This is the first of five zero-click or one-click Microsoft Teams remote code execution bug chains sent in to MSRC (MSRC rated it "Important, Spoofing").

A specially crafted chat message can be sent to any Microsoft Teams member or channel and will execute arbitrary code on the victim's PC with NO USER INTERACTION. Remote code execution was achieved in the desktop applications on all supported platforms (Windows, macOS, Linux). The bug sits in the chat system of Microsoft Teams, so it can be triggered from direct messages as well as channels.

To achieve RCE in Microsoft Teams, two vulnerabilities are chained: a stored cross-site scripting (XSS) bug in the mention functionality, and a novel payload that turns that XSS into code execution in the desktop client.

Reproducing the XSS:

1. Type a chat message in a direct conversation or a channel and mention a user or a custom tag in it.
2. Edit the chat message that contains the mention, and intercept the edit request with an HTTP proxy such as Burp Suite.
3. In the mention functionality the vulnerable parameter is displayName. Note that mentions is itself a JSON-encoded string nested inside the JSON message body:

{ content: "...", properties: { "mentions": "[{ displayName: PAYLOAD HERE }]" } }

The edit request should look something like this; note the displayName field:

The Angular expression filter can be bypassed by injecting a null-byte character as the Unicode escape \u0000, e.g.:

To access the user's local storage and all SSO tokens, use the following payload in displayName in the HTTP PUT request above.

Full HTTP request for SSO token logging:

This logs the user's local storage as an XSS proof of concept. No further action is necessary: every user in the chat starts logging their SSO tokens, which can then be exfiltrated. You can verify this in the developer tools of the Microsoft Teams desktop client or of any browser.

From XSS to RCE: a novel remote code execution payload was developed that bypasses all restrictions currently implemented in Microsoft Teams desktop (remote require, node integration, webview preload filtering, etc.) and should work even if contextIsolation is enabled.

Shortened version for the HTTP PUT request, improved to execute only once per reload:

Full HTTP PUT request with the RCE payload:
As said here by oskarsve
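To make the null-byte bypass and the nested mentions structure concrete, here is an added example in JavaScript. It is my illustration, not code from the writeup, from oskarsve or from Microsoft: the page shows neither Teams' real filter nor the actual payload, so the filter regex, the renderer's control-character stripping and the benign sample expression {\u0000{ 1+1 }\u0000} are all constructed assumptions. What it demonstrates is the general filter/consumer mismatch: a check that runs on the raw displayName misses interpolation markers that a null byte splits apart, while a consumer that strips control characters before templating reassembles them. It also builds the message body in the shape quoted above, so you can see that a U+0000 in displayName travels inside the JSON as the literal escape \u0000.

```javascript
// Added example: model of the filter/renderer mismatch behind the \u0000 bypass.
// Nothing here is Teams' own code; the filter, the normalization step and the
// sample expression are constructed assumptions for illustration.

// Naive filter: looks for Angular interpolation markers on the raw string.
const TEMPLATE_MARKERS = /\{\{|\}\}/;

function naiveFilterAllows(displayName) {
  return !TEMPLATE_MARKERS.test(displayName);
}

// Assumed consumer behaviour: C0 control characters (including U+0000) are
// dropped before the name reaches the template engine, so the renderer sees a
// different string than the filter checked.
function rendererNormalize(displayName) {
  return displayName.replace(/[\u0000-\u001f\u007f]/g, '');
}

// Builds the message body in the shape quoted in the writeup: the mentions
// array is JSON-encoded to a string and nested inside the JSON message.
function buildMessage(content, displayName) {
  return JSON.stringify({
    content,
    properties: { mentions: JSON.stringify([{ displayName }]) },
  });
}

// What a consumer of that body has to do: parse the outer JSON, then the
// mentions string a second time.
function parseMentions(body) {
  const msg = JSON.parse(body);
  return JSON.parse(msg.properties.mentions);
}

// Hardened check: refuse control characters outright, then test the string the
// renderer will actually see instead of the raw input.
function hardenedFilterAllows(displayName) {
  if (/[\u0000-\u001f\u007f]/.test(displayName)) return false;
  return !TEMPLATE_MARKERS.test(rendererNormalize(displayName));
}

// Runs one displayName through the whole path and reports what each stage saw.
function evaluateMention(displayName) {
  const body = buildMessage('hello', displayName);
  const [mention] = parseMentions(body);
  return {
    wireHasEscapedNull: body.includes('\\u0000'), // JSON.stringify emits U+0000 as \u0000
    naiveAllowed: naiveFilterAllows(mention.displayName),
    hardenedAllowed: hardenedFilterAllows(mention.displayName),
    rendered: rendererNormalize(mention.displayName),
  };
}

// Constructed, benign sample: null bytes split both "{{" and "}}" so the naive
// filter finds no marker, but the renderer reassembles "{{ 1+1 }}".
const BYPASS_SAMPLE = '{\u0000{ 1+1 }\u0000}';

console.log(evaluateMention('Alice'));
console.log(evaluateMention(BYPASS_SAMPLE));
```

The design point is that the check and the consumer must agree on the string they look at; normalizing first (or rejecting control characters entirely) closes this particular gap, but user-supplied names should never be interpolated into a template in the first place.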
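The RCE stage above is described only by the Electron restrictions it gets past (remote require, node integration, webview preload filtering, contextIsolation). The page states that the payload bypasses all of them, so the following added example is a baseline check rather than a fix for this chain: a small JavaScript audit of an Electron BrowserWindow webPreferences object that reports which of those controls are off. It is my code, not Teams' configuration or Electron's API; the per-version defaults it assumes (nodeIntegration and webviewTag off since Electron 5, enableRemoteModule off since 10 and removed in 14, contextIsolation on since 12, sandbox on since 20) are taken from Electron's documented breaking changes and are labelled as assumptions in the code.

```javascript
// Added example: audit an Electron BrowserWindow webPreferences object for the
// renderer restrictions the writeup lists. Not Teams' configuration; the
// defaults per Electron major below are assumptions from Electron's documented
// breaking changes and are applied only where the app did not set the option.

function effectiveWebPreferences(prefs, electronMajor) {
  const defaults = {
    nodeIntegration: electronMajor < 5,      // default off since Electron 5
    webviewTag: electronMajor < 5,           // default off since Electron 5
    enableRemoteModule: electronMajor < 10,  // default off since 10, removed in 14
    contextIsolation: electronMajor >= 12,   // default on since Electron 12
    sandbox: electronMajor >= 20,            // default on since Electron 20
  };
  return { ...defaults, ...prefs };
}

// Returns a list of findings; an empty list means every checked control is on.
function auditWebPreferences(prefs, electronMajor) {
  const p = effectiveWebPreferences(prefs, electronMajor);
  const findings = [];
  if (p.nodeIntegration) {
    findings.push('nodeIntegration: renderer scripts can require() Node modules directly');
  }
  if (!p.contextIsolation) {
    findings.push('contextIsolation: page scripts share a JS world with the preload script');
  }
  if (!p.sandbox) {
    findings.push('sandbox: renderer runs without the OS-level sandbox');
  }
  if (p.enableRemoteModule && electronMajor < 14) {
    findings.push('enableRemoteModule: renderer can reach main-process objects via remote');
  }
  if (p.webviewTag) {
    findings.push('webviewTag: <webview> elements can be created and pointed at untrusted content');
  }
  return findings;
}

// Constructed sample configurations: a weak legacy setup and a hardened one.
const LEGACY_PREFS = { nodeIntegration: true, contextIsolation: false };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

console.log('Electron 9, legacy:', auditWebPreferences(LEGACY_PREFS, 9));
console.log('Electron 22, hardened:', auditWebPreferences(HARDENED_PREFS, 22));
```

Treat an empty result as necessary, not sufficient: with an XSS in a renderer that holds SSO tokens, these settings limit what a payload can reach, and the writeup's point is that a sufficiently creative payload still found a path to code execution.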