Cybersecurity consultant exposes Teams flaws allowing reverse shell creation via GIFs

There are “insecure” design elements or vulnerabilities within Microsoft Teams that could possibly be used by attackers. According to cybersecurity consultant Bobby Rauch who shared the discovery, it could be performed using the malicious GIFs sent in Teams messages. (via BleepingComputer)

“This unique C2 infrastructure can be leveraged by sophisticated threat actors to avoid detection by EDR and other network monitoring tools. Particularly in secure network environments, where Microsoft Teams might be one of a handful of allowed, trusted hosts and programs, this attack chain can be particularly devastating,” explained Raunch. “Two additional vulnerabilities discovered in Microsoft Teams, a lack of permission enforcement and attachment spoofing, allow for the GIFShell stager to be convincingly dropped and executed on the victim’s machine, completing the attack chain from victim compromise to covert communications.”

The report was first shared with Microsoft in May and June of 2022. It concerns Teams Version 1.5.00.11163 and earlier, and Raunch said the vulnerabilities are still unpatched in the latest Teams version, giving the actors the chance to perform the GIFShell attack chain on them. However, according to the consultant, the findings failed to meet Microsoft’s “bar for servicing” despite being described as “great research” and the company giving him the permission to “blog about/discuss this case and/or present your findings publicly.”

“Oftentimes, companies and engineering teams make design decisions based on ‘assumed risk,’ whereby a potentially low impact vulnerability is left unpatched or a security feature is disabled by default, in order to achieve some business objective,” Raunch expressed his concern. “I believe this research is demonstrative of an instance where a series of design decisions and “assumed risks” made by a product engineering team, can be chained together into a more pernicious attack chain, and a far higher risk exploit than the product designers imagined was possible.”

Raunch enumerated in his report the seven Microsoft Teams flaws and vulnerabilities. One of the most notable points highlighted by Raunch is the fact that the byte content of HTML base64 encoded GIFs included in Microsoft Teams messages are not scanned for malicious content. He also explained that since plain text Teams log files reading doesn’t need administrator or elevated privileges, the malicious stager that would be installed can freely run and scan the log files. Through these vulnerabilities, Rauch said that security control bypasses, data exfiltration, command execution, and phishing attacks are possible.

When asked about the bugs, Microsoft told BleepingComputer almost the same response Raunch received from the company.

“This type of phishing is important to be aware of and as always, we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.

“We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix. We’re constantly looking at new ways to better resist phishing to help ensure customer security and may take action in a future release to help mitigate this technique.”

On the other hand, while Microsoft considers Raunch’s findings as part of “some lower severity vulnerabilities that don’t pose an immediate risk to customers,” it “will be considered for the next version or release of Windows.”