This article is more than 1 year old
When is a remote-code-execution bug in Teams not an RCE? When Microsoft says it isn't, flaw finder discovers
'Zero-click, wormable, cross-platform' vuln deemed 'important, spoofing' rather than, say, 'aaargh!'
Updated At some point since August, Microsoft quietly fixed a cross-site scripting (XSS) bug in its Teams web app that opened the door to a serious remote-code-execution (RCE) vulnerability in the Linux, macOS, and Windows desktop versions of its Teams collaboration app.
The security researcher who identified the issue suggests Microsoft should have done more to acknowledge the risk, noting that Microsoft didn't bother to publish details or obtain Common Vulnerabilities and Exposures (CVE) identifiers for the flaws because Teams gets automatically updated.
Oskars Vegeris, the security engineer at Evolution Gaming who reported the flaws roughly three months ago, on Monday published a report on his findings that suggests Microsoft downplayed the vulnerabilities, rating the XSS bug as merely "important" and capable of "spoofing" and ignoring the RCE potential in the desktop apps.
Vegeris claims the Teams vulnerability could be exploited for "zero-click, wormable, cross-platform remote code execution." Using an XSS bug in Microsoft's Teams web app, an attacker could send or edit a Teams message that executed arbitrary code when the message was viewed.
"That's it," he wrote. "There is no further interaction from the victim. Now your company's internal network, personal documents, O365 documents/mail/notes, secret chats are fully compromised. Think about it. One message, one channel, no interaction. Everyone gets exploited."
Even without utilizing the RCE in the Teams desktop apps, Vegeris contends that the web app XSS allowed an attacker to grab Single Sign-On auth tokens from Teams and other Microsoft services like Office 365, Outlook, and Skype and to access confidential conversations and files within Teams.
Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wildREAD MORE
According to Vegeris, these attacks could be conducted silently by Teams guest users, as opposed to account holders within an organization. Coincidentally, Microsoft recently said that it will be enabling guest access in Teams by default starting in February, 2021.
Vegeris found a similarly serious Slack bug earlier this year and the common factor is that both Slack and Teams are based on Electron.js, a framework for building desktop apps with web technology that run on Linux, macOS, and Windows.
Another bug hunter thanked in Slack's post on the subject, Matt Austin, director of security research at Contrast Security, told The Register in a phone interview in August that he was aware of an RCE bug affecting Teams that had remained unfixed for over a year.
Electron.js is known for being difficult to secure, partly because its relative ease of use appeals to inexperienced developers and partly because its architecture and default settings initially did little to shield its web-exposed processes from its Node.js APIs.
In this instance, Vegeris found a way to inject code into a Teams chat message as a payload (a string of code) assigned to the
displayName property associated with @mentions in the app. His proof-of-concept exploit writes the user's SSO tokens to local storage where they can be retrieved and abused.
Another piece comes to .NET Core: Microsoft will keep the runtime patched automaticallyREAD MORE
Vegeris also developed an RCE payload that he claims bypassed various restrictions imposed by Electron security controls like disabling the remote module, disabling Node.js integration in any render process that displays remote content, relying on a preload.js script, and the contextIsolation flag.
Microsoft is said to have accepted the vulnerability chain bug report for its Office 365 cloud bug bounty program but only rated the XSS "Important" and the impact "Spoofing," meaning the possible reward ranged from US$500 to $3,000. The desktop Teams app RCE, worth $5,000 to $15,000 for "Important" bugs and up to $20,000 for "Critical" ones, was supposedly rejected as "out of scope" – not covered by the cloud-focused program.
"At least now we have a new joke between colleagues - whenever we get a remote code execution (RCE) bug, we call it 'Important, Spoofing'. Thanks Microsoft!" he joked.
Though Vegeris doesn't specifically complain about the bug bounty payout for his findings, the implication is that Microsoft chose the thriftiest possible interpretation of the bugs. But a low payout, $1,750, was also an issue with the Slack bug.
Microsoft did not respond to a request for comment. ®
Updated to add
“We mitigated the issue with an update in October, which has automatically deployed and protected customers,” a Microsoft spokesperson said in an emailed statement, without addressing any of the points made by Vegeris.