AL2022_60 Design flaws in Microsoft Teams allows for GIFShell attack using GIFs (19th September, 2022)

Description  

Several design flaws/vulnerabilities in Microsoft Teams allow threat actors to carry out phishing attacks, covertly execute malicious codes and exfiltrate data using GIFs.  

How it works? 

A cybersecurity consultant and pen tester by the name of Bobby Rauch found several vulnerabilities in Microsoft Teams that can be chained together to grant command execution, data exfiltration, phishing attacks and security bypass. 

The security flaws and vulnerabilities found in Microsoft Teams were as follows: 

  1. Microsoft Teams by default allows external users to send messages to Teams’ users within an organization. 

  1. Microsoft Teams messages are stored in plain text in a log file locally on the machine and can be accessible by a low privileged user. 

  1. GIFs included in Microsoft Teams Cards are rendered by Teams itself, on behalf of the end user. By doing this, it allows for Out of Bounds HTTP and DNS requests to be sent from Microsoft infrastructure. The URL responsible for carrying out these lookups is:  https://urlp.asm.skype.com/v1/url/content?url=<attacker-public-ip>/<exfiltrated-data>.gif 

  1. Microsoft Teams supports HTML base64 encoded GIFs but does not scan the byte content of those GIFs, thus allowing malicious commands to be embedded and delivered within a normal-looking GIF. 

  1. Attachments can be modified to have users download files from an external URL rather than the generated SharePoint link from Microsoft Teams. 

  1. Microsoft Teams attachments can be spoofed to appear as harmless files but can be used to download a malicious executable or document. 

The main stage of this attack is called the GIFShell which allows an attacker to create a reverse shell in Teams that can deliver malicious codes and commands via base64 encoded GIFs and exfiltrate data through those same GIFs retrieved by Microsoft’s own servers.  

To initiate the reverse shell, a malicious stager must be installed on the victim’s machine that can execute and upload commands via a GIF URL to a Microsoft Teams web hook. The stager will search and continuously scan the Teams log file that stores all received messages. To initiate the attack, a threat actor can use a special script to send a message to a Microsoft Teams user that contains a legitimate GIF that can be modified with commands to be executed on the victim’s machine. The message and GIF received will be stored in the Microsoft Teams log file which the stager is actively monitoring. When the stager detects a message with the modified GIF, it extracts the base64 encoded commands and executes them on the victim’s machine. Any output of the executed command will be converted to base64 text by the shell. The base64 text will be used as the filename for a remote GIF embedded in a Microsoft Teams Survey Card that is submitted to the attacker’s public Microsoft Teams web hook by the stager. Because Microsoft Teams renders flash cards for users, the Microsoft servers will connect to the attacker’s server URL to retrieve the GIF which is named using the base64 output filename. The GIFShell server activated on the attacker’s server will receive the request and decode the filename and display the output from the victim’s machine. 

This attack chain allows the GIFShell attack to covertly execute commands and exfiltrate data. This is done by mixing the output of commands with legitimate Microsoft Teams network traffic as these requests are made by the Microsoft website (‘urlp.asm.skype.com’).  It will be seen as legitimate traffic and not be detected by security software. 

Remediation 

Microsoft has acknowledged the vulnerabilities but has decided that they are not issues to be fixed immediately. However, to help circumvent this type of attack, users are advised to follow the steps below: 

  1. Turn off the default external access settings in the Teams Admin Center, and if there is the need to communicate with external contacts, do so through Teams guest access functionality. 

  1. Monitor for unusual access to Microsoft Teams’ log file. 

  1. Monitor for unusual requests sent to the Teams GIF lookup server, particularly for suspicious long GIF filenames which might be exfiltrated data in base64. 

PDF Download: Design flaws in Microsoft Teams allows for GIFShell attack.pdf

References