
Squirrel Exploit Leaves Microsoft Teams Vulnerable to Privilege Escalation

%localappdata%/Microsoft/Teams/update.exe is vulnerable

By CBR Staff Writer

Microsoft’s collaboration platform Teams has a vulnerability that allows any local user to make the application run malicious code, giving an attacker code execution under a trusted Microsoft binary and a route to privilege escalation.

Researchers have found that the Microsoft Teams vulnerability can be triggered by running the desktop application’s own update command and pointing it at a crafted package.

(Microsoft Teams is a collection of enterprise collaboration tools built on Office 365, combining chat with a SharePoint Online site and a document library to store team files.)

This issue also affects the desktop versions of WhatsApp, UiPath and GitHub; however, in their case the vulnerability can only be used to download a payload, not to execute it.

All of these applications use the open source project Squirrel, an installation and update framework for Windows desktop applications, which ships application files as NuGet packages (.nupkg archives) and uses the NuGet package format to manage them.

The issue has yet to be patched. Security researcher Reegun Richard, who disclosed it to Microsoft, had planned to hold off publishing until a fix shipped, but with two other security researchers having independently identified and published exploits, he said he was detailing the issue to help blue teams defend against it.

Richard discovered that he could have malicious code executed by Microsoft’s legitimate, signed update binary, making this a living off the land attack: no attacker tooling needs to run on the host, only the vendor’s own updater.

Doing this requires no special privileges, because the updater lives in the user’s own profile directory; and if the application itself has control over system files, access and privileges can be escalated with ease.

Microsoft Teams Vulnerability

Using the vulnerability, any threat actor can trick the application’s update function into downloading and running whatever malicious code they wish, with Microsoft’s own signed binary doing the work.

Essentially the attack involves taking any Squirrel .nupkg package (a ZIP archive), extracting it, and inserting the attacker’s payload executable into it under the name ‘squirrel.exe’.

Once a threat actor has created a suitable package, they go to the target application folder and run update.exe with an update source that points at the crafted package. The application then ‘updates’ itself: it downloads the malicious package containing the payload into its ‘packages’ folder and launches the squirrel.exe found inside it.

Richard wrote in a security blog update on the vulnerability that: “I decided finally to make it public since I spent most of the time in this and without fixing this, the adversaries/insiders likely use this technique for EDR/IDS evasion, So this post will make the blueteam-defense team aware of this situation.”
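For the blue teams Richard refers to, the following is a detection that can be run over process-creation telemetry. It is an added example for this page, not the article’s code and not Richard’s proof of concept. It assumes Sysmon-style event fields (Image, CommandLine, ParentImage, ProcessId), that Squirrel’s Update.exe receives its update source through a `--update=` (or `--updateRollback=`) switch, a hypothetical allowlisted vendor update host `update.example-vendor.com`, and a handful of sample events constructed inline. Rule one flags update.exe launched with an update source that is a local path, a UNC share or a host outside the allowlist; rule two is a heuristic for a squirrel.exe launched by update.exe from the ‘packages’ folder the article describes.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist: the hosts a legitimate Squirrel update should come from.
# Replace with the vendor update hosts observed in your own telemetry.
TRUSTED_UPDATE_HOSTS = {"update.example-vendor.com"}

# Squirrel's Update.exe takes its update source as --update=<url or path>
# (and --updateRollback=<...>). The switch names are an assumption of this
# example, not taken from the article, so tune the pattern against real telemetry.
UPDATE_ARG = re.compile(r'--update(?:Rollback)?=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating both / and \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def update_source(command_line: str):
    """Return the value passed to --update= / --updateRollback=, or None if absent."""
    m = UPDATE_ARG.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify_source(source: str):
    """Return a reason string if the update source looks suspicious, else None."""
    parsed = urlparse(source)
    if parsed.scheme in ("http", "https"):
        host = (parsed.hostname or "").lower()
        if host in TRUSTED_UPDATE_HOSTS:
            return None
        return f"update source host not allowlisted: {host}"
    # A local directory, UNC share or bare path means the package was staged by
    # whoever ran the command, which is exactly the technique described above.
    return f"update source is not an http(s) URL: {source}"


def evaluate(event: dict) -> list:
    """Apply both rules to one process-creation event; returns (rule, reason) tuples."""
    image = event.get("Image", "")
    parent = basename(event.get("ParentImage", ""))
    findings = []
    # Rule 1: update.exe pointed at an untrusted update source.
    if basename(image) == "update.exe":
        source = update_source(event.get("CommandLine", ""))
        if source is not None:
            reason = classify_source(source)
            if reason:
                findings.append(("squirrel-update-source", reason))
    # Rule 2 (heuristic): the payload is named squirrel.exe, lands under the app's
    # 'packages' folder and is launched by update.exe. Baseline this against normal
    # Squirrel update activity before turning it into an alert.
    if basename(image) == "squirrel.exe" and parent == "update.exe" and "\\packages\\" in image.lower():
        findings.append(("squirrel-payload-exec",
                         "squirrel.exe launched by update.exe from a packages folder"))
    return findings


def scan(events) -> list:
    """Run evaluate() over a batch; returns (ProcessId, rule, reason) triples."""
    return [(e["ProcessId"], rule, reason) for e in events for rule, reason in evaluate(e)]


TEAMS = "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Teams"

# Constructed Sysmon-style events for the demo; these are not real telemetry.
SAMPLE_EVENTS = [
    # benign: updater fetching from the allowlisted vendor host
    {"ProcessId": 4100, "Image": TEAMS + "\\update.exe", "ParentImage": TEAMS + "\\current\\Teams.exe",
     "CommandLine": '"' + TEAMS + '\\update.exe" --update=https://update.example-vendor.com/teams/'},
    # suspicious: update source is a local directory staged by the user
    {"ProcessId": 4200, "Image": TEAMS + "\\update.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"' + TEAMS + '\\update.exe" --update=C:\\Users\\bob\\AppData\\Local\\Temp\\pkgs'},
    # suspicious: update source is an http host outside the allowlist
    {"ProcessId": 4300, "Image": TEAMS + "\\update.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"' + TEAMS + '\\update.exe" --update=http://203.0.113.5/pkgs/'},
    # suspicious: squirrel.exe run by update.exe from the packages folder
    {"ProcessId": 4400, "Image": TEAMS + "\\packages\\SquirrelTemp\\squirrel.exe",
     "ParentImage": TEAMS + "\\update.exe",
     "CommandLine": '"' + TEAMS + '\\packages\\SquirrelTemp\\squirrel.exe"'},
    # benign: unrelated process
    {"ProcessId": 4500, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, rule, reason in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {reason}")
```

Run as a script it prints the three flagged sample events (4200, 4300 and 4400). The allowlist should be populated from the update hosts actually observed for Teams and the other Squirrel-based applications on the estate, and the second rule needs baselining against legitimate update activity before it is promoted to an alert; a signed squirrel.exe extracted by a genuine update and an attacker’s renamed payload look the same to a path-based heuristic, so pair it with code-signing checks on the child image.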

Microsoft has been contacted for comment.

