Security researcher Oskars Vegeris from Evolution Gaming has published technical details on a wormable, cross-platform vulnerability in the business communication platform Microsoft Teams.
The flaw is a cross-site scripting (XSS) issue that impacts the ‘teams.microsoft.com’ domain, it could be exploited by an attacker to achieve remote code execution in the MS Teams desktop application.
An attacker could exploit the flaw by sending a specially crafted message to any Microsoft Teams user or channel.
“A Remote Code Execution vulnerability has been identified in MS Teams desktop which can be triggered by a novel XSS (Cross-Site Scripting) injection in teams.microsoft.com. A specifically crafted chat message can be sent to any Microsoft Teams member or channel which will execute arbitrary code on victim PC’s with NO USER INTERACTION.” reads the advisory published by Vegeris.
“Remote Code Execution has been achieved in desktop applications across all supported platforms (Windows, macOS, Linux). Code execution gives attackers full access to victim devices and company internal networks via those devices,”
Even without gaining arbitrary code execution, the attacker could exploit the XSS flaw to obtain SSO authorization tokens for MS Teams or other services of the IT giant (e.g. Skype, Outlook, Office365). The issue could also allow attackers to access confidential conversations and files from the communications service.
The expert pointed out that the attack is stealth, it doesn’t require any user interaction and there are no indicators of compromise for this attack.
The flaw is also ‘wormable,’ this means that it is possible to automatically repost the exploit payload to other companies, channels, users without interaction
Successful exploitation could cause complete loss of confidentiality and integrity for end-users, attackers could access sensitive info into private chats, files, internal network, along with private keys and personal data outside MS Teams
The flaw could also open to phishing attacks by redirecting the victims to attackers’ site or requesting SSO credential input.
Affected products include:
Vegeris also published a demo on how to exploit the vulnerability, he is disappointed by the Microsoft’choice to rate the issues “Important, Spoofing,” which is one of the lowest in-scope ratings possible.
He added that the IT giant wouldn’t issue a CVE number for the vulnerability, because issues in Microsoft Teams are fixed via automatic updates.
Microsoft has addressed the flaw with an update released in October.
(SecurityAffairs – hacking, Microsoft Teams)