By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

The update mechanism as it is currently implemented in Microsoft Teams desktop app allows downloading and executing arbitrary files on the system. The same issue affects GitHub, WhatsApp, and UiPath software for desktop computers but it can be used only to download a payload. These applications rely on the open source Squirrel project to manage installation and updating routines, which uses NuGet package manager to create the necessary files. Multiple security researchers discovered that using the 'update' command for a vulnerable application it is possible to execute an arbitrary binary in the context of the current user. The same goes for 'squirrel.exe.' With Microsoft Teams, a payload is added to its folder and executed automatically using certain commands. These commands can be used with other arguments, including 'download,' which enables retrieving the payload in the form of a NuGet package from a remote location.  The same method is valid for "squirrel.exe," which is also part of the Microsoft Teams installation package. Both executables are now part of the Living Off The Land Binaries and Scripts database on GitHub. Reverse engineer Reegun Richard tested the issue on Microsoft Teams and reported it to the company on June 4. The application continues to be vulnerable at this point as Microsoft informed the researcher that the fix would come in a future release of the software. Trying to replicate the effect with GitHub, and WhatsApp, and UiPath did not achieve execution for the payload and only downloading it from a remote server was possible. "In this scenario, an attacker can use this method to mask the payload download," which is still useful for an adversary, Richard told BleepingComputer. If you use Microsoft Teams, you surely want to learn more about this security infraction and visit OUR FORUM.

 

GTranslate