Zero Click 'Wormable' RCE found in Microsoft Teams App

Critical RCE vulnerability in the Microsoft Teams desktop application


A critical remote code execution (RCE) vulnerability was found in the Microsoft Teams desktop apps. It allows an attacker to execute arbitrary code on a victim's machine and to spread the infection across a company network simply by sending a specially crafted message.

The zero-click, wormable flaw was reported by Oskars Vegeris, a security engineer at Evolution Gaming, on August 31, 2020. The bug is triggered through a cross-site scripting (XSS) injection in the Microsoft Teams application: an attacker sends a specially crafted message that leads to code execution on the victim's system without any user interaction.

“This report contains a new XSS vector and a novel RCE payload which are used together,” Vegeris wrote on GitHub. “It affects the chatting system within Microsoft Teams and can be used in e.g. direct messages, channels.”

In the GitHub post, the researcher explains the vulnerability and highlights how RCE is achieved by chaining two flaws: a stored XSS in the Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client. The flaw is cross-platform, affecting the Teams application for Windows (v1.3.00.21759), Linux (v1.3.00.16851) and macOS (v1.3.00.23764), as well as the web client (teams.microsoft.com). Because the bug is wormable, the exploit can escalate from one account to a whole group of users, compromising an entire channel.

Vegeris stressed the seriousness of the bug by detailing the consequences of infection, which range from complete loss of confidentiality and integrity for victims to access to private communications, internal networks, private keys and personal data outside of Microsoft Teams.

Furthermore, he noted that simply viewing the chat on the recipient's end executes the payload, which can be used to log users' SSO tokens to local storage for later exfiltration and to execute any command of the attacker's choice.