
Zoom Windows client could allow credentials to be leaked via UNC path injection - LinuxBender
https://www.bleepingcomputer.com/news/security/zoom-client-leaks-windows-login-credentials-to-attackers/
======
jeroenhd
"Zoom doesn't fix Windows oversight that makes Windows leak login credentials"

Sorry, but this one isn't on Zoom. This is all on Windows. You should be able
to click a static link and expect it not to send your user password (or an
easily crackable hash) to some remote server.

This is nothing new and can also be seen in one of the tools I often use to
check if my VPN is easily detectable [0].

This is Windows being vulnerable to carelessly authenticating to a remote
server using an insecure protocol. Attack vectors also include email,
messenger applications, QR codes, and anything else that might form a URI you
can click on.

You can prevent this in your firewall by setting the right group policy [1] or
blocking outbound SMB/NTLM/etc. in your network firewall.

[0] hʇʇp://witch.valdikss.org.ru/ WARNING: will try to trigger the exact same
credential leak on Windows. Use with care.

[1] [https://www.securitynewspaper.com/2016/08/06/understanding-windows-credential-leak-flaw-prevent/](https://www.securitynewspaper.com/2016/08/06/understanding-windows-credential-leak-flaw-prevent/)
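
The comment above boils down to one client-side rule: never turn a share path that points off the local network into something clickable. The following is an added example (not code from this thread, from Zoom, or from Windows) showing how a chat client could apply that rule before auto-linking message text. The regexes, the `allowed_domains` allowlist, the sample messages and the "bare name means local network" heuristic are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Link forms an auto-linker might make clickable and that cause Windows to
# authenticate to the named host. Patterns constructed for this example.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\[^\s]+')
FILE_URL_RE = re.compile(r'\bfile://[^\s]+', re.IGNORECASE)


def host_is_local(host: str, allowed_domains=()) -> bool:
    """Treat RFC 1918 / loopback / link-local addresses, bare NetBIOS-style
    names and hosts under an explicit allowlist of internal domains as local.
    Everything else is assumed to be reachable over the Internet."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal, fall through to hostname rules
    lowered = host.lower().rstrip('.')
    if '.' not in lowered:
        return True  # assumption: a bare name only resolves on the local network
    return any(lowered == d or lowered.endswith('.' + d) for d in allowed_domains)


def find_share_links(text: str, allowed_domains=()):
    """Return every UNC path or file:// URL with a host component found in
    text, tagged with whether that host lies outside the local network."""
    findings = []
    for m in UNC_RE.finditer(text):
        host = m.group(1)
        findings.append({'kind': 'unc', 'raw': m.group(0), 'host': host,
                         'external': not host_is_local(host, allowed_domains)})
    for m in FILE_URL_RE.finditer(text):
        raw = m.group(0)
        host = urlsplit(raw).hostname or ''
        if not host:
            continue  # file:///C:/... names a local drive; nothing to authenticate to
        findings.append({'kind': 'file_url', 'raw': raw, 'host': host,
                         'external': not host_is_local(host, allowed_domains)})
    return findings


def should_linkify(candidate: str, allowed_domains=()) -> bool:
    """Policy a chat client could apply before creating a clickable link:
    refuse whenever the text contains a share path to an external host."""
    return not any(f['external'] for f in find_share_links(candidate, allowed_domains))


# Constructed sample chat lines for the demo.
SAMPLE_MESSAGES = [
    r"slides are on \\fileserver01\meetings\q1.pptx",
    r"report: \\share.corp.example\reports\2020.xlsx",
    r"updated notes at \\evil.example.net\notes\q1.docx",
    "see file://evil.example.net/share/readme.txt",
    "agenda: https://example.com/agenda",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "link" if should_linkify(msg, ('corp.example',)) else "plain text"
        print(f"{verdict:10} {msg}")
```

The external/local split is the part to tune for a real deployment: a corporate file server has a dotted FQDN, so it only passes when its domain is on the allowlist, and anything not on that list stays plain text.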

~~~
intelligenttank
We see a LOT more at-home use of Zoom by grandparents and others with minimal
tech savvy because of Covid19. Telling them to egress block SMB is not
helpful. Perhaps we need to put more pressure on ISPs to egress block SMB
traffic?

~~~
jeroenhd
This is hardly Zoom-related. This attack can easily be executed from Word
files and malicious web pages in the right circumstances.

Microsoft should really disable this insecure method of authentication to
public addresses for everyone but business users who rely on it (and whose IT
department can manually enable the feature through group policy). There are
sort-of-valid reasons to use SMB over the internet (easy network printing for
one, as well as mounting disks in networks that still hand out publicly
routable IPv4 addresses such as universities) and closing the port would break
that functionality immediately.

Why should every residential ISP in the world need to cover up for Microsoft's
design flaw? This bug is presented as news but it has been a known security
issue for at least 6 years now.

~~~
xenonite
Can SMB links be clicked on from a standard browser? If browsers prohibit it,
I guess it would indeed be responsible on Zoom's part to also prohibit it.

------
sk5t
Misleading title, Zoom doesn't divulge the password hash, but also doesn't
prevent users from clicking on UNCs.

Having fallen out of paying attention to Windows Server over the past few
years, I'd be a little surprised if the weak NTLM hash is still on by default
in current versions of Windows (although that's not to say most of the Windows
install base isn't in obsolescence).

~~~
microcolonel
> _I 'd be a little surprised if the weak NTLM hash is still on by default in
> current versions of Windows_

Even if it didn't, which I'm not sure about, they still need to send one if
you're trying to open a samba share. This attack works by presenting a UNC
link to a samba share, which (when the user accepts the credential prompt)
will send a nice compatible NTLM password hash.

------
bad_user
The Zoom client has had multiple problems, here's another article about it:

[https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/](https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/)

I now see senators in my country holding meetings over Zoom and it's
horrifying.

I've been avoiding most things Google, but these days I don't have a problem
with colleagues using Google's Meet, because honestly I trust Google more than
Zoom. Skype is another popular option.

This is a wasted opportunity for a solution like Signal.org to provide support
for e2e group video calls. I'm guessing it's not easy to implement.

------
lazerl0rd
TBF, you can disable NTLM leaking with the registry change below:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v "RestrictReceivingNTLMTraffic" /t REG_DWORD /d 2 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v "RestrictSendingNTLMTraffic" /t REG_DWORD /d 2 /f

It's an option of my personal "de-tracking" Windows 10 script
[https://github.com/lazerl0rd/ScriptWINg](https://github.com/lazerl0rd/ScriptWINg).
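
To check whether a machine is actually in the state those two `reg add` lines produce (and to answer the question raised earlier in the thread about whether the weak hash is still in play), the settings can be read back with `reg query` and interpreted. The following is an added example, not part of this thread or of the ScriptWINg project: it parses the text `reg query` prints and maps the values to their documented meanings. The value tables are Microsoft's documented meanings for `RestrictSendingNTLMTraffic`, `RestrictReceivingNTLMTraffic` and `LmCompatibilityLevel`; the sample output is constructed, and treating a missing `LmCompatibilityLevel` as 3 is an assumption matching the modern Windows default.

```python
import re

# Registry keys holding the settings. MSV1_0 is the key from the comment above;
# the parent Lsa key holds LmCompatibilityLevel (which hash flavours are sent).
MSV1_0 = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
LSA = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

SENDING = {0: 'allow all', 1: 'audit all', 2: 'deny all'}
RECEIVING = {0: 'allow all', 1: 'deny all domain accounts', 2: 'deny all accounts'}
LM_LEVEL = {
    0: 'send LM & NTLM',
    1: 'send LM & NTLM, NTLMv2 session security if negotiated',
    2: 'send NTLM only',
    3: 'send NTLMv2 only',
    4: 'send NTLMv2, refuse LM',
    5: 'send NTLMv2, refuse LM & NTLM',
}

# One value line of `reg query` output: "    Name    REG_TYPE    data"
VALUE_LINE = re.compile(r'^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$')


def parse_reg_query(output: str) -> dict:
    """Parse `reg query` text into {(key_path, value_name): int}.
    Only REG_DWORD values are kept; that is all these settings use."""
    values, current_key = {}, None
    for line in output.splitlines():
        if line.startswith('HKEY_'):
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key and m.group(2) == 'REG_DWORD':
            values[(current_key, m.group(1))] = int(m.group(3), 16)
    return values


def assess_ntlm_posture(values: dict) -> dict:
    """Summarise whether this host would still answer a rogue UNC link with
    NTLM. Missing values fall back to Windows' behaviour when the policy is
    not set: NTLM unrestricted; LmCompatibilityLevel 3 assumed (Vista+ default)."""
    sending = values.get((MSV1_0, 'RestrictSendingNTLMTraffic'), 0)
    receiving = values.get((MSV1_0, 'RestrictReceivingNTLMTraffic'), 0)
    lm_level = values.get((LSA, 'LmCompatibilityLevel'), 3)
    return {
        'outgoing_ntlm': SENDING.get(sending, f'unknown ({sending})'),
        'incoming_ntlm': RECEIVING.get(receiving, f'unknown ({receiving})'),
        'lm_compat': LM_LEVEL.get(lm_level, f'unknown ({lm_level})'),
        # anything short of "deny all" still sends a response to a remote SMB server
        'leaks_to_unc_link': sending != 2,
        # LM / NTLMv1 responses are the cheap-to-crack ones
        'sends_weak_hash': lm_level < 3,
    }


# Constructed sample of what `reg query` prints after the two commands above
# were run on a host whose LmCompatibilityLevel is the modern default.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    RestrictSendingNTLMTraffic    REG_DWORD    0x2
    RestrictReceivingNTLMTraffic    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x3
"""

if __name__ == "__main__":
    for k, v in assess_ntlm_posture(parse_reg_query(SAMPLE_REG_OUTPUT)).items():
        print(f"{k:20} {v}")
```

On a real host, feed it the combined output of `reg query` for both keys. Note the trade-off the thread already points at: `RestrictSendingNTLMTraffic` set to 2 also blocks NTLM to intranet servers that do not offer Kerberos, so in a domain the usual pattern is to pair it with the "Add remote server exceptions for NTLM authentication" policy rather than relying on the blanket setting alone.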

------
Silhouette
The BBC have an article on Zoom security today, where the lack of clear
technical statements in the response is quite striking if you are concerned
about online security:

[https://www.bbc.co.uk/news/business-52115434](https://www.bbc.co.uk/news/business-52115434)

One interesting point was that the most senior figures in the UK government
have been using Zoom to conduct official meetings while several of them are in
isolation at home due to the virus. That is concerning given the reported lack
of basic security features like full encryption.

------
kerng
This should also allow relay attacks, so password recovery isn't the only
attack angle.

------
yalogin
All this attention on Zoom should make their product solid if they listen. I
will never trust them given free service is part of their business model. They
will gather data and sell it. The Chinese government equation is a whole
other thing.

------
throwanem
tl;dr: Zoom chat links UNC paths on Windows, and clicking one sends your
username and easily cracked NTLM password hash to the remote host.

------
bena2005
dang zoom is getting slammed every day lol

~~~
jsjddbbwj
Facebook must be really happy.

Good thing about this is the fatigue. We're just a few years away until
jo*rnalists lose most of their power.

~~~
untog
A total lack of oversight of tech companies is a good thing?

