SECURITY ALERT: Zoom Under Scrutiny in Wake of UNC Patch Injection Issue Disclosure
Quote:

Zoom Bug May Leak Network and Personal Data to Malicious Actors

Amid the coronavirus outbreak, Zoom Video Communication, the California-based video remote conferencing company that has become the backbone of the entire work-from-home effort, struggles to contain what can easily turn into a massive data leak.

Coined the UNC patch injection issue by @_g0dmode “Mitch”, the cybersecurity researcher who identified it in the first place, this vulnerability can be exploited to steal Windows login credentials and network information. Despite being notified in regards to the issue, Zoom has yet to come up with a more permanent solution.

Overview

Zoom has, no doubt, become an indispensable communication tool and an asset for companies who want to ensure business continuity for the duration of the pandemic.

According to The Guardian, the company has registered a 1,500% growth in shares, as more and more investors rally around Zoom’s banner. As we speak, Yuan’s brainchild has overtaken its competitors including Skype for Business, Microsoft Teams, Google’s Meet, Slack, etc. However, this “voracity” comes at a cost, as cybersecurity researcher @_g0dmode recently pointed out.

The choice for using Zoom is an obvious one – video over audio and text. Facetime is as important as exercising during remote work to promote solidarity among employees. Zoom, as most of its competitors, has many useful business-oriented features such as link-sharing, online collaboration, workspaces.

UNC Patch Injection Issue

In regards to link-sharing, tools such as Zoom usually convert URLs to shareable hyperlinks. Nothing out of the ordinary about that; in fact, this process allows the user to open the link in a web browser. This is where things tend to get a little complicated.

Per observations, Zoom’s agent doesn’t only transform URLs into shareable hyperlinks but, at the same time, discloses UNC (Universal Naming Convention) paths. Why does this point toward a data breach?

Going back to the basics, as you know, UNC is the standard that allows you, the user, to identify files, servers, printers, or other resources in a network (i.e. company network, home network, etc.).

UNC provides a bird’s-eye view of every device, file or resource that exists in a pre-defined network.

Here’s what a regular UNC path looks like: “\\Kansas\Example\Wicked.txt”. Now, to access the text document Wicked, you would have to call up the directory (“Example”) and the shared server it’s hosted on (“Kansas”).

So, what happens if someone would open a UNC path link? Your endpoint will attempt to open a connection to a remote site. This is achieved via SMB (Server Message Block), a network-sharing protocol. During this negotiation, your OS shares, by default, your login name and the NTLM (NT LAN Manager) credential hash.

If the SMB server that handles these requests would be under the control of a malicious actor (hacker), then, on clicking the UNC path link, Windows will automatically leak all this info. One would be inclined to say that the malicious actor has no use for this info since nothing is stored in plaintext.

However, as @_g0dmode (Mitch) pointed out, this hash can be cracked in the blink of an eye, using open-source tools. It gets even worse – if the user forgot to change his password or uses a weak one, the cracking process becomes even easier.

Following the cybersecurity analyst’s disclosure, Zoom has informed all of its customers that it has taken the necessary steps to solve (and, possibly, mitigate) this issue. No timeline has been announced. Meanwhile, Microsoft has released a possible workaround for the UNC patch injection issue. I will cover this in the upcoming section.

Zoom’s #1 on the hitlist

This isn’t Zoom’s only blunder. In July 2019, EPIC (Electronic Privacy Information Center) filed a complaint against the Californian company, after several cybersecurity analysts brought to attention the fact that the Zoom app was, allegedly, designed to bypass several layers of security imposed by the web browser, to access the user’s camera.

This was (allegedly) done without the user’s express consent or knowledge, for that matter. Zoom’s retort was to take down all the remote servers.

Unfortunately, Zoom’s list of blunders doesn’t end here. Recently, the company received a major backlash after Motherboard revealed that Zoom’s iOS application was covertly harvesting user data and sending it to third-parties, including Facebook.

Allegedly, this data, which included chat rolls, personal notes, audio, and video recordings, would be used in targeted Facebook advertisements and other marketing endeavors. The purpose of this article is to provide you with insight on the latest UNC patch injection issue, not to do a ‘Zoom blunders body-count’, so I’m going to stop right here.
...
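
Added example, not part of the quoted article and not Zoom's or Heimdal's code: a defensive filter that a chat gateway or message-review script could run to flag UNC-style references before a client renders them as clickable links, which is the behaviour the article describes. The function names, the `corp.example` allowlist and the sample messages are assumptions constructed for illustration.

```python
import re

# \\host\share... and file://host/share... both make Windows open an SMB
# session to <host>. file:///C:/... (empty host) is local and is not matched.
UNC_RE = re.compile(
    r"(?<![\w\\:])(?:\\\\|file://)(?P<host>[^\\/\s]+)[\\/](?P<rest>\S*)",
    re.IGNORECASE,
)

def is_allowed(host, allowed_suffixes):
    """True if host is an approved server name or sits under an approved domain."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)

def find_unc_hosts(message):
    """Return the server name of every UNC-style reference in a chat message."""
    return [m.group("host") for m in UNC_RE.finditer(message)]

def neutralize(message, allowed_suffixes=()):
    """Replace UNC references to non-approved hosts with inert text."""
    def repl(m):
        host = m.group("host")
        if is_allowed(host, allowed_suffixes):
            return m.group(0)  # approved internal file server: leave as written
        return "[UNC link to %s removed]" % host
    return UNC_RE.sub(repl, message)

# Constructed sample messages (documentation-range IP, made-up host names).
SAMPLES = [
    r"Agenda is at \\fileserver.corp.example\team\agenda.docx",
    r"New wallpaper here: \\203.0.113.10\pics\cat.jpg",
    "see file://203.0.113.10/share/notes.txt",
    "local doc file:///C:/Users/me/notes.txt and https://example.com/a",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(neutralize(s, allowed_suffixes=("corp.example",)))
```

The filter only covers the two spellings shown in its comments; a deployment would pair it with blocking outbound SMB at the network edge so that a missed link still cannot reach an external server.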