Talos Vulnerability Report

TALOS-2024-1973

Microsoft Teams (work or school) for macOS library injection vulnerability

August 19, 2024
CVE Number

CVE-2024-42004

SUMMARY

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams’s access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application’s permissions.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Microsoft Teams (work or school) 24046.2812.2722.8193 for macOS

PRODUCT URLS

Teams (work or school) - https://www.microsoft.com/en/microsoft-teams

CVSSv3 SCORE

7.1 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

DETAILS

Microsoft Teams is a comprehensive collaboration platform within the Microsoft 365 suite, designed to facilitate workplace communication, video conferencing, file sharing, and integration with other Office applications.

Microsoft Teams (work or school), from now Teams, loads multiple libraries through relative path:

$ otool -L "/Applications/Microsoft Teams (work or school).app/Contents/MacOS/MSTeams"
/Applications/Microsoft Teams (work or school).app/Contents/MacOS/MSTeams:
    /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 2487.30.104)
    [...]
    @rpath/OneAuth.framework/Versions/A/OneAuth (compatibility version 1.101.2, current version 1.101.2)
    /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
    /usr/lib/libcharset.1.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1336.61.1)
    /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
    @rpath/libSlimCoreWebview2.dylib (compatibility version 0.0.0, current version 0.0.0)
    @rpath/MacRenderer.framework/Versions/A/MacRenderer (compatibility version 0.0.0, current version 0.0.0)
    @rpath/MSWebView2.framework/MSWebView2 (compatibility version 0.0.0, current version 0.0.0)
    [...]
    /System/Library/Frameworks/UniformTypeIdentifiers.framework/Versions/A/UniformTypeIdentifiers (compatibility version 1.0.0, current version 709.0.0)

In this case the location is relative to the main executable /Applications/Microsoft Teams (work or school).app/Contents/MacOS/MSTeams. Furthermore, Teams has a big number of entitlements that allow the program to offer its various functionalities:

$ codesign -dv --entitlements -  "/Applications/Microsoft Teams (work or school).app"
Executable=/Applications/Microsoft Teams (work or school).app/Contents/MacOS/MSTeams
Identifier=com.microsoft.teams2
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=164256 flags=0x10000(runtime) hashes=5122+7 location=embedded
Signature size=9012
Timestamp=20 Mar 2024 at 22:54:32
Info.plist entries=32
TeamIdentifier=UBF8T346G9
Runtime Version=14.2.0
Sealed Resources version=2 rules=13 files=143
Internal requirements count=1 size=180
[Dict]
    [Key] com.apple.application-identifier
    [Value]
        [String] UBF8T346G9.com.microsoft.teams2
    [Key] com.apple.developer.team-identifier
    [Value]
        [String] UBF8T346G9
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    [Key] com.apple.security.application-groups
    [Value]
        [Array]
            [String] UBF8T346G9.com.microsoft.teams
            [String] UBF8T346G9.com.microsoft.oneauth
    [Key] com.apple.security.cs.allow-unsigned-executable-memory
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.device.audio-input
    [Value]
        [Bool] true
    [Key] com.apple.security.device.bluetooth
    [Value]
        [Bool] true
    [Key] com.apple.security.device.camera
    [Value]
        [Bool] true
    [Key] com.apple.security.device.microphone
    [Value]
        [Bool] true
    [Key] com.apple.security.device.print
    [Value]
        [Bool] true
    [Key] com.apple.security.device.usb
    [Value]
        [Bool] true
    [Key] com.apple.security.files.bookmarks.app-scope
    [Value]
        [Bool] true
    [Key] com.apple.security.files.downloads.read-write
    [Value]
        [Bool] true
    [Key] com.apple.security.files.user-selected.read-write
    [Value]
        [Bool] true
    [Key] com.apple.security.network.client
    [Value]
        [Bool] true
    [Key] com.apple.security.network.server
    [Value]
        [Bool] true
    [Key] com.apple.security.personal-information.location
    [Value]
        [Bool] true
    [Key] com.apple.security.print
    [Value]
        [Bool] true
    [Key] com.apple.security.temporary-exception.sbpl
    [Value]
        [Array]
            [String] (allow mach-lookup (global-name "com.apple.mdmclient.daemon.unrestricted"))
            [String] (allow mach-lookup (global-name "com.apple.ReportCrash"))
            [String] (allow mach-lookup (global-name "com.microsoft.teams2.launcher"))
            [String] (allow ipc-posix-sem* (ipc-posix-name-prefix "/Smartscreen-anaheim"))
            [String] (allow mach-register mach-lookup (global-name-prefix "com.microsoft.edgemac.mojo"))
            [String] (allow mach-register mach-lookup (global-name-prefix "org.chromium.crashpad.child_port_handshake"))
            [String] (allow mach-register mach-lookup (global-name-prefix "com.microsoft.teams2.helper.local.MachPortRendezvousServer"))
            [String] (allow mach-register mach-lookup (global-name-prefix "com.microsoft.teams2.helper.MachPortRendezvousServer"))
            [String] (allow mach-register mach-lookup (global-name-prefix "mach.renderer.receiver"))
            [String] (allow mach-register mach-lookup (global-name-prefix "mach.streamrender"))
            [String] (allow file-read* file-write* (subpath "/dev/fd"))
            [String] (allow file-read* file-write* (subpath "/private/var/folders"))
            [String] (allow file-read* (home-subpath "/Library/Logs/DiagnosticReports"))
            [String] (allow user-preference-read (preference-domain "com.apple.mdmclient"))
            [String] (allow user-preference-read (preference-domain "com.apple.SystemConfiguration"))
            [String] (allow user-preference* (preference-domain "com.microsoft.teams2.defaults"))
            [String] (allow user-preference* (preference-domain "com.microsoft.teams2.helper"))
            [String] (allow user-preference* (preference-domain "com.microsoft.autoupdate2"))
            [String] (allow user-preference-read (preference-domain "com.microsoft.office"))
            [String] (allow network* (remote unix))
            [String] (allow process-exec* (literal "/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate"))
            [String] (allow mach-lookup (global-name "com.microsoft.update.xpc"))
            [String] (allow signal (target-signing-identifier "com.microsoft.teams2.launcher"))
            [String] (allow distributed-notification-post)
            [String] (allow job-creation)
            [String] (allow iokit-open (iokit-registry-entry-class-prefix "AppleSMC"))
    [Key] keychain-access-groups
    [Value]
        [Array]
            [String] UBF8T346G9.com.microsoft.identity.universalstorage

The program is compiled using the Hardened Runtime, a security feature which aims, among other things, to prevent dynamically linked library hijacking.
However, the program includes this specific entitlement:

[Key] com.apple.security.cs.disable-library-validation
[Value]
    [Bool] true

With this entitlement enabled, the program’s defense against library hijacking is effectively nullified, as it allows the loading of unsigned dynamic libraries. This is an issue because a malicious application could could leverage Teams’s permissions without proper authorization.

Indeed, an attacker could copy the application into a controllable location and perform a library injection to use the entitlements of the application. So, an attacker could potentially take pictures, record audio, exfiltrate data, and more.
In scenarios where the attacker leverages permissions already granted to Teams, or when Apple Events are sent to the other Microsoft apps under the scope of the com.apple.security.temporary-exception.apple-events entitlement, the system will not display a pop-up permission prompt, executing actions straightaway.
However, in cases where the required permission hasn’t yet been granted, the Microsoft Teams app will initiate the request. This could lead users to potentially grant the permission based on their trust in the Microsoft app.

Because of the use of the com.apple.security.cs.disable-library-validation entitlement set to true, a malicious application could perform a library injection in Microsoft Teams without any special permission.

VENDOR RESPONSE

Microsoft fixed this issue in version 24124.1412.2911.3341

TIMELINE

2024-04-16 - Vendor Disclosure
2024-06-07 - Vendor Patch Release
2024-08-19 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.