Security researcher Bobby Rauch identified seven different vulnerabilities in Microsoft Teams. Chained together, these flaws enable a new attack technique named GIFShell. A GIFShell attack establishes a reverse shell between a victim user and an attacker: the attacker's commands are embedded in crafted GIFs, and the victim's responses travel back inside Teams traffic. Because all messages are sent and received through the Teams API and Microsoft's own servers, EDR and other network monitoring tools cannot detect this activity.
Below are the seven different vulnerabilities that result in a GIFShell attack:
- An external attacker can send attachments to a user, because Microsoft Teams allows external Teams collaboration by default, which bypasses the tenant's security controls.
- Microsoft Teams stores received messages in plain text in a log file that is readable with low privileges, so an attacker's code running as the user can scan it. The log file location is $HOME\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log.
- Microsoft Teams renders GIFs through Microsoft Teams cards. This lets an attacker trigger out-of-band HTTP and DNS requests that attempt to fetch these crafted GIFs. The requests are not detected, because the data exfiltration passes through Microsoft's servers.
- Microsoft Teams does not validate base64-encoded GIFs, so malicious commands can be sent inside a GIF.
- Microsoft Teams message-sending requests have no CSRF protection or rate limiting, so an attacker can craft and re-send malicious requests repeatedly.
- Requests that post a Microsoft Teams card to a channel through a webhook are not validated, so any crafted data can be sent through the card.
When these flaws are chained together, the result is a GIFShell attack.
The attacker runs a client-side server (stager) on the victim's machine, delivered beforehand through some social engineering technique. The stager continuously monitors the log file ($HOME\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log) to which Microsoft Teams writes the messages the victim receives. The stager can read the logs because the log file has low privileges.
While scanning the log file, the stager looks for an encoded GIF received by the victim as a message. It checks whether the C&C server sent any commands, executes them, and responds with an encoded URL as explained below.
A Microsoft Teams card renders a GIF by sending a request of the form "https://urlp.asm.skype.com/v1/url/content?url=HTTP-GIF-LOCATION.gif", which Microsoft Teams does not validate.
As a result, the client-side server (stager) appends the encoded command output to a URL that will be sent to the attacker's IP, as follows.
The generated URL is placed in a Microsoft Teams card and sent to the attacker's channel in Microsoft Teams through a webhook (a webhook is a way for one application to deliver data to another application in real time). While the card is being sent, Microsoft Teams issues a GET request to the attacker's IP through the following URL.
The command and control (C2) server running on the attacker's machine listens for these incoming GET requests. As soon as a GET request arrives, the C2 server extracts the response the client machine sent through the Microsoft Teams card. The attacker thereby receives the output of the command sent through the encoded GIF.
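The victim side of this flow leaves two artifacts the post describes: a GIF pulled through the urlp.asm.skype.com content proxy from a host the attacker controls, and command data carried as base64 inside a message body. The following is an added example, not code from the original post or from the researcher, showing how a defender can turn those two artifacts into a detection heuristic over Teams message records. The sample records are constructed, and $ApprovedGifHosts is an assumed tenant-specific allow-list of sanctioned GIF sources.

```powershell
# Added example, not code from the original post. Flags Teams message records
# that (1) fetch GIF content through the urlp.asm.skype.com proxy from a host
# outside an allow-list, or (2) carry a long base64 run in the message body.
# Sample records are constructed; real IndexedDB leveldb files are binary and
# would need to be read with Get-Content -Raw before applying this logic.

$ApprovedGifHosts = @('media.giphy.com', 'media.tenor.com')   # assumption: tenant's sanctioned GIF origins

function Test-SuspiciousTeamsRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()

    # Artifact 1: card/GIF content fetched via the Teams proxy URL format given in
    # the post, pointing at an origin that is not on the allow-list.
    $proxyPattern = 'https://urlp\.asm\.skype\.com/v1/url/content\?url=([^"\\\s]+)'
    foreach ($m in [regex]::Matches($Record, $proxyPattern)) {
        $target = [uri]::UnescapeDataString($m.Groups[1].Value)
        $targetHost = $null
        try { $targetHost = ([uri]$target).Host } catch { }
        if (-not $targetHost -or $ApprovedGifHosts -notcontains $targetHost) {
            $findings += "GIF proxied from non-approved origin: $target"
        }
    }

    # Artifact 2: a base64 run of 192+ characters inside a message body. Rendered
    # GIFs are referenced by URL, so inline base64 of this size is unusual in chat.
    if ($Record -match '(?:[A-Za-z0-9+/]{4}){48,}={0,2}') {
        $findings += "Base64 blob of $($Matches[0].Length) chars embedded in message"
    }
    return ,$findings
}

# Constructed sample records (JSON-like, not real Teams log content).
$samples = @(
    '{"from":"alice@corp.example","content":"<img src=\"https://urlp.asm.skype.com/v1/url/content?url=https%3A%2F%2Fmedia.giphy.com%2Fmedia%2Fabc123%2Fgiphy.gif\">"}',
    '{"from":"outsider@ext.example","content":"<img src=\"https://urlp.asm.skype.com/v1/url/content?url=https%3A%2F%2F203.0.113.10%2Fx.gif\">"}',
    ('{"from":"outsider@ext.example","content":"' + ('QUFB' * 60) + '"}')
)

foreach ($s in $samples) {
    $hits = Test-SuspiciousTeamsRecord -Record $s
    if ($hits.Count -gt 0) {
        Write-Output "ALERT: $($hits -join '; ')"
    } else {
        Write-Output 'clean'
    }
}
```

Run as written, the first record is reported clean, the second is flagged for a GIF proxied from 203.0.113.10, and the third for the embedded base64 blob. Both rules are heuristics: the allow-list must reflect the GIF providers the tenant actually permits, and the base64 length threshold should be tuned against a sample of legitimate messages before alerting on it.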
Exploitation Credit: Mohamed Faiz (@mohamed)
Protection Against the GIFShell Attack
- Disable external access: By default, Microsoft Teams allows external users to send messages to tenant users. Many organization admins are not even aware that their organization allows external Teams collaboration. The external access feature lets Teams users from outside the organization find, call, chat with, and set up meetings with tenant users.
- Disable external domain access: Microsoft Teams provides options to block all external domains or to allow only specific external domains.
- Disable "unmanaged external Teams" conversations: Restrict Teams users from communicating with unmanaged external Teams accounts.
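The three controls above are tenant federation settings, which a Teams administrator applies with the Microsoft Teams PowerShell module. The following is an added example, not the post's own code. It assumes the module is installed and Connect-MicrosoftTeams is run by a Teams administrator; the partner domain names are placeholders, and mapping the post's "unmanaged external Teams" control to the AllowTeamsConsumer / AllowTeamsConsumerInbound settings is this example's reading of the post.

```powershell
# Added example, not from the original post. Applies the three recommended
# controls through the Microsoft Teams PowerShell module. Requires a Teams
# administrator session; domain names below are placeholders.
Connect-MicrosoftTeams

# Record the current federation settings before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound

# Choose one of the two external-access postures:
#   $false -> control 1: disable external access outright
#   $true  -> control 2: keep external access, but only for an allow-list of domains
$UseAllowList = $true

if (-not $UseAllowList) {
    # Control 1: no federated find/call/chat/meet from any outside organization.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
} else {
    # Control 2: allow-list specific partner domains; every other domain is blocked.
    $partners = @('partner-one.example', 'partner-two.example') |   # placeholders
        ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $partners
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList
}

# Control 3: stop Teams accounts not managed by an organization (personal
# accounts) from contacting tenant users or starting conversations with them.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Verify the resulting configuration.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Settings made with Set-CsTenantFederationConfiguration can take some time to propagate to all clients, so re-run the verification step after the change has had time to apply before relying on it.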
Use our Advanced Vulnerability Management solution to ensure your organization’s devices are fully compliant, secure, and updated.