From reading the news and Twitter I just assumed someone found a Zoom RCE. Turns out, no.
Bug 1: clickable links are in fact clickable
Bug 2 & 3: if an attacker already has access to your machine, they can do bad things.
Replying to @MalwareTechBlog
I think the UNC bug wasn't explained very well, but could be exploited, e.g. \\?C:\Users\taviso~1\Downloads\exploit.bat works (i.e. executes it). You can obfuscate the link, it's not earth shattering, but I think an attack here is realistic
2 replies 11 retweets 67 likes -
Replying to @taviso @MalwareTechBlog
Are you saying exploit.bat executes without any secondary confirmation? Given that a lot of corporate VPNs restrict 445 egress and most of the major ISPs in the US also block 445 egress, I'm in the "way too overhyped and not really a bug in zoom, just windows being windows" camp
3 replies 0 retweets 9 likes -
Replying to @0xdade @MalwareTechBlog
Yes, I am saying that. I think this is a real bug, just very poorly explained. The NTLM vector shouldn't even have been mentioned, that just confused everyone.
1 reply 3 retweets 17 likes -
Replying to @taviso @MalwareTechBlog
I tried after asking and got this popup which, I guess if we put it in http context this would be much like clicking a .exe link and Internet Explorer saying "wanna run this instead of download it?" Seems mostly like any other phishing type attack and not a zoom problem imo. pic.twitter.com/rc8CZn6FzA
1 reply 0 retweets 3 likes -
Replying to @0xdade @MalwareTechBlog
That's just MoTW, I've verified it works. No prompts required. I think someone could realistically click on that. pic.twitter.com/VwYGB5il48
3 replies 16 retweets 47 likes -
Replying to @taviso @MalwareTechBlog
What's MoTW stand for in this context? I tried to use that link style with http://bit.ly \\?\C:\Users\dade\Documents\exploit.bat and it just pulls up a bitly page and 404s. I'm on Zoom 4.6.7 (18176.0301) on Win 10 19592
2 replies 0 retweets 2 likes -
Anyways, I hold your opinion in high regard and do agree that your link looks quite clickable. Just wondering what's causing me to not be able to reproduce it.
1 reply 0 retweets 3 likes
That was just a zero-width space between the URL and the path to make it look like one long URL.
Replying to @taviso @MalwareTechBlog
Ohhhh damn how did I not realize the zero width space would be so useful there. Very well done.
1 reply 0 retweets 7 likes -
Replying to @0xdade @MalwareTechBlog
Haha, that obfuscation trick worked on you, so no doubting
You can try to copy this if twitter doesn't mangle it: http://bit.ly \\?\C:\Users\dade\Downloads\exploit.bat:2 replies 2 retweets 15 likes - 10 more replies
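
A defender-side check for the link obfuscation discussed in this thread, added here as an example that is not part of the original tweets: it flags chat text in which an invisible Unicode character joins something that looks like a URL to a Windows path. The function names, finding labels and sample message are assumptions made up for illustration.

```python
import re
import unicodedata

# Windows path shapes: \\?\C:\... (the form quoted in the thread), \\server\share, C:\...
PATH_RE = re.compile(
    r'(?:\\\\\?\\[A-Za-z]:\\|\\\\[^\\\s?]+\\[^\\\s]+|\b[A-Za-z]:\\)\S*')
# Loose "looks like a link" test for the visible token in front of a path.
URL_RE = re.compile(r'(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[A-Za-z]{2,}(?:/\S*)?')


def is_invisible(ch):
    # Category Cf covers zero-width space/joiners, BOM, bidi controls and similar.
    return unicodedata.category(ch) == "Cf"


def invisible_chars(text):
    """Return (index, Unicode name) for every invisible format character."""
    return [(i, unicodedata.name(c, hex(ord(c))))
            for i, c in enumerate(text) if is_invisible(c)]


def scan_message(text):
    """Return a list of finding labels for one chat message."""
    findings = []
    if invisible_chars(text):
        findings.append("invisible-character")
    for m in PATH_RE.finditer(text):
        if "windows-path" not in findings:
            findings.append("windows-path")
        prefix = text[:m.start()]
        end = len(prefix)
        # Walk back over whatever separates the path from the visible text before it.
        while end and (prefix[end - 1].isspace() or is_invisible(prefix[end - 1])):
            end -= 1
        gap, visible = prefix[end:], prefix[:end].split()
        if any(map(is_invisible, gap)) and visible and URL_RE.fullmatch(visible[-1]):
            findings.append("url-joined-to-path-by-invisible-char")
    return findings


# Constructed sample: a short link, a zero-width space, then a local device path.
SAMPLE = "http://bit.ly" + "\u200b" + r"\\?\C:\Users\example\Downloads\sample.bat"

if __name__ == "__main__":
    print(invisible_chars(SAMPLE))
    print(scan_message(SAMPLE))
```
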