackerfantastic) April 1, 2020
Do This To Mitigate Until A Fix Is Available
For now, this remains an unpatched issue awaiting a fix from Zoom, which should prevent the automatic conversion of UNC paths into clickable links. Zoom has confirmed in a statement to Bleeping Computer that they are working on a fix.
At Zoom, ensuring the privacy and security of our users and their data is paramount. We are aware of the UNC issue and are working to address it.
Until then, users can mitigate this problem by following Microsoft’s instructions to restrict NTLM credentials from being shared automatically.
This news came right after Zoom addressed the iOS users’ data-sharing issue with Facebook via its app.
Let us know your thoughts in the comments.