The COVID-19 pandemic has resulted in a huge number of office workers working from home. This has led to a many-fold increase in the usage of communication and collaboration tools, including conferencing services such as Zoom. However, the video conferencing service has also seen its share of privacy issues. Now, a more serious vulnerability has been uncovered in the service's Windows client.
The vulnerability has to do with a feature in Zoom's chat that automatically converts UNC paths (Universal Naming Convention) and URLs into clickable links, to make it easier for users to navigate to the locations they specify. However, a UNC path can also be a Windows networking path such as \\server\share, and Zoom turns these into links as well. When a user clicks one, Windows tries to connect to the remote host using the SMB file-sharing protocol, and that connection can be used to extract the user's Windows credentials.
When the user clicks on the path and the OS tries to establish a connection with the remote site, it sends the user's login name and NTLM password hash, which attackers can then crack with password-cracking tools. The issue was first spotted by security researcher Mitch (shared on Twitter), after which security researcher Matthew Hickey successfully demonstrated the UNC injection in Zoom and showed how the password hash could be captured through a UNC path posted in the chat.
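The defensive counterpart to the behaviour described above is a chat linkifier that never turns a UNC path (or a file:/smb: URL, which a Windows client would also resolve over SMB) into a clickable link, plus a detector that flags such paths in messages. The following is an added example, not Zoom's code and not from the article; the function names, the regular expressions and the sample messages (using the 203.0.113.0/24 documentation range) are all constructed for illustration.

```python
import re
from html import escape
from typing import List, Optional, Tuple

# Windows UNC path: two backslashes, a host, then backslash-separated components.
# Characters that are illegal in Windows path components end the match.
UNC_PATH_RE = re.compile(r'\\\\[^\s\\/:*?"<>|]+(?:\\[^\s\\/:*?"<>|]*)*')
# file:// and smb:// URLs that a Windows client would also resolve over SMB.
SMB_URL_RE = re.compile(r'\b(?:file|smb)://[^\s<>"]+', re.IGNORECASE)
# Allow-list: only these schemes may become clickable links.
SAFE_URL_RE = re.compile(r'\bhttps?://[^\s<>"]+', re.IGNORECASE)

Segment = Tuple[str, Optional[str]]  # (display text, href or None)


def find_smb_references(message: str) -> List[str]:
    """Detection: return every UNC path or file:/smb: URL in a chat message,
    in order of appearance. Useful for alerting or for blocking a message."""
    matches = [(m.start(), m.group(0))
               for pattern in (UNC_PATH_RE, SMB_URL_RE)
               for m in pattern.finditer(message)]
    return [text for _, text in sorted(matches)]


def linkify(message: str) -> List[Segment]:
    """Mitigation: split a message into segments, attaching an href only to
    http(s) URLs. Anything else, including UNC paths, stays inert text."""
    segments: List[Segment] = []
    pos = 0
    for m in SAFE_URL_RE.finditer(message):
        if m.start() > pos:
            segments.append((message[pos:m.start()], None))
        segments.append((m.group(0), m.group(0)))
        pos = m.end()
    if pos < len(message):
        segments.append((message[pos:], None))
    return segments


def render_html(message: str) -> str:
    """Render the segments as HTML, escaping text so that nothing in the
    message can smuggle in its own <a href> markup."""
    parts = []
    for text, href in linkify(message):
        if href is None:
            parts.append(escape(text))
        else:
            parts.append(f'<a href="{escape(href, quote=True)}" '
                         f'rel="noopener noreferrer">{escape(text)}</a>')
    return "".join(parts)


# Constructed sample chat messages (not real traffic).
SAMPLE_MESSAGES = [
    "slides are at https://example.com/deck.pdf",
    "grab the file from \\\\203.0.113.5\\share\\notes.docx",
    "or try smb://203.0.113.5/share",
    "see https://example.com and \\\\203.0.113.5\\c$",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        hits = find_smb_references(msg)
        print(f"{'ALERT' if hits else 'ok   '} {msg!r} -> {hits}")
        print("      " + render_html(msg))
```

The point of the allow-list in `linkify` is that a new path syntax (a forward-slash `//host/share` form, a `\\?\` prefix, a new scheme) fails closed: it is simply not linked, rather than needing its own deny rule. `find_smb_references` is the audit view of the same message and is what you would wire to logging.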
Hi @zoom_us & @NCSC - here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
— Hacker Fantastic (@hackerfantastic) March 31, 2020
Hickey also added in a comment to BleepingComputer that UNC links can also be used to open apps or programs on the client’s computer. Interestingly, Mohamed A. Baset mentioned on Twitter that similar behavior was also present on macOS, but required more user interaction.
Zoom has not yet acknowledged the presence of this vulnerability in its app. While it is unlikely that users will be in conversations with such bad actors tasked with stealing credentials, it is still a security risk that needs to be addressed.
Those who do not want to wait for a fix can use a workaround posted by BleepingComputer. However, it should be noted that the workaround involves tweaking Group Policy, which should only be done if you are familiar with that interface and are aware of the risks involved.