Zero-day vulnerability in Zoom allows remote code execution on Windows and malware attacks

Cyber security researchers have found a critical zero-day vulnerability in the Zoom video conferencing app. The vulnerability was found in Zoom's Windows client. It allows limited remote code execution (RCE) and can leak network information. The app mishandles Uniform Resource Identifier (URI) paths, which can result in Universal Naming Convention (UNC) injection.

A researcher named Matthew Hickey from the company found this vulnerability. The vulnerability was reported to Zoom.

Anyone can add malicious links to a chat, for example to expose the computer name, the domain, or the Windows hashed password. These links can involve Microsoft Excel files, which can execute the malicious code when opened. Once someone has your hashed password, it is not very difficult to hack the network or another server. This also allows creating a backdoor or running malware on the target device.

The researcher showed a proof of concept that runs the built-in calculator app by sending a link like:

\\127.0.0.1\C$\Windows\System32\Calc.exe

If you send this link to anyone in Zoom chat and they click it, it will open the calculator. Windows might display an alert box in this case, but for most advanced attacks that might not be the case.
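A chat renderer can avoid this class of bug by never turning UNC paths into clickable links. The following is an added example, not Zoom's code or the researcher's: the function names, the allowed-scheme policy and the extension list are assumptions, and the sample messages are constructed.

```python
import re

# Assumed policy: only these schemes may ever become clickable links.
ALLOWED_SCHEMES = ("http://", "https://")

# UNC path: two leading backslashes (or slashes), a host, a separator, a share/path.
UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/\s]+[\\/][^\s]+$")

# Assumed list of extensions worth flagging (executables, macro-capable documents).
RISKY_EXT = (".exe", ".bat", ".cmd", ".scr", ".lnk", ".xls", ".xlsm")


def classify_token(token):
    """Return 'link', 'unc', 'file-uri' or 'text' for one whitespace-delimited token."""
    lowered = token.lower()
    if lowered.startswith(ALLOWED_SCHEMES):
        return "link"
    if lowered.startswith("file:"):
        return "file-uri"
    if UNC_RE.match(token):
        return "unc"
    return "text"


def render_message(message):
    """Split a chat message into (kind, text) pairs for the renderer.

    UNC paths and file: URIs are downgraded to plain text so a click can
    never make Windows open a remote share; each one is also returned as a
    finding for logging or alerting.
    """
    tokens, findings = [], []
    for token in message.split():
        kind = classify_token(token)
        if kind in ("unc", "file-uri"):
            findings.append({
                "token": token,
                "kind": kind,
                "risky_ext": token.lower().endswith(RISKY_EXT),
            })
            kind = "text"  # never clickable
        tokens.append((kind, token))
    return tokens, findings


if __name__ == "__main__":
    # Constructed sample message containing the proof-of-concept path from the article.
    sample = r"open \\127.0.0.1\C$\Windows\System32\Calc.exe or https://example.com/join"
    print(render_message(sample))
```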

The flaw affects Zoom’s Windows client only. On Apple’s macOS, the Zoom client doesn’t make the links clickable. On iOS, however, the app shared all personal information of the user with Facebook.

Other researchers have found that Zoom’s Company Directory feature leaks email addresses and photos, and that the video conferencing app does not use end-to-end encryption to protect calls from interception.