{"id":1109,"date":"2020-12-08T12:06:06","date_gmt":"2020-12-08T12:06:06","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=1109"},"modified":"2020-12-08T12:06:06","modified_gmt":"2020-12-08T12:06:06","slug":"zero-click-wormable-rce-vulnerability-reported-microsoft-teams","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/zero-click-wormable-rce-vulnerability-reported-microsoft-teams\/","title":{"rendered":"Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams"},"content":{"rendered":"<p>A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target&#8217;s system.<\/p>\n<p>The issues were reported to the Windows maker by Oskars Vegeris, a security engineer from Evolution Gaming, on August 31, 2020, before they were addressed at the end of October.<\/p>\n<p>&#8220;No user interaction is required, exploit executes upon seeing the chat message,&#8221; Vegeris explained in a technical write-up.<\/p>\n<h4>Vulnerability<\/h4>\n<p>The result is a &#8220;complete loss of confidentiality and integrity for end-users \u2014 access to private chats, files, internal network, private keys, and personal data outside MS Teams,&#8221; the researcher added.<\/p>\n<p>Worse, the RCE is cross-platform \u2014 affecting Microsoft Teams for Windows (v1.3.00.21759), Linux (v1.3.00.16851), macOS (v1.3.00.23764), and the web (teams.microsoft.com) \u2014 and could be made wormable, meaning it could be propagated by automatically reposting the malicious payload to other channels.<\/p>\n<p>This also means the exploit can be passed on from one account to a whole group of users, thereby compromising an entire channel.<\/p>\n<div class=\"separator\"><a href=\"https:\/\/thehackernews.com\/images\/-kvtzQweqfiI\/X88dqNvHUkI\/AAAAAAAABLs\/7SJUM5yleB4Rna81cKqunvkAkQpNbc4pgCLcBGAsYHQ\/s0\/ms-teams.gif\"><img decoding=\"async\" src=\"https:\/\/thehackernews.com\/images\/-kvtzQweqfiI\/X88dqNvHUkI\/AAAAAAAABLs\/7SJUM5yleB4Rna81cKqunvkAkQpNbc4pgCLcBGAsYHQ\/s0\/ms-teams.gif\" alt=\"\" border=\"0\" data-original-height=\"448\" data-original-width=\"728\" \/><\/a><\/div>\n<p>To achieve this, the exploit chain strings together a cross-site scripting (XSS) flaw present in the Teams &#8216;@mentions&#8217; functionality and a JavaScript-based RCE payload to post a harmless-looking chat message containing a user mention either in the form of a direct message or to a channel.<\/p>\n<p>Simply visiting the chat at the recipient&#8217;s end leads to the execution of the payload, allowing it to be exploited to log users&#8217; SSO tokens to local storage for exfiltration and execute any command of the attacker&#8217;s choice.<\/p>\n<p>This is not the first time such RCE flaws were observed in Teams and other enterprise-focused messaging apps.<\/p>\n<p>Chief among them is a separate RCE vulnerability in Microsoft Teams 
(CVE-2020-17091) that the company patched as part of its November 2020 Patch Tuesday last month.<\/p>\n<p>Earlier this August, Vegeris also disclosed a critical &#8220;wormable&#8221; flaw in Slack&#8217;s desktop version that could have allowed an attacker to take over the system by simply sending a malicious file to another Slack user.<\/p>\n<p>Then in September, networking equipment maker Cisco patched a similar flaw in its Jabber video conferencing and messaging app for Windows that, if exploited, could allow an authenticated, remote attacker to execute arbitrary code.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute<\/p>\n","protected":false},"author":1,"featured_media":1110,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[1156,65,320,352,427,1213,386,496,180,967],"class_list":["post-1109","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=1109"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1109\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-jso
n\/wp\/v2\/media\/1110"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=1109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=1109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=1109"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=1109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}