Remote Code Execution Vulnerability in Microsoft Teams

Home/BOTNET, Data Breach, Exploitation, Internet Security, Security Advisory, Security Update/Remote Code Execution Vulnerability in Microsoft Teams

Remote Code Execution Vulnerability in Microsoft Teams

Researchers discovered an RCE vulnerability in Microsoft Teams during Pwn2Own 2022. The application is used by a wide range of people, including professionals, and an exploit could cause significant harm to its users. 

The Teams exploits received the highest payouts — $150,000 has been awarded for each of three exploit chains. Masato Kinugawa leveraged a three-bug chain that included an injection, a misconfiguration and a sandbox escape. Hector “p3rr0” Peralta demonstrated an improper configuration, and the STAR Labs team used a zero-click remote code execution exploit that leveraged an injection and an arbitrary file write flaw.

How Does the Vulnerability Work? 

Microsoft Teams’ deeplink handler for /l/task/:appId can load arbitrary URL in webview/iframe. The functionality of the team’s RPC allows the attacker to leverage this to obtain code execution outside the sandbox. 

This URL route handler accepts the URL as a parameter. This permits the Teams application-created chatbot to send a user a link that should be in the URL allowlist. 

To validate the URL, domains are converted into regular expressions. This check is successful if the source URL matches the provided regular expression. However, the parsed form (parseUrl) is sent to the webview after verifying the URL. 

This is troubling because utilityService’s parseUrl url-decodes the URL; the check is performed on the original, unencoded URL.

When an allowlisted domain contains a wildcard, such as *, the generated regular expression is /^https://[^/^.]+[.]office[.]com((/|\?).*) ?$/i

The wildcard changes to [^/^.]+, but the check is successful if the given URL is https[:]//[.]com

When the URL is decoded, it becomes https[:]//[.]com, which loads attacker[.]com instead. 

When an attacker calls remoteServerRequire with the argument slimcore, the pluginHost evaluates the string returned by String.prototype.replace. As a result, the attacker can invoke require() with malicious arguments and methods, achieving remote code execution in the child process module. 

Follow Us on: Twitter, InstagramFacebook to get the latest security news!

By | 2023-01-26T09:14:18+05:30 January 24th, 2023|BOTNET, Data Breach, Exploitation, Internet Security, Security Advisory, Security Update|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!