%localappdata%/Microsoft/Teams/update.exe is vulnerable
Microsoft’s collaboration platform Teams has a vulnerability that allows any user to insert malicious code into the application, handing over control of it and opening a path to privilege escalation.
Researchers have found that the Microsoft Teams vulnerability can be manipulated by executing an update command in the desktop version of the application.
(Microsoft Teams is a collection of enterprise collaboration tools, comprising Office 365, a SharePoint Online site and a document library to store team files.)
This issue also affects the desktop versions of WhatsApp, UiPath and GitHub; however, in their case the vulnerability can only be used to download a payload.
Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current
%userprofile%\AppData\Local\Microsoft\Teams\Update.exe --processStart payload.exe --process-start-args "whatever args"
— Mr.Un1k0d3r (@MrUn1k0d3r) June 26, 2019
All of these applications use the open source project Squirrel to handle their installation and update routines, while the NuGet package manager is used to manage the package files.
The issue has yet to be patched. The security researcher who disclosed it to Microsoft, Reegun Richard, had planned to hold off publishing until a fix was available, but after two other security researchers independently identified and published exploits, he said he was detailing the issue to help blue teamers.
Published the writeup on latest Microsoft Teams vulnerable application design.
Vulnerable Endpoints:
— Reegun (@reegun21) June 28, 2019
Richard discovered that he could execute malicious code through Microsoft’s legitimate, signed binary, making this a living-off-the-land attack.
Doing so requires no special privileges, and if the application has control of system files, access and privileges can be escalated with ease.
Microsoft Teams Vulnerability
Using the vulnerability, any threat actor can trick the application’s update function into downloading and running whatever malicious code they wish, with Microsoft’s own binary doing the launching.
Essentially, the attack involves unpacking any nupkg package and inserting into it shellcode labelled as ‘squirrel.exe’.
— markus neis (@markus_neis) June 27, 2019
Once a threat actor has created a suitable package, they can go into the target application folder and execute update.exe; the application then automatically performs an "update", placing the malicious package containing the shellcode into the ‘packages’ folder.
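As an added defender-side example (not from the article or from any of the researchers quoted), the following Python scans constructed Sysmon-style process-creation events for the two observable signs of the behaviour described above: Squirrel's Update.exe being asked to --processStart something other than the Teams client, and a non-Teams process whose parent is Update.exe. The allowlist, field names and sample events are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Assumed allowlist: the only child Teams' Update.exe is expected to launch.
EXPECTED_CHILDREN = {"teams.exe"}
# Squirrel's launcher binaries as they appear on disk.
SQUIRREL_LAUNCHERS = {"update.exe", "squirrel.exe"}
# Captures the target of --processStart (quoted or bare, "=" or space separated).
PROCESS_START = re.compile(r'--processStart(?:=|\s+)"?([^"\s]+)', re.IGNORECASE)

TEAMS_DIR = r"C:\Users\alice\AppData\Local\Microsoft\Teams"
# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": TEAMS_DIR + r"\Update.exe",                       # benign client launch
     "CommandLine": f'"{TEAMS_DIR}\\Update.exe" --processStart "Teams.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": TEAMS_DIR + r"\Update.exe",                       # launcher pointed at a foreign binary
     "CommandLine": f'"{TEAMS_DIR}\\Update.exe" --processStart payload.exe '
                    '--process-start-args "whatever args"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": TEAMS_DIR + r"\current\payload.exe",              # the resulting child process
     "CommandLine": f'"{TEAMS_DIR}\\current\\payload.exe" whatever args',
     "ParentImage": TEAMS_DIR + r"\Update.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def flag_squirrel_abuse(events):
    """Return (reason, event) pairs for events that look like Update.exe abuse."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        # Sign 1: the launcher itself invoked with an unexpected --processStart target.
        if image in SQUIRREL_LAUNCHERS:
            m = PROCESS_START.search(ev.get("CommandLine", ""))
            if m and basename(m.group(1)) not in EXPECTED_CHILDREN:
                findings.append(("unexpected --processStart target", ev))
        # Sign 2: something other than the client running as a child of the launcher.
        if parent in SQUIRREL_LAUNCHERS and image not in EXPECTED_CHILDREN:
            findings.append(("unexpected child of Squirrel launcher", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in flag_squirrel_abuse(SAMPLE_EVENTS):
        print(f"{reason}: {ev['CommandLine']}")
```

Both rules key on parent/child relationships and command lines rather than the launcher's path, so they still fire when the signed Update.exe has been copied elsewhere.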
Richard wrote in a security blog update on the vulnerability that: “I decided finally to make it public since I spent most of the time in this and without fixing this, the adversaries/insiders will likely use this technique for EDR/IDS evasion, so this post will make the blue team/defense team aware of this situation.”
Microsoft has been contacted for comment.