{"id":41630,"date":"2020-12-08T11:14:03","date_gmt":"2020-12-08T11:14:03","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=221ecb8cdf14d4caea3bc62dbf2c5eef"},"modified":"2020-12-08T11:14:03","modified_gmt":"2020-12-08T11:14:03","slug":"zero-click-wormable-rce-flaw-uncovered-in-microsoft-teams","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/zero-click-wormable-rce-flaw-uncovered-in-microsoft-teams\/","title":{"rendered":"Zero-click ‘wormable’ RCE flaw uncovered in Microsoft Teams"},"content":{"rendered":"


\n Keumars Afifi-Sabet<\/a><\/span>
\n <\/span><\/p>\n

\n
\n
8 Dec, 2020<\/span><\/div>\n<\/p><\/div>\n<\/div>\n

\n<\/a><\/p>\n

\n

Hackers were able to exploit a serious vulnerability in\u00a0Microsoft Teams<\/a>\u00a0desktop apps to execute arbitrary code remotely and spread infection across a company network by simply sending a specially-crafted message.<\/p>\n

The zero-click flaw, which is wormable, can be triggered by\u00a0cross-site scripting (XSS) injection<\/a>\u00a0in Teams, with hackers able to transmit a malicious message which will execute code without user interaction.<\/p>\n

<\/p>\n

\nThis remote code execution (RCE) flaw was first reported to Microsoft in August, with the company fixing the bugs in October 2020. However, security researcher Oskars Vegaris, who discovered the flaw,\u00a0 has complained that the firm didn\u2019t take his report as seriously as it should have, with Microsoft not even assigning the bug a CVE tag.<\/p>\n

Microsoft considered the Teams vulnerability as \u2018important\u2019 although described its impact as \u2018spoofing\u2019 in\u00a0its bug bounty programme<\/a>. As for the CVE element, Microsoft doesn\u2019t issue CVE tags on products that automatically update without user interaction.<\/p>\n

\u201cThis report contains a new XSS vector and a novel RCE payload which are used together,\u201d\u00a0Vegaris wrote on GitHub<\/a>. \u201cIt affects the chatting system within Microsoft Teams and can be used in e.g. direct messages, channels.\u201d<\/p>\n

In a technical breakdown of the vulnerability, the researcher highlighted how RCE can be achieved by chaining two flaws, including stored XSS in Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client.\u00a0<\/p>\n

The impact is seemingly alarming, with its wormable nature meaning the exploit payload can be spread across other users, channels and companies without any interaction. The\u00a0execution of malicious code<\/a>\u00a0could also happen without any user interaction, given users need to only view the specially-crafted message.\u00a0<\/p>\n

The consequences of infection range from complete loss of confidentiality and integrity for victims, to access to private communications, internal networks, private keys as well as\u00a0personal data<\/a>\u00a0outside of Microsoft Teams.<\/p>\n

Hackers can also gain access to single sign-on (SSO) tokens for other services, including Microsoft services such as Outlook or Microsoft\u00a0365. This will expose them to possible\u00a0phishing<\/a>\u00a0attacks too, as well as keylogging with specially-crafted payloads, according to Vegaris.<\/p>\n

IT Pro\u00a0<\/em>approached Microsoft for comment. <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Keumars Afifi-Sabet<\/p>\n

8 Dec, 2020 <\/p>\n

Hackers were able to exploit a serious vulnerability in\u00a0Microsoft Teams\u00a0desktop apps to execute arbitrary code remotely and spread infection across a company network by simply sending a sp…<\/p>\n","protected":false},"author":433,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-41630","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41630","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/433"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=41630"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41630\/revisions"}],"predecessor-version":[{"id":41631,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41630\/revisions\/41631"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=41630"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=41630"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=41630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}