Using Microsoft Teams GIFs really is an awful idea

Microsoft Teams Rooms
(Image credit: Microsoft)

Microsoft Teams users are currently able to share GIF files to more accurately describe their emotions to their colleagues - however experts have warned that cybercriminals can also use them to execute malicious commands and steal sensitive data without being spotted by antivirus tools.

Cybersecurity consultant and pentester Bobby Rauch discovered a couple of vulnerabilities in the video conferencing platform that, when chained together, can result in data exfiltration and malicious code execution. 

It’s quite the endeavor, too, as the attacker needs to do a number of things, including getting the victim to first download and install a malicious stager capable of executing commands and uploading command output via GIF urls to Microsoft Teams web hooks. The stager will scan Microsoft Teams logs where, allegedly, all received messages are saved and readable by all Windows user groups, regardless of their privilege levels. 

Using the stager

After setting up the stager, the attacker would need to create a new Teams tenant, and reach out to other Teams members outside the organization. This, the researcher says, isn’t that challenging, given that Microsoft allows external communication by default. Then, by using the researcher’s Python script called GIFShell, the attacker can send out a malicious .GIF file capable of executing commands on the target endpoint.

Both the message, and the .GIF file, will end up in the logs folder, under the watchful eye of the stager. This tool will then extract the commands from the .GIF and run them on the device. The GIFShell PoC can then use the output and convert it to base64 text, and use that as a filename for a remote .GIF, embedded in a Microsoft Teams Survey Card. The stager then submits that card to the attacker’s public Microsoft Teams web hook. Then, Microsoft’s servers will connect back to the attacker’s server URL to retrieve the .GIF. GIFShell will then receive the request and decode the filename, giving the threat actor clear visibility of the output of the command run on the target endpoint.

The researcher also added that there’s nothing stopping the attackers from sending out as many GIFs as they like, each with different malicious commands. What’s more, given that the traffic seemingly comes from Microsoft’s own servers, it will be deemed legitimate by cybersecurity tools, and not flagged.

When notified of the findings, Microsoft said it wouldn’t address them, as they’re not necessarily bypassing security boundaries. 

"For this case, 72412, while this is great research and the engineering team will endeavor to improve these areas over time, these all are post exploitation and rely on a target already being compromised," Microsoft apparently told Rauch. 

"No security boundary appears to be bypassed.  The product team will review the issue for potential future design changes, but this would not be tracked by the security team."

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.