Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams

A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code and compromise a target’s system merely by sending a specially crafted chat message.

The issues were reported to the Windows maker by Oskars Vegeris, a security engineer from Evolution Gaming, on August 31, 2020, before they were addressed at the end of October.

“No user interaction is required, exploit executes upon seeing the chat message,” Vegeris explained in a technical write-up.

The result is a “complete loss of confidentiality and integrity for end users — access to private chats, files, internal network, private keys and personal data outside MS Teams,” the researcher added.

Worse, the RCE is cross-platform — affecting Microsoft Teams for Windows (v1.3.00.21759), Linux (v1.3.00.16851), macOS (v1.3.00.23764), and the web ( — and could be made wormable, meaning it could be propagated by automatically reposting the malicious payload to other channels.

This also means the exploit can be passed on from one account to a whole group of users, thereby compromising an entire channel.

To achieve this, the exploit chain strings together a cross-site scripting (XSS) flaw present in the Teams ‘@mentions’ functionality and a JavaScript-based RCE payload to post a harmless-looking chat message containing a user mention, either as a direct message or to a channel.

Simply visiting the chat at the recipient’s end leads to the execution of the payload, allowing it to be exploited to log users’ SSO tokens to local storage for exfiltration and execute any command of the attacker’s choice.

This is not the first time such RCE flaws were observed in Teams and other enterprise-focused messaging apps.

Chief among them is a separate RCE vulnerability in Microsoft Teams (CVE-2020-17091) that the company patched as part of its November 2020 Patch Tuesday last month.

Earlier this August, Vegeris also disclosed a critical “wormable” flaw in Slack’s desktop version that could have allowed an attacker to take over the system by simply sending a malicious file to another Slack user.

Then in September, networking equipment maker Cisco patched a similar flaw in its Jabber video conferencing and messaging app for Windows that, if exploited, could allow an authenticated, remote attacker to execute arbitrary code.
