Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams
A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target's system.
Microsoft did not assign a CVE to this vulnerability, stating "it's currently Microsoft's policy to not issue CVEs on products that automatically updates without user's interaction."
"No user interaction is required, exploit executes upon seeing the chat message,".
The result is a "complete loss of confidentiality and integrity for end users — access to private chats, files, internal network, private keys and personal data outside MS Teams,".
Worse, the RCE is cross-platform — affecting Microsoft Teams for Windows (v1.3.00.21759), Linux (v1.3.00.16851), macOS (v1.3.00.23764), and the web (teams.microsoft.com) — and could be made wormable, meaning it could be propagated by automatically reposting the malicious payload to other channels.
This also means the exploit can be passed on from one account to a whole group of users, thereby compromising an entire channel.
Simply visiting the chat at the recipient's end leads to the execution of the payload, allowing it to be exploited to log users' SSO tokens to local storage for exfiltration and execute any command of the attacker's choice.
This is not the first time such RCE flaws were observed in Teams and other enterprise-focused messaging apps.
Chief among them is a separate RCE vulnerability in Microsoft Teams (CVE-2020-17091) that the company patched as part of its November 2020 Patch Tuesday last month.
Earlier this August, disclosed a critical "wormable" flaw in Slack's desktop version that could have allowed an attacker to take over the system by simply sending a malicious file to another Slack user.
Then in September, networking equipment maker Cisco patched a similar flaw in its Jabber video conferencing and messaging app for Windows that, if exploited, could allow an authenticated, remote attacker to execute arbitrary code.