During this quarantine, I see a lot of people are using the zoom app from business meetings to connecting with your loved ones. Even Boris Johnson uses zoom with the meeting id 539-544-323
A security issue in the Windows client of the popular video conferencing service that can be used for limited remote code execution and worse, to capture and replay security tokens to access network resources. It can steal windows passwords, can execute any program, etc remotely.
The app has a vulnerability in handling Uniform Resource Identifier paths, which can result in a Universal Naming Convention (UNC) injection.
I had some great discussion with Matthew on twitter regarding this.
How does it work?
When sending a chat message, any URLs are converted into hyperlinks so that other people can click it and directly go to the webpage.
The problem is Zoom client for windows doesn’t validate the paths and lead Windows networking UNC paths into a clickable link in the chat messages as well.
Example: C:\Windows\Firmware can be sent to the chatbox as \\127.0.0.1\C$\Windows\Firmware
If a user clicks on a UNC path link, Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the remote file.
When doing this, by default Windows will send the user’s login name and their NTLM password hash, which can be cracked using free tools like Hashcat to dehash, or reveal, the user’s password.
Security Researchers tested the UNC injection in Zoom and were able to capture the NTLM password hashes being sent to a server hosting the clicked on share.
This is the Proof of Concept where I am -(attacker) opening calculator in victim PC.
[Zoom it to check the full image]
Is there any mitigation?
They fixed in the new release, there is a Group Policy that can be enabled that prevents your NTML credentials from automatically being sent to a remote server when clicking on a UNC link.
The policy is called ‘Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers‘, needs to be set to “deny all” and can be found under the following path in the Group Policy Editor:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Option
I have also done some experiments like making a log server, where I can see what all they are chatting over zoom, you know complete breaching of zoom security. I have also tried combining LNK and WebDAV exploit but I failed ( help me out. Anyone?)
Good News: If you use 127.0.0.1 in the payload is used to prompts on victim screen asking for yes or no but that can be bypass by putting localhost instead of 127.0.0.1 in the payload, it won’t prompt anything from victim side. But got fixed in the recent release.
Bad News: So after the update, I tried several other ways to make the injection works, well but I got through link previews by encoding into base64 so you can still manage to get the RCE in the latest update too and no way I will make the POC for this xD
Cheers up, Even their latest update fails here, Give some try.