Zero-Click RCE vulnerability reported in Microsoft Teams

A Zero-Click Remote Code Execution (RCE) flaw in Microsoft Teams desktop apps has allowed arbitrary code to be executed just by sending a specially crafted chat message, compromising the system.

The issues were reported to Microsoft on August 31, 2020 by Oskars Vegeris, a security engineer at Evolution Gaming, and were fixed in late October.

Microsoft has not assigned a CVE to this vulnerability. “It is Microsoft's current policy not to issue CVEs for products that are automatically updated without user interaction.”

“No user interaction is required. The exploit is executed as soon as the chat message is displayed,” Vegeris explained in a technical report.

The result is a “complete loss of confidentiality and integrity for end users – access to private chats, files, internal network, private keys and personal data outside of MS Teams,” the researcher added.

Worse, the RCE is cross-platform and affects Microsoft Teams for Windows (v1.3.00.21759), Linux (v1.3.00.16851), macOS (v1.3.00.23764) and the web (teams.microsoft.com), and the malicious payload could be propagated to other channels through automatic reposting.

This also means that the exploit can be spread from one account to an entire group of users, putting an entire channel at risk.

To achieve this, the exploit chain combines a cross-site scripting (XSS) vulnerability in Teams' "@mentions" functionality with a JavaScript-based RCE payload to post an innocuous-looking chat message that contains a user mention, either as a direct message or in a channel.

Simply viewing the chat on the receiving end triggers the payload, which can be used to log users' SSO tokens to local storage for exfiltration and to execute arbitrary commands of the attacker's choosing.

This is not the first time such RCE flaws have been observed in Teams and other business-oriented messaging apps.

Most notably, a separate RCE vulnerability in Microsoft Teams (CVE-2020-17091) was patched by the company last month as part of its November 2020 patch release.

Earlier in August this year, Vegeris had also disclosed a critical "wormable" flaw in the desktop version of Slack that would have allowed an attacker to take over the system simply by sending a malicious file to another Slack user.

In September, networking equipment maker Cisco patched a similar vulnerability in its video conferencing and messaging app Jabber for Windows, allowing an authenticated attacker to execute arbitrary code.