Multiple vulnerabilities in Microsoft Teams could spoof URLs, disclose IP addresses

Only one of the issues has been fixed so far

Security vulnerabilities in Microsoft Teams could allow an attacker to spoof link previews, disclose IP addresses, and even gain access to internal services.

In total, four vulnerabilities in the video conferencing application were discovered by a team of security researchers from Positive Security, who revealed the results in a blog post released today (December 22).

They “stumbled upon” the issues while researching Team’s URL preview feature for another unrelated exploit, researcher Fabian Bräunlein said. The daily sip.

Learn about the latest news on security vulnerabilities

The four outcomes are a Server Side Request Forgery (SSRF) vulnerability and URL spoofing bug in the web and desktop application, and for Android users, an IP address leak vulnerability and a denial of service (DoS).

In the Microsoft Teams URL preview feature, the URL is not filtered which could lead to a limited SSRF which could disclose information such as response time, code, size, and data open graphics, the researchers explained.

This could be used for scanning internal ports and sending HTTP-based exploits to discovered web services.

Bräunlein said The daily sip: “An attacker could use SSRF to search for internal HTTP services and send requests with the Log4Shell payload in the request URI to everyone to try to exploit vulnerable services that cannot be accessed from the Internet.”

READ MORE “Log4Shell” vulnerability poses a critical threat to applications using the “ubiquitous” Apache Log4j Java logging package

The team also explained that the preview link target can be set to any location regardless of the primary link, preview image and description, displayed hostname, or text from. flyover.

This could allow a malicious actor to direct the user to a scam website under the guise of the URL shown on the preview, opening the door to a host of activities.

Android issues

Researchers also discovered two security vulnerabilities that specifically affected Android users.

Firstly, there is an IP address leakage vulnerability in Android that could, as the name suggests, expose user’s IP details.

The blog reads: “When creating a link preview, the backend retrieves the referenced preview thumbnail and makes it available from a Microsoft domain.

“This ensures that the IP address and user agent data is not disclosed when the receiving client loads the tile.

“However, by intercepting the sending of the message, it is possible to point the URL of the thumbnail to a non-Microsoft domain.

“The Android client does not verify the domain / does not have a CSP restricting allowed domains and loads the thumbnail image from any domain.”

Secondly, there is a DoS attack vulnerability in the Android version of Teams that could cause the app to be unusable in certain channels with a specially crafted message.

Open to operate

So far, Microsoft has only fixed one of the vulnerabilities, the IP address problem in Android.

Bräunlein said based on the list of unpatched vulnerabilities, DoS “could get annoying,” but the problem of identity theft is more likely to be used in serious attacks.

The researcher adds: “Regarding the problem of identity theft, our advice is to double-check the URL in the address bar of the browser after following a link. It’s always a good idea, but now especially important when the link was opened through Teams.

“We don’t know of any way for users to protect themselves against Android DoS. However, if such a message renders a channel unusable, we suggest that you log in through the Teams web / desktop app, delete the malicious message from there, and potentially block the user who sent the message.

The daily sip has contacted Microsoft for comment on the unpatched vulnerabilities and will update this article accordingly.

ADVISED Log4j: Security Professionals Call For Urgent Patch Implementation As Exploitation In The Wild Continues

Comments are closed.