- UNC Path Injection Vulnerability Found in Zoom
- Hackers could steal your Windows Credentials
If you are working from home and using Zoom video software for your official meetings then you might be a high risk. Cyber Security experts found critical vulnerability in Zoom Video Conferencing software that allows hackers to clicking on malicious link over web chat.
The Zoom client for Windows Vulnerable to the UNC Patch Injection vulnerability that could steal login credentials remotely.
How Vulnerability Works in Zoom as follow
According to security researcher @_godmode,
- Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users.
- Zoom protocol handler getting lots of eyes over the last few days I suspect …. zoommtg:// – “C:\Users\xxxxxxxx\AppData\Roaming\Zoom\bin\Zoom.exe” “–url=%1”
- To steal Windows login credentials of a targeted user, all an attacker needs to do is sent a crafted URL (i.e., \\x.x.x.x\abc_file) to a victim via a chat interface.
Once clicked, the attack would eventually allow the attacker-controlled SMB share to automatically capture authentication data from Windows, without the knowledge of the targeted user.
Google Security researcher Tavis Ormandy demonstrates.
That’s just MoTW, I’ve verified it works. No prompts required. I think someone could realistically click on that. pic.twitter.com/VwYGB5il48
— Tavis Ormandy (@taviso) April 2, 2020
Security researcher Mathhew Hickey from HackerFantastic has tested the UNC injection vulnerability in ZOOM
Hi @zoom_us & @NCSC – here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted). pic.twitter.com/gjWXas7TMO
— Hacker Fantastic (@hackerfantastic) March 31, 2020
Zoom Vulnerability Demonstration
Zoom UNC Path injection/rendering leads to malicious executables execution demo, by security researcher Mohamed A. Baset
Zoom has fixed the vulnerability with following changes.
- Removed the attendee attention tracker feature.
- Released fixes for both Mac-related issues raised by Patrick Wardle.
- Released a fix for the UNC link issue.
- Removed the LinkedIn Sales Navigator after identifying unnecessary data disclosure by the feature.
Eric S. Yuan, Founder and CEO of Zoom said, “Transparency has always been a core part of our culture. I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform.”
Zoom Leaks Users Email Id’s and Photos and allow strangers to start a video call with them through Zoom access.
According to Zoom support By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section.
Zoom Applogise and Clarifies Encryption Content Across their Network.
“In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption, Zoom said.
“Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
“The goal of our encryption design is to provide the maximum amount of privacy possible while supporting the diverse needs of our client base. To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.”
“Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
“We are committed to doing the right thing by users when it comes to both security and privacy, and understand the enormity of this moment.”
