Recently, the Zoom client for Windows was found to be vulnerable to UNC path injection attacks. As a voice and video conferencing app, Zoom also lets users communicate with each other in its chat interface by sending text messages. However, as Bleeping Computer reports, an attacker could exploit a vulnerability in the chat module to steal the Windows login credentials of any user who clicks a crafted link.
Example of UNC injection
When you send a chat message, any URLs it contains are converted into clickable links, so that other members of the group can click them and open the web page in their default browser.
However, security researcher _g0dmode found that the Zoom client also converts Windows network UNC paths into clickable links in chat messages.
As shown in the figure, both the regular URL and the UNC path (\\evil.server.com\images\cat.jpg) are converted to clickable links in the chat message.
Captured NTLM password hash
If a user clicks the UNC path link, Windows attempts to connect to the remote host using the SMB file-sharing protocol in order to open the cat.jpg file at that path.
By default, Windows sends the user's login name and NTLM password hash as part of that connection, and even a moderately experienced attacker can recover the password from the hash with free tools such as Hashcat.
A simple password can be brute-forced in 16 seconds
Security researcher Matthew Hickey found that the UNC path can be injected into Zoom quickly and that the captured hash can be cracked just as quickly with current consumer-grade GPUs and CPUs.
Hickey also told Bleeping Computer that, beyond stealing Windows login credentials, UNC injection can be used to launch programs on the local computer, such as the CMD command prompt, when a user clicks the link.
Program run prompt
Fortunately, Windows asks the user for permission before such a program is run. To close this hole, Zoom must stop converting UNC paths into clickable links in its Windows client (that is, leave some would-be hyperlinks as plain text).
Hickey is understood to have notified Zoom of the vulnerability on Twitter, but it is unclear what action the company has taken.
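The following is an added example, hypothetical code rather than Zoom's own, that shows how the link conversion described above goes wrong and what the fix looks like. The function and regex names are my own; with the -LinkifyUncPaths switch it reproduces the vulnerable behaviour (a \\host\share path becomes a clickable link), and without it UNC paths are left as plain text while ordinary https URLs are still linkified. The sample message is constructed for the demonstration and reuses the host name from the article.

```powershell
# Added example (hypothetical, not Zoom's code): a minimal chat linkifier.
# -LinkifyUncPaths reproduces the vulnerable behaviour; omitting it is the fix.
function Convert-ChatTextToLinks {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Text,
        [switch] $LinkifyUncPaths
    )

    $urlRegex = '^https?://\S+$'          # ordinary web URL
    $uncRegex = '^\\\\[^\\\s]+\\\S+$'     # UNC path: \\host\share[\path]

    $tokens = foreach ($token in ($Text -split '\s+')) {
        $safe = [System.Net.WebUtility]::HtmlEncode($token)
        if ($token -match $urlRegex) {
            "<a href=`"$safe`">$safe</a>"
        }
        elseif ($token -match $uncRegex -and $LinkifyUncPaths) {
            "<a href=`"$safe`">$safe</a>"     # vulnerable: a click triggers an SMB connection
        }
        else {
            $safe                            # plain text, nothing to click
        }
    }
    return ($tokens -join ' ')
}

# Companion check for a chat gateway or log review: does a message carry a UNC path at all?
function Test-ContainsUncPath {
    param([Parameter(Mandatory)] [string] $Text)
    return [bool]($Text -match '(^|\s)\\\\[^\\\s]+\\\S+')
}

# Constructed sample message (example.com is a reserved test domain).
$sample = 'check https://example.com/cat.jpg and \\evil.server.com\images\cat.jpg'

Convert-ChatTextToLinks -Text $sample -LinkifyUncPaths   # both tokens become <a> links
Convert-ChatTextToLinks -Text $sample                    # only the https URL becomes a link
Test-ContainsUncPath -Text $sample                        # True
```

The design point is that the linkifier should only ever match schemes it intends to open in a browser; anything that Windows would hand to the SMB client (a leading \\) stays inert. Test-ContainsUncPath is the same regex exposed separately so that a message gateway can flag or drop such messages before they reach clients.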
Until an official patch is released, security-conscious users can restrict outgoing NTLM traffic to remote servers through Group Policy (see below):
Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options – Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers (set it to Deny all).
Note that if you configure the above policy on a computer that is joined to a domain, you may have problems accessing network shares.
Windows 10 Home users, who do not have access to Group Policy settings, can instead apply the restriction with the Registry Editor (set the DWORD value to 2):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, value “RestrictSendingNTLMTraffic” (dword:00000002).
To create this value successfully, remember to run the Registry Editor as an administrator.
If you later need to revert to the default Windows behaviour of sending NTLM credentials, simply delete the RestrictSendingNTLMTraffic value.
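As an added example (my own script, not Zoom's or Microsoft's), the registry mitigation above can be applied, verified and removed from an elevated PowerShell session instead of by hand in the Registry Editor. The function names are my own; the key path and value name are the ones given in the article. Value 2 is the Deny all setting the article recommends; 0 is the Windows default (allow) and 1 is the policy's audit-only mode, which is useful for checking what would break on a domain-joined machine before denying.

```powershell
# Added example (not Zoom's or Microsoft's code): apply, verify and remove the
# RestrictSendingNTLMTraffic mitigation. Run from an elevated PowerShell session.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Current level: 0 = allow all (Windows default, also when the value is absent),
# 1 = audit all, 2 = deny all.
function Get-OutgoingNtlmRestriction {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-OutgoingNtlmRestriction {
    param([ValidateSet(0, 1, 2)] [int] $Level = 2)
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Administrator) PowerShell.' }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
}

# Reverts to the default behaviour by deleting the value, as the article describes.
function Remove-OutgoingNtlmRestriction {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Administrator) PowerShell.' }
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
}

# Usage
"Before: $(Get-OutgoingNtlmRestriction)"
Set-OutgoingNtlmRestriction -Level 2        # deny outgoing NTLM to remote servers
"After:  $(Get-OutgoingNtlmRestriction)"    # expected 2
# Remove-OutgoingNtlmRestriction            # undo once a fixed Zoom client is installed
```

On a domain-joined machine, start with -Level 1 and review the NTLM audit events before switching to 2, since Deny all is what causes the share-access problems mentioned above.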