A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code and compromise a target's system merely by sending a specially crafted chat message.

The issues were reported to Microsoft by Oskars Vegeris, a security engineer from Evolution Gaming, on August 31, 2020, and were addressed at the end of October.

Microsoft did not assign a CVE to this vulnerability, stating that “Microsoft’s current policy is not to issue CVEs on automatically updating products without user interaction.”

“There is no need to interact with users, exploit executes while viewing the chat message,” Vegeris explained in a technical write-up.

The result is “complete loss of confidentiality and integrity to end users – access to private conversations, files, internal network, private keys and personal data outside MS Teams,” the researcher added.

Worse, the RCE is cross-platform – affecting Microsoft Teams for Windows (v1.3.00.21759), Linux (v1.3.00.16851), macOS (v1.3.00.23764), and the web (teams.microsoft.com) – and could be made wormable, meaning it could be propagated by automatically reposting the malicious payload to other channels.

This also means that exploitation can be passed from one account to a whole group of users, thereby compromising an entire channel.

To achieve this, the exploit chain strings together a cross-site scripting (XSS) flaw present in the Teams ‘@mentions’ functionality and a JavaScript-based RCE payload to post a harmless-looking chat message containing a user mention, either in the form of a direct message or to a channel.

Simply visiting the chat at the recipient’s end results in the execution of the payload, allowing it to be exploited to log users’ SSO tokens to local storage for exfiltration and execute any command of the attacker’s choice.

This is not the first time such RCE bugs have been spotted in Teams and other enterprise-focused messaging apps.

Chief among them is the separate RCE vulnerability in Microsoft Teams (CVE-2020-17091) that the company patched as part of its November 2020 Patch Tuesday last month.

Earlier in August, Vegeris revealed a “baffling” critical flaw in Slack’s desktop version that could have allowed an attacker to take over the system by sending a malicious file to another Slack user.

Then in September, networking equipment maker Cisco patched a similar flaw in its Jabber video conferencing and messaging app for Windows that, if exploited, could allow an authenticated remote attacker to execute arbitrary code.
