A zero-click remote code execution (RCE) vulnerability was uncovered in the Microsoft Teams desktop apps that could have let a threat actor execute arbitrary code simply by sending a specially crafted chat message, thereby compromising the target's system.
The issue was reported to Microsoft by Oskars Vegeris, a security engineer at Evolution Gaming, on August 31, 2020, and it was addressed at the end of October.
Microsoft did not assign a CVE to the vulnerability, stating that its current company policy is not to issue CVEs for products that update automatically without user interaction.
Vegeris said that no user interaction is required and that the exploit executes as soon as the chat message is viewed. As a result, there is a total loss of confidentiality and integrity for end users: access to private chats, files, the internal network, private keys and personal data outside MS Teams.
The RCE is cross-platform, affecting Microsoft Teams for Windows (v1.3.00.21759), Linux (v1.3.00.16851), macOS (v1.3.00.23764) and the web (teams.microsoft.com), and could be made wormable, meaning that it could propagate by automatically reposting the malicious payload to other channels.
In other words, the exploit can be passed on from one account to a whole group of users, compromising an entire channel.
Simply viewing the chat on the recipient's end triggers execution of the payload, which could be used to log users' SSO tokens to local storage for exfiltration and to execute any command of the attacker's choice.
Similar RCE flaws have been observed before in Teams and other enterprise-focused messaging apps, including a separate RCE vulnerability in Microsoft Teams (CVE-2020-17091) that Microsoft patched as part of its November 2020 Patch Tuesday.
This August, the same researcher also revealed a critical "wormable" flaw in Slack's desktop version that could have allowed an attacker to take over a system simply by sending a malicious file to another Slack user.
Image credits: Insider Pro