
Zero Click 'Wormable' RCE found in Microsoft Teams App

Critical RCE vulnerability in Microsoft Teams desktop application


A critical remote code execution vulnerability was found in the Microsoft Teams desktop apps that allows an attacker to execute arbitrary code remotely and spread the infection across a company network simply by sending a specially crafted message.

The zero-click, wormable flaw was reported by Oskars Vegeris, a security engineer at Evolution Gaming, on August 31, 2020. The bug can be triggered by a cross-site scripting (XSS) injection in the Microsoft Teams application: an attacker sends a specially crafted message, which leads to code execution on the victim's system without any user interaction.

“This report contains a new XSS vector and a novel RCE payload which are used together,” Vegeris wrote on GitHub. “It affects the chatting system within Microsoft Teams and can be used in e.g. direct messages, channels.”

In the GitHub post, the researcher explains the vulnerability and highlights how RCE can be achieved by chaining two flaws: a stored XSS in the Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client. This is a cross-platform RCE bug affecting the applications for Windows (v1.3.00.21759), Linux (v1.3.00.16851), macOS (v1.3.00.23764), and the web (teams.microsoft.com). Because the bug is wormable, the exploit can escalate from one account to a whole group of users, thereby compromising an entire channel.

Vegeris explained the seriousness of the bug by detailing the consequences of infection, which range from complete loss of confidentiality and integrity for victims to access to private communications, internal networks, private keys, and personal data outside of Microsoft Teams.

Furthermore, he mentioned that simply visiting the chat at the recipient's end leads to execution of the payload, allowing it to be exploited to log users' SSO tokens to local storage for exfiltration and to execute any command of the attacker's choice.
