Zero Click 'Wormable' RCE found in Microsoft Teams App
A critical remote code execution vulnerability was found in the Microsoft Teams desktop apps that lets an attacker execute arbitrary code remotely and spread the infection across a company network simply by sending a specially crafted message.
The zero-click, wormable flaw was reported by security engineer Oskars Vegeris of Evolution Gaming on August 31, 2020. The bug is triggered by a cross-site scripting (XSS) injection in the Microsoft Teams application: an attacker sends a specially crafted message, which leads to code execution on the victim's system without any user interaction.
“This report contains a new XSS vector and a novel RCE payload which are used together,” Vegeris wrote on GitHub. “It affects the chatting system within Microsoft Teams and can be used in e.g. direct messages, channels.”
Vegeris explained the seriousness of the bug by detailing the consequences of infection, which range from complete loss of confidentiality and integrity for victims to access to private communications, internal networks, private keys, and personal data outside of Microsoft Teams.
Furthermore, he noted that simply visiting the chat at the recipient's end leads to execution of the payload, which can be used to log users' SSO tokens to local storage for exfiltration and to execute any command of the attacker's choice.