Could you clarify the "one of five" statement please? Are the other 4 vulnerabilities still unfixed, or they are fixed but a write-up is still pending?
If there are still 4 unfixed RCE bugs in Teams I'd rather people uninstall Teams than wait for the fix...
Maybe I missed it but I do not understand why injecting a null byte allowed you to bypass Angular's protections. Is that a bug in Angular and if so is it fixed?
Is there any tell-tale sign this happened to you? I had a really weird experience on Mac last week: I opened up my machine and when I focused on Teams I got a security alert saying something called Endgame from Elastic was demanding permissions. Never downloaded it but there it was in Applications.
It is technically never possible to guarantee tell-tale signs of an RCE. At the point where you're running compromised code, that code could in most cases be constructed as to erase its own tracks. There might be some visible sign at the moment of exploitation, but after that it's kinda over.
(Yes this assumes the RCE escalates to a reasonably high privilege, but that's just a matter of chaining. You can try to go for things like sealed logs, but ultimately arbitrary code can put your machine in an arbitrary state.)
Particularly insidious for this would be the case of data theft. The RCE might load some code to upload your company secrets and keep itself strictly in RAM, and then erase itself when done. With enough blackhat craftiness you'd never be able to pinpoint the exact location of the leak.
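The "sealed logs" the comment above mentions are one of the few things that survive code running at high privilege, but only up to the point the commenter describes. The following is an added example, not code from the write-up or from any product discussed in this thread: a hash-chained audit log whose latest hash ("anchor") is shipped off the host. The sample events are constructed for illustration; the function and variable names are assumptions of this example.

```python
import copy
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # chain head before the first record


def chain_hash(prev_hash: str, entry: dict) -> str:
    """Each record commits to the previous hash and its own content."""
    payload = prev_hash.encode() + json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log: list, entry: dict) -> str:
    """Append an event to the in-memory chain and return its hash."""
    prev = log[-1]["hash"] if log else GENESIS
    h = chain_hash(prev, entry)
    log.append({"entry": entry, "hash": h})
    return h


def verify_chain(log: list, anchor: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain from GENESIS.

    Returns (ok, index): index is the first record whose hash does not
    match, len(log) if the chain is intact but does not reach the
    off-host anchor, or -1 if everything checks out.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if chain_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if anchor is not None and prev != anchor:
        return False, len(log)
    return True, -1


def build_sample_log() -> list:
    """Constructed endpoint events (hypothetical, not real telemetry)."""
    log = []
    for event in [
        {"ts": 1, "event": "teams started"},
        {"ts": 2, "event": "teams spawned a shell"},
        {"ts": 3, "event": "outbound connection to 203.0.113.5:443"},
    ]:
        append_entry(log, event)
    return log


def tamper_edit(log: list) -> list:
    """Attacker rewrites an incriminating record in place."""
    tampered = copy.deepcopy(log)
    tampered[1]["entry"]["event"] = "teams idle"
    return tampered


def tamper_truncate(log: list) -> list:
    """Attacker simply drops the last record(s)."""
    return log[:-1]


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log[-1]["hash"]  # in practice: exported to a remote collector
    print("intact:", verify_chain(log, anchor))
    print("edited:", verify_chain(tamper_edit(log), anchor))
    print("truncated, with anchor:", verify_chain(tamper_truncate(log), anchor))
    print("truncated, no anchor:", verify_chain(tamper_truncate(log)))
```

The last call is the limit the commenter is pointing at: without an off-host anchor, truncation is invisible, and even with one, code that gains control before the next export can stop logging and never produce the records in the first place. The chain only proves that what was exported was not altered afterwards.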
If you're using an employer provided computer then they've likely installed Endgame[0] which is an endpoint (it runs on each device) security tool. Endgame was acquired by Elastic[1] last year.
Is this a work Mac? If so then it is likely managed through some kind of MDM system (JAMF etc), and it wouldn't be unreasonable for the owner of the hardware to be pushing down an endpoint agent like Elastic Endgame. Check in with your security team and ask them.
There is, however, some consolation in the fact that only an individual who is already connected to you in Teams can run this.
That's not to say - of course - it's not abuse-able, it just gives some context to the fact that MS calls this "Spoofing", since presumably, your Teams contact is someone you trust. So the bad actor is "spoofing" as someone trustable within your org (or outside it). But it does probably need some social engineering for a bad actor to truly exploit this.
But the threat is still severe since the above logic only holds up to the point of entry; once the worm has infected someone, the people forwarding it around are truly trusted.
One of my health care providers uses Microsoft Teams as their telehealth solution. My city government uses Microsoft Teams for some public meetings. The idea that folks are only using Teams to connect with other trusted parties is comforting, but false.
That’s pretty scary tbh. All you need is a single employee to fall for a phishing attack or other social hacking attempt and that’s game over. Everyone from the CEO down is compromised. Zero click wormability with remote code execution on a platform the entire company uses gives the exploit unlimited reach within a company. This makes this one of the most effective hacking/corporate espionage tools I’ve heard of.
Imagine a bad actor starting work at large corp having all confidential information up for grabs from colleagues on Teams. It is especially scary during these times where a lot of companies moved completely to working from home.
Some health organisations also use Teams for group support meetings. Imagine someone being able to rummage through your documents during an appointment.
oskarsv|5 years ago
As for when it was fixed - I have no idea, as they never told me, one day it just was.
hundchenkatze|5 years ago
[0] https://en.wikipedia.org/wiki/Endgame,_Inc.
[1] https://en.wikipedia.org/wiki/Elastic_NV
oskarsv|5 years ago
not saying you are safe - I don’t know :)
oskarsv|5 years ago
I can’t call this “spoofing” as there are many many things you can do with it