A zero-click remote code execution (RCE) flaw in Microsoft Teams desktop apps made it possible to execute arbitrary code and compromise the system simply by sending a specially crafted chat message.
The issues were reported to the Windows vendor by Oskars Vegeris, a security engineer at Evolution Gaming, on August 31, 2020, before being fixed in late October.
Microsoft has not assigned a CVE to this vulnerability. “It is currently Microsoft’s policy not to issue CVEs for products that automatically update without user interaction.”
“No user interaction is required. The exploit is executed as soon as the chat message is displayed,” Vegeris explained in a technical report.
The result is a “complete loss of confidentiality and integrity for end users – access to private chats, files, internal network, private keys and personal data outside of MS Teams,” the researcher added.
Worse, the RCE is cross-platform, affecting Microsoft Teams for Windows (v1.3.00.21759), Linux (v1.3.00.16851), macOS (v1.3.00.23764) and the Web (teams.microsoft.com), and could be propagated to other channels through automatic reposting of malicious payloads.
This also means that the exploit can be propagated from one account to an entire group of users, compromising an entire channel.
Simply visiting the chat on the receiving end leads to the execution of the payload, which can be exploited to log users’ SSO tokens to local storage for exfiltration and to execute an arbitrary attacker command.
This is not the first time such RCE flaws have been observed in Teams and other enterprise-facing messaging apps.
The most notable of these is a separate RCE vulnerability in Microsoft Teams (CVE-2020-17091), which the company patched as part of its November 2020 patches last month.
Earlier this August, Vegeris had also disclosed a critical “wormable” flaw in the desktop version of Slack that could have allowed an attacker to take over the system by simply sending a malicious file to another Slack user.