A researcher has identified a set of vulnerabilities in Microsoft Teams that can allow an attacker to access arbitrary files, messages, single-sign on tokens, and other data just by sending a specially crafted message to a victim in Teams. The bugs, which Microsoft has addressed with automatic updates, affected Teams on Windows, macOS, and Linux, as well as the cloud hosted version.
Exploitation of the vulnerabilities is quite simple and doesn’t require any user interaction. Oskars Vegeris, the researcher who discovered the bugs, reported them to Microsoft at the end of August and the company released an automatic update to patch them in late October. Microsoft rated the bugs as Important, but the potential effects of an attacker using this technique could be serious. To exploit the vulnerabilities, the attacker would just need the ability to send a message to a victim, who would then only need to read the message for the exploit to work.
“That's it. There is no further interaction from the victim. Now your company's internal network, personal documents, O365 documents/mail/notes, secret chats are fully compromised. Think about it. One message, one channel, no interaction. Everyone gets exploited,” Vegeris said in his vulnerability disclosure.
“So let's expand on that. What if the recipients then automatically post it in their teams, channels? Everybody gets exploited. Did you know you can be a guest in other organisations? Probably your organisation already has several guests. They most likely are in their own organisations and those orgs probably have guests, which are in their own organisations, which are ... 🙂 Yes, it could be made into a worm, which spreads within the Microsoft Teams network, at least within an organisation.”
“We mitigated the issue with an update in October, which had automatically deployed."
Microsoft Teams is an enterprise collaboration and communication platform similar in functionality to Webex. There are both cloud and desktop versions of Teams, and the platform has seen a surge in usage over the last year as the global pandemic has forced organizations to enable remote work for millions of people.
The basis of the vulnerability chain is a cross-site scripting flaw, but Vegeris also uncovered several other bugs that eventually led to the remote code execution. His advisory includes a detailed description and demo, but he removed the RCE payloads.
“Remote Code Execution has been achieved in desktop applications across all supported platforms (Windows, macOS, Linux). Code execution gives attackers full access to victim devices and company internal networks via those devices,” he said in the advisory.
“Even without arbitrary code execution on victim device, with the demonstrated XSS it's possible for an attacker to obtain SSO authorisation tokens for Microsoft Teams and other Microsoft Services (e.g. Skype, Outlook, Office365). Furthermore, the XSS vulnerability by itself allows to access confidential / private conversations, files etc. from within MS Teams.”
Microsoft said the update it deployed does not require customers to take any actions.
“We mitigated the issue with an update in October, which had automatically deployed and protected customers,” a company spokesperson said.