Multiple vulnerabilities in Microsoft Teams could spoof URLs, leak IP addresses

So far only one issue has been fixed


Security vulnerabilities in Microsoft Teams could allow an attacker to spoof link previews, leak IP addresses, and even access internal services.

A team of security researchers at Positive Security discovered a total of four vulnerabilities in the video conferencing application and disclosed the findings in a blog post published today (December 22).

They “stumbled upon” the issues while investigating the Teams URL preview feature for another, unrelated exploit, researcher Fabian Bräunlein told The Daily Swig.


The four findings are a server-side request forgery (SSRF) vulnerability and a URL preview spoofing bug in the desktop and web applications, and, for Android users, an IP address leak vulnerability and a denial-of-service (DoS) vulnerability.

In the Microsoft Teams URL preview feature, the URL is not filtered, which could lead to a limited SSRF that could leak information such as response time, code, size, and Open Graph data, the researchers explained.

This could be used to scan internal ports and send HTTP-based exploits to the discovered web services.

Bräunlein told The Daily Swig: “An attacker could use SSRF to find internal HTTP services and send requests with the Log4Shell payload in the request URI to all of them to try to exploit vulnerable services that are not accessible from the Internet.”


The team also explained that the preview link destination can be set to any location regardless of the main link, preview image and description, displayed hostname, or hover text.

This could allow a malicious actor to direct the user to a fraudulent website under the guise of the URL shown in the preview, opening the door to a number of activities.

Android problems

The researchers also found two security flaws that specifically affected Android users.

First of all, there is an IP address leak flaw in Android that could, as the name suggests, expose the user’s IP details.

The blog says: “When you preview a link, the backend fetches the referenced preview thumbnail and makes it available to a Microsoft domain.

“This ensures that the IP address and user agent data is not leaked when the receiving client loads the thumbnail.

“However, by intercepting the delivery of the message, it is possible to point the thumbnail URL to a non-Microsoft domain.

“Android client does not verify domain / does not have a CSP that restricts allowed domains and loads thumbnail image of any domain.”

Second, there is a DoS vulnerability in the Android version of Teams that could render certain channels in the app unusable with a specially crafted message.

Open to exploitation

Microsoft has so far only patched one of the vulnerabilities, the IP address issue in Android.

Bräunlein said that from the list of unpatched vulnerabilities, the DoS “could get annoying,” but that the spoofing problem is more likely to be used in serious attacks.

The researcher added: “On the topic of spoofing, our advice is to double-check the URL in the browser’s address bar after you’ve followed a link. This is always a good idea, but it is especially important now when the link was opened through Teams.

“We don’t know of a way for users to protect themselves against the Android DoS. However, should such a message leave a channel unusable, we suggest logging in through the Teams desktop / web app, removing the malicious message from there, and potentially blocking the user who sent the message.”

The Daily Swig has contacted Microsoft for comment on the unpatched vulnerabilities and will update this article accordingly.
