Could you clarify the "one of five" statement please? Are the other 4 vulnerabilities still unfixed, or they are fixed but a write-up is still pending?
If there are still 4 unfixed RCE bugs in Teams I'd rather people uninstall Teams than wait for the fix...
> Thank you for reporting it and not selling it on the black market!
I disagree. If MS is going to treat major issues like this then researchers should be selling them to the highest bidder. Maybe that way they'll actually treat disclosures properly.
Pretty bold to advocate for blackhat behavior on one of the most schoolboy vanilla places on the internet, but I can't say I necessarily disagree with your sentiment, big tech needs a lesson but is this really the vulnerability we want? 115 million DAU on teams...
The amount of damage the NSA or some other state sponsored actor could do with this... It would be very bad to say the least. How bad depends on which state acquires it.
If a script kiddy got it they would likely do a mass ransomware infection, hospitals would get hit, people would die. Millions in crypto would be lost to unencrypted wallets found on the vulnerable machines (yes people do that..), this could cause some to lose their life savings... People have committed suicide for less.
My point is it's important to look past FAANG being cheap and look at 2nd and 3rd order effects from something this powerful and widespread.
Governments around the world already regularly trade in exploits that are as or more severe than this one.
That isn’t to advocate for brokering to a government, just to say that the market already exists and contains comparable exploits. It’s only a matter of time until we see the next EternalBlue to WannaCry lifecycle.
> look at 2nd and 3rd order effects
.. which FOSS engineers have spent their lives on, while FAANG accumulates patent and SSL money across international borders? forcing TEAMS kool-aid with surveillance built-in, down your desktop with the help of C-Suite and their attorneys?
> But what about all of the innocent people who would be harmed by such a callous approach?
They should then think again about their choice of using teams. Why should Microsoft rake in money from a shabby product while volunteers have to fix their shit?
Assigning a ridiculously low score to significantly lower the bounty as a billion dollar company is disgusting.
To what extent should the blame for any harm fall on Microsoft? They are the ones relying on effectively free labor to protect the innocent. In such a case blaming the free labor instead of blaming the ones relying on free labor seems to create some very bad incentives.
Personally I would prefer just having all new vulnerabilities immediately disclosed once found. No selling, but letting people decide for themselves if they want to continue to use a product after someone has found a vulnerability. I also think the incentives this creates would mean that Microsoft and similar shops would put more effort into testing their own software because they would no longer have the safety net of a grace period when someone finds a problem.
Thing is, we don't know if this was found before by malicious actors and sold and/or abused.
This thing sounds like it is mostly pretty straight forward to find once you start looking - "you" being somebody experienced in this field of research, that is. At least you don't have to construct fancy weird machines (with type confusion, heap spraying and all those shenanigans). It comes down to finding something that can perform code execution in their internal API (here: "electronSafeIpc") and then finding a way to get there (here: angular escape bypass/not-properly-sanitized user provided data) and you can do both in javascript and don't have to read tons of machine code.
Given that Teams is a great target because of its large and often corporate user base, I'd be surprised if none of the usual industrial espionage suspects (e.g. China, NSA, etc) had a look at Teams before. And I'd think the chance of them having found the same bug, or a related bug, once they looked is pretty good too.
From what I am hearing even the (US) military uses Teams sometimes... If that isn't incentive to look at this thing for "interested parties", then I don't know.
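The comment above describes the two ingredients of this class of bug: markup that reaches the renderer unsanitized, and a privileged internal IPC surface the renderer can reach. From a defender's side, the settings that decide whether the second step exists are the window's Electron `webPreferences` and its Content-Security-Policy. The block below is an added example (not code from the thread, from Microsoft Teams, or from the report's author) that audits those settings; the function names `auditWebPreferences`, `auditCsp` and `auditWindow`, the two sample configurations, and the preload path are constructed for this example. The key names follow Electron's documented `BrowserWindow` options (`enableRemoteModule` only exists in older Electron releases).

```javascript
// Added example, not from the thread: audit the Electron settings that decide
// whether a renderer-side HTML/JS injection can reach Node or the main process.
// Names (auditWebPreferences, auditCsp, auditWindow) and sample configs are constructed.

// Explicit values that weaken the renderer / main-process boundary.
// Keys follow Electron's BrowserWindow webPreferences documentation.
const RISKY_SETTINGS = [
  ['nodeIntegration', true, 'renderer JavaScript can require() Node modules directly'],
  ['nodeIntegrationInWorker', true, 'web workers get Node access'],
  ['nodeIntegrationInSubFrames', true, 'iframes get Node access'],
  ['contextIsolation', false, 'page scripts share a JS context with preload code'],
  ['sandbox', false, 'renderer process runs outside the OS sandbox'],
  ['webSecurity', false, 'same-origin policy disabled'],
  ['allowRunningInsecureContent', true, 'HTTPS pages may load HTTP scripts'],
  ['enableRemoteModule', true, 'renderer can reach main-process objects via remote'],
  ['experimentalFeatures', true, 'experimental Chromium features enabled'],
];

// Returns one finding string per explicitly risky value in a webPreferences object.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, badValue, why] of RISKY_SETTINGS) {
    if (prefs[key] === badValue) {
      findings.push(`${key}=${badValue}: ${why}`);
    }
  }
  return findings;
}

// Checks a Content-Security-Policy value for script-src weaknesses.
// Inline scripts and eval are what an injected template payload usually needs.
function auditCsp(csp) {
  if (!csp) {
    return ['no Content-Security-Policy set'];
  }
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0], tokens.slice(1));
  }
  // Per CSP semantics, script-src falls back to default-src when absent.
  const scriptSrc = directives.get('script-src') || directives.get('default-src');
  if (!scriptSrc) {
    return ['no script-src or default-src directive'];
  }
  const findings = [];
  for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
    if (scriptSrc.includes(bad)) findings.push(`script-src allows ${bad}`);
  }
  return findings;
}

// Constructed samples: a legacy-style window next to a hardened one.
const legacyWindow = {
  webPreferences: { nodeIntegration: true, contextIsolation: false, enableRemoteModule: true, sandbox: false },
  csp: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
};
const hardenedWindow = {
  webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true, preload: '/path/to/preload.js' },
  csp: "default-src 'self'; script-src 'self'; object-src 'none'",
};

// Combined report for one window description.
function auditWindow(win) {
  return [...auditWebPreferences(win.webPreferences), ...auditCsp(win.csp)];
}

console.log('legacy window:', auditWindow(legacyWindow));
console.log('hardened window:', auditWindow(hardenedWindow));
```

With the hardened settings, an injected script is confined to the renderer's web context: it still matters (it runs as the page), but it cannot call Node APIs or main-process objects without going through whatever the preload script deliberately exposes, which is where the IPC surface itself has to be reviewed.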
Then people will move to some understaffed FOSS alternative with 5 people working part-time on it, with as severe bugs that nobody notices (remember Heartbleed and countless others?)...
Aside from the harm this could inflict on innocent users, I’m not actually convinced it would cause vendors to change their behavior.
From a business perspective, the reason exploits are bad for companies is because they generate bad press, right? Well, it's not obvious to me that an exploit which was being used in the wild gets significantly worse press than one which was not. There's also the possibility the buyer will reserve an exploit for super-targeted attacks, and the public won't find out at all until years later.
Profiting from the very likely unethical use of the exploit would be unethical.
Instead this mishandling by M$ should rather cause researchers to publicly announce the vulnerabilities which would hopefully cause M$ to change their ways in future dealings.
It is of course easy for me to say this, not being a researcher who lives off of the discoveries made.
you could be a grey hat if you averaged out one exploit turned in to the proper group to one exploit sold to the highest bidder. Flip a coin to be a real greyhat
That most locks are pickable is common knowledge and that is why high-risk targets invest in additional security beyond locks.
That crufty electron apps are a security risk is not. So yes, you do need someone to run out into the streets and yell that the emperor has no clothes. Otherwise common knowledge will not be established.
Not selling this is the real crime here. Microsoft's conduct in this case deserves much worse than just that.
Hoping for a reward now is obviously not going to happen - the best you can hope for as a response to an act like this is legal action. In a vindictive way, you can definitely hope they will get significantly damaged by this and in that way learn their lesson, but I doubt it.
Sorry if I am just obtuse but I don’t see a timeline in the linked report on GitHub. All I can see is that you tested against a version of Teams from 2020-08-31. Being able to see the complete timeline of communication with MS from discovery to public disclosure is not necessary but would give a more complete picture of how this went down, and I’d like to see it too if it’s not such a hassle.
Could you put that in the README, is what we're asking, as vague as it may be.
At the moment the 'has been fixed' is the only clue to this in terms of resolution, and it's tucked away; without it it looks like most of the README is attempting to capitalize on the shock/outrage factor.
In 1989, Morris was indicted for violating United States Code Title 18 (18 U.S.C. § 1030), the Computer Fraud and Abuse Act (CFAA).[2] He was the first person to be indicted under this act. In December 1990, he was sentenced to three years of probation, 400 hours of community service, and a fine of $10,050 plus the costs of his supervision. He appealed, but the motion was rejected the following March.[4] Morris' stated motive during the trial was "to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects [he] had discovered."[2] He completed his sentence as of 1994.
He is a longtime friend and collaborator of Paul Graham. Graham dedicated his book ANSI Common Lisp to Morris. Graham lists Morris as one of his personal heroes, saying "he's never wrong."
to be friends with Paul Graham, i should make a worm. Got it.
Ehh in 1988 that worm was like an alien artifact from the cyberpunk future.
First "real" worm code, multi-platform, multiple payloads, "staging", first practical buffer overflow exploit and it does credential brute-forcing.
Heck it was not until nearly a decade later that people were really doing buffer overflows, and there were a LOT of easy overflows to be found.
I'd make the case rtm didn't just "make a worm" he foreshadowed the next few decades of computer exploitation.
Took a whole bunch of research and ideas, synthesised them, built an actual working "product" a decade or two ahead of its time and released it in a transgressive way.
If you are the kind of person who can do that I'm sure lots of people would like to be friends with you.
Maybe I missed it but I do not understand why injecting a null byte allowed you to bypass Angular's protections. Is that a bug in Angular and if so is it fixed?
Is there any tell-tale sign this happened to you? I had a really weird experience on Mac last week: I opened up my machine and when I focused on teams I got a security alert saying something called Endgame from Elastico was demanding permissions. Never downloaded it but there it was in Applications.
It is technically never possible to guarantee tell-tale signs of an RCE. At the point where you're running compromised code, that code could in most cases be constructed as to erase its own tracks. There might be some visible sign at the moment of exploitation, but after that it's kinda over.
(Yes this assumes the RCE escalates to a reasonably high privilege, but that's just a matter of chaining. You can try to go for things like sealed logs, but ultimately arbitrary code can put your machine in an arbitrary state.)
Particularly insidious for this would be the case of data theft. The RCE might load some code to upload your company secrets and keep itself strictly in RAM, and then erase itself when done. With enough blackhat craftiness you'd never be able to pinpoint the exact location of the leak.
If you're using an employer provided computer then they've likely installed Endgame[0] which is an endpoint (it runs on each device) security tool. Endgame was acquired by Elastic[1] last year.
Is this a work Mac? If so then it is likely managed through some kind of MDM system (JAMF etc), and it wouldn't be unreasonable for the owner of the hardware to be pushing down an endpoint agent like Elastic Endgame. Check in with your security team and ask them.
There is, however, some consolation in the fact that only an individual who is already connected to you in Teams can run this.
That's not to say - of course - it's not abuse-able, it just gives some context to the fact that MS calls this "Spoofing", since presumably, your Teams contact is someone you trust. So the bad actor is "spoofing" as someone trustable within your org (or outside it). But it does prob need some social-engineering for a bad actor to truly exploit this.
But the threat is still severe since the above logic only holds up to the point-of-entry, once the worm has infected someone the people forwarding it around are truly trusted.
One of my health care providers uses Microsoft Teams as their telehealth solution. My city government uses Microsoft Teams for some public meetings. The idea that folks are only using Teams to connect with other trusted parties is comforting, but false.
I suspect with the on-going pandemic lots of tools are getting used in interesting ways they were never really designed for just to keep things going.
It’s bad, but it’s mostly bad because Teams is bad. It’s still better than Amwell, which somehow manages to have multi-second latencies and requires me to manually mute my video preview to stop it looping back my own audio.
The old P2P Skype had better video quality and latency, even when talking to people 4000 miles away, than every video product I’ve used in the last year. Probably not coincidentally, every video product I’ve used in the last year has been web-based. WebRTC is an enormous disappointment.
That’s pretty scary tbh. All you need is a single employee to fall for a phishing attack or other social hacking attempt and that’s game over. Everyone from the CEO down is compromised. Zero click wormability with remote code execution on a platform the entire company uses gives the exploit unlimited reach within a company. This makes this one of the most effective hacking/corporate espionage tools I’ve heard of.
Imagine a bad actor starting work at large corp having all confidential information up for grabs from colleagues on Teams. It is especially scary during these times where a lot of companies moved completely to working from home.
Some health organisations also use Teams for group support meetings. Imagine someone being able to rummage through your documents during an appointment.