Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams
Vulnerability A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed
an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target’s system.
The issues were reported to the Windows maker by Oskars Vegeris, a security engineer from Evolution
Gaming, on August 31, 2020, before they were addressed at the end of October.
“No user interaction is required, exploit executes upon seeing the chat message,”
Vegeris explained in a technical write-up. Vulnerability
The result is a “complete loss of confidentiality and integrity for end-users
— access to private chats, files, internal network, private keys, and personal data outside MS Teams,
” the researcher added.
Worse, the RCE is cross-platform — affecting Microsoft Teams for Windows (v1.3.00.21759),
Linux (v1.3.00.16851), macOS (v1.3.00.23764),
and the web (teams.microsoft.com) — and could be made wormable,
meaning it could be propagated by automatically reposting the malicious payload to other channels.
This also means the exploit can be passed on from one account to a whole group of users,
thereby compromising an entire channel.
To achieve this, the exploit chain strings together a cross-site scripting (XSS) flaw present in the Teams ‘@mentions’ functionality
and a JavaScript-based RCE payload to post a harmless-looking chat message containing
a user mention either in the form of a direct message or to a channel.
Simply visiting the chat at the recipient’s end leads to the execution of the payload,
allowing it to be exploited to log users’ SSO tokens to local storage for exfiltration
and execute any command of the attacker’s choice.
This is not the first time such RCE flaws were observed in Teams and other enterprise-focused messaging apps.
Chief among them is a separate RCE vulnerability in Microsoft Teams (CVE-2020-17091)
that the company patched as part of its November 2020 Patch Tuesday last month.
Earlier this August, Vegeris also disclosed a critical “wormable” flaw in Slack’s desktop version
that could have allowed an attacker to take over the system by simply sending a malicious file to another Slack user.
Then in September,
networking equipment maker Cisco patched a similar flaw in its Jabber video conferencing and messaging app for Windows that,
if exploited, could allow an authenticated, remote attacker to execute arbitrary code.