Researchers discovered an RCE vulnerability in Microsoft Teams during Pwn2Own 2022. The application is used by a wide range of people, including professionals, and an exploit could cause significant harm to its users.
The Teams exploits received the highest payouts — $150,000 has been awarded for each of three exploit chains. Masato Kinugawa leveraged a three-bug chain that included an injection, a misconfiguration and a sandbox escape. Hector “p3rr0” Peralta demonstrated an improper configuration, and the STAR Labs team used a zero-click remote code execution exploit that leveraged an injection and an arbitrary file write flaw.
How Does the Vulnerability Work?
Microsoft Teams’ deeplink handler for /l/task/:appId can load arbitrary URL in webview/iframe. The functionality of the team’s RPC allows the attacker to leverage this to obtain code execution outside the sandbox.
This URL route handler accepts the URL as a parameter. This permits the Teams application-created chatbot to send a user a link that should be in the URL allowlist.
To validate the URL, domains are converted into regular expressions. This check is successful if the source URL matches the provided regular expression. However, the parsed form (parseUrl) is sent to the webview after verifying the URL.
This is troubling because utilityService’s parseUrl url-decodes the URL; the check is performed on the original, unencoded URL.
When an allowlisted domain contains a wildcard, such as *.office.com, the generated regular expression is /^https://[^/^.]+[.]office[.]com((/|\?).*) ?$/i.
The wildcard changes to [^/^.]+, but the check is successful if the given URL is https[:]//attacker.com%23.office[.]com.
When the URL is decoded, it becomes https[:]//attacker.com#.office[.]com, which loads attacker[.]com instead.
When an attacker calls remoteServerRequire with the argument slimcore, the pluginHost evaluates the string returned by String.prototype.replace. As a result, the attacker can invoke require() with malicious arguments and methods, achieving remote code execution in the child process module.