Oskars Vegeris, a security researcher at Evolution Gaming, discovered a remote code execution vulnerability in the Microsoft Teams enterprise platform that requires no user interaction. The exploitation of the vulnerability allows an attacker to execute arbitrary code by sending a specially crafted chat message and compromise the victim’s system.
The exploitation of the vulnerability results in “a complete loss of confidentiality and integrity for end users – access to private chats, files, internal network, private keys and personal data outside MS Teams.”
Even worse, the RCE vulnerability is cross-platform and affects Microsoft Teams for Windows (v1.3.00.21759), Linux (v1.3.00.16851) and macOS (v1.3.00.23764), as well as the web application (teams.microsoft.com). The vulnerability is also worm-like: it can spread from a single account to an entire group of users, compromising the whole communication channel.
To exploit the vulnerability, an attacker could combine a cross-site scripting vulnerability in the @mentions functionality of Microsoft Teams with a JavaScript-based RCE payload to post a seemingly harmless chat message that mentions a user, either in a direct message or in a channel.
Simply viewing the chat executes the payload, which can then be used to harvest the user's SSO tokens from local storage, steal data and execute any command of the attacker's choice.