Windows 10 News and info | Forum
Topic: Microsoft Teams Can Be Used To Execute Arbitrary Payloads
« on: September 11, 2019, 05:59:43 PM »

Attackers can use genuine binaries from Microsoft Teams to execute a malicious payload using a mock installation folder for the collaboration software.

The problem affects most Windows desktop apps that use the Squirrel installation and update framework, which uses NuGet packages.

A list of impacted products, as tested by the security researcher that made the discovery, includes WhatsApp, Grammarly, GitHub, Slack, and Discord.

Easy to build package

Reverse engineer Reegun Richard found that he could create a fake Microsoft Teams package and use a signed binary to execute anything present in a specific location.

One notable aspect of the experiment is that no resources are required on the target system other than the minimum package created by the attacker.

The researcher found that the genuine 'Update.exe' file and two folders - 'current' and 'packages,' all being part of a normal Microsoft Teams installation, are sufficient to launch on the system malware that inherits the trust of the signed executable, allowing defeat of some defense mechanisms.

It appears that the 'Update' executable blindly deploys anything that is present in the 'current' folder.

The 'packages' location needs to have a 'RELEASES' file, although it does not have to be valid. "It just needs the format 'SHA1 filename size'," the researcher told BleepingComputer.

Richard demonstrates the attack in a video that shows how he got shell access on a victim host after instructing 'update.exe' to launch the payload.

Microsoft is aware of the problem but decided not to address it. The researcher says that the reason the company gave him was that the glitch "did not meet the bar of security issue."

The researcher explains that not all NuGet packages are vulnerable but all apps relying on the Squirrel one-click installer are.

Some differences exist, though, in that the name of the folder containing the payload contains the name and version number of the app affected by this problem.

"All the applications, except Microsoft Teams, require correct version folder, the RELEASES file, and the corresponding 'Update' file to make it work," Richard told BleepingComputer.

A minimal package is composed of the following:

    signed 'update.exe'

    'current' or 'app-(version number)' folder with the payload

    'packages' folder with the fake 'RELEASES' file

The researcher created a PoC for each app he found to be affected by the issue. The ready-made packages only require a payload.
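A defender-side check for the layout described above (signed 'Update.exe' next to a 'current' or 'app-<version>' folder, outside the normal per-user install root). This is an added, constructed example and not the researcher's PoC or any product's rule; the event field names, the sample events and the assumption that Squirrel apps only live under %LOCALAPPDATA% are mine.

```python
import re
from pathlib import PureWindowsPath

# Squirrel-based apps install per user under %LOCALAPPDATA% (Teams, for
# example, under %LOCALAPPDATA%\Microsoft\Teams).  Assumption: an Update.exe
# tree anywhere else is the mock-installation layout the article describes.
EXPECTED_ROOT = "\\appdata\\local\\"
PAYLOAD_DIR = re.compile(r"^(current|app-\d+(\.\d+)*)$", re.IGNORECASE)


def _under_localappdata(path: PureWindowsPath) -> bool:
    return EXPECTED_ROOT in str(path).lower()


def analyze_process_event(event: dict) -> list:
    """Return the reasons a process-creation record looks like Squirrel's
    Update.exe being used as a launcher from a mock install folder.

    `event` is a constructed record with keys image and parent_image (full
    paths); the field names are an assumption, not any product's schema."""
    image = PureWindowsPath(event["image"])
    parent = PureWindowsPath(event.get("parent_image", ""))
    reasons = []
    # Rule 1: Update.exe itself running from somewhere other than a per-user install.
    if image.name.lower() == "update.exe" and not _under_localappdata(image):
        reasons.append("Update.exe executing outside %LOCALAPPDATA%")
    # Rule 2: Update.exe spawned a child from a sibling 'current' or 'app-<ver>'
    # folder, i.e. the three-piece layout (Update.exe + current + packages).
    if parent.name.lower() == "update.exe" and PAYLOAD_DIR.match(image.parent.name):
        if image.parent.parent == parent.parent and not _under_localappdata(image):
            reasons.append("Update.exe launched payload from mock '%s' folder" % image.parent.name)
    return reasons


# Constructed sample events: one legitimate Teams launch, then a mock package.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe"},
    {"image": r"C:\Users\alice\Downloads\Teams\Update.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\alice\Downloads\Teams\current\payload.exe",
     "parent_image": r"C:\Users\alice\Downloads\Teams\Update.exe"},
]


def scan(events: list) -> dict:
    """Map each event index to its findings, omitting clean events."""
    results = {}
    for i, event in enumerate(events):
        reasons = analyze_process_event(event)
        if reasons:
            results[i] = reasons
    return results
```

Run against real telemetry, the same two rules apply to the other Squirrel apps the article lists once their per-user install roots are added to the expected set.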

In previous research, Richard and another researcher found that apps using the Squirrel installer could be abused to download and run an executable in the context of the current user. This could work to get the payload from an online location, too.

Microsoft Teams is becoming a popular choice as an alternative to Slack. Microsoft announced in mid-July that its business-oriented tool for unified communications had 13 million daily active users and more than 19 million on a weekly basis, which is more than what Slack can boast.
