javajolt
Microsoft Teams Can Be Used To Execute Arbitrary Payloads
« on: September 11, 2019, 05:59:43 PM »
Attackers can use genuine binaries from Microsoft Teams to execute a malicious payload using a mock installation folder for the collaboration software.

The problem affects most Windows desktop apps that use the Squirrel installation and update framework, which uses NuGet packages.

A list of impacted products, as tested by the security researcher who made the discovery, includes WhatsApp, Grammarly, GitHub, Slack, and Discord.

Easy to build package

Reverse engineer Reegun Richard found that he could create a fake Microsoft Teams package and use a signed binary to execute anything present in a specific location.

One notable aspect of the experiment is that no resources are required on the target system other than the minimum package created by the attacker.

The researcher found that the genuine 'Update.exe' file and two folders, 'current' and 'packages', all part of a normal Microsoft Teams installation, are sufficient to launch on the target system malware that inherits the trust of the signed executable, which lets it defeat some defense mechanisms.

It appears that the 'Update' executable blindly deploys anything that is present in the 'current' folder.

The 'packages' location needs to have a 'RELEASES' file, although it does not have to be valid. "It just needs the format 'SHA1 filename size'," the researcher told BleepingComputer.

Richard demonstrates the attack in a video that shows how he got shell access on a victim host after instructing 'update.exe' to launch the payload.

Microsoft is aware of the problem but decided not to address it. The researcher says that the reason the company gave him was that the glitch "did not meet the bar of security issue."

The researcher explains that not all NuGet packages are vulnerable but all apps relying on the Squirrel one-click installer are.

Some differences exist, though: for the other apps, the name of the folder containing the payload must include the name and version number of the affected app.

"All the applications, except Microsoft Teams, require correct version folder, the RELEASES file, and the corresponding 'Update' file to make it work," Richard told BleepingComputer.

A minimal package is composed of the following:

   • signed 'update.exe'

   • 'current' or 'app-(version number)' folder with the payload

   • 'packages' folder with the fake 'RELEASES' file

The researcher created a PoC for each app he found to be affected by the issue. The ready-made packages only require a payload.
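A defender-side triage check for the layout described above, added here as an example and not part of the article or of the Squirrel project: it recognises the minimal Update.exe / payload folder / packages layout, parses the 'SHA1 filename size' RELEASES format the researcher quotes, and verifies each entry against the package it names, which a mock folder with a merely well-formed RELEASES file cannot satisfy. The sample trees it builds are constructed, with an empty file standing in for Update.exe.

```python
import hashlib
import os
import re
import tempfile

# RELEASES entry format as quoted in the article: "SHA1 filename size"
RELEASES_LINE = re.compile(r"^([0-9A-Fa-f]{40})\s+(\S+)\s+(\d+)\s*$")

def check_squirrel_layout(root):
    """Findings for a folder with the minimal Squirrel layout ([] if the layout is
    absent); a mock install has a well-formed RELEASES file with nothing behind it."""
    update_exe = os.path.join(root, "Update.exe")
    releases = os.path.join(root, "packages", "RELEASES")
    payload_dirs = [d for d in os.listdir(root) if os.path.isdir(os.path.join(root, d))
                    and (d == "current" or d.startswith("app-"))]
    if not (os.path.isfile(update_exe) and os.path.isfile(releases) and payload_dirs):
        return []  # not a Squirrel layout, nothing to report
    findings = []
    with open(releases, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.strip(): continue  # tolerate blank lines
            m = RELEASES_LINE.match(line)
            if not m:
                findings.append(f"line {lineno}: malformed RELEASES entry")
                continue
            sha1, name, size = m.group(1).lower(), m.group(2), int(m.group(3))
            pkg = os.path.join(root, "packages", name)
            if not os.path.isfile(pkg):
                findings.append(f"line {lineno}: listed package {name} is missing")
                continue
            with open(pkg, "rb") as pf:
                data = pf.read()
            if len(data) != size or hashlib.sha1(data).hexdigest() != sha1:
                findings.append(f"line {lineno}: {name} does not match listed SHA1/size")
    return findings

def make_sample_tree(valid):
    """Constructed sample layout in a temp dir; Update.exe is an empty stand-in."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "current"))
    os.makedirs(os.path.join(root, "packages"))
    open(os.path.join(root, "Update.exe"), "wb").close()
    pkg = b"constructed nupkg bytes"
    if valid:  # write the package RELEASES points at; a mock tree omits it
        with open(os.path.join(root, "packages", "App-1.0.0-full.nupkg"), "wb") as f:
            f.write(pkg)
    with open(os.path.join(root, "packages", "RELEASES"), "w", encoding="utf-8") as f:
        f.write(f"{hashlib.sha1(pkg).hexdigest()} App-1.0.0-full.nupkg {len(pkg)}\n")
    return root
```

Run it over a suspect folder: a genuine install yields no findings, while a mock folder is reported because its RELEASES entries point at packages that are absent or hash differently.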

In previous research, Richard and another researcher found that apps using the Squirrel installer could be abused to download and run an executable in the context of the current user. This could also be used to fetch the payload from an online location.

Microsoft Teams is becoming a popular choice as an alternative to Slack. Microsoft announced in mid-July that its business-oriented tool for unified communications had 13 million daily active users and more than 19 million on a weekly basis, which is more than what Slack can boast.

source