Microsoft Teams for macOS Local Privilege Escalation

Microsoft Teams for macOS Local Privilege Escalation

This blog post shares the details of a vulnerability Offensive Security discovered in the XPC service of Microsoft Teams. Although Microsoft secured these services reasonably well, we will see how small code mistakes can have serious impacts.


We reported the issue to MSRC, but unfortunately Microsoft decided that  “the finding is valid but does not meet our bar for immediate servicing.” While they have since hardened the XPC service, it remains exploitable.


Root cause of the Vulnerability


The vulnerability is the result of two distinct issues, which if combined, result in an exploitable scenario. They are: 


  Insecure XPC connection validation
  User control of the installation package and insufficient package signature validation

The XPC service is launched via the /Library/LaunchDaemons/com.microsoft.teams.TeamsUpdaterDaemon.plist file.



% sudo plutil -convert xml1 /Library/LaunchDaemons/com.microsoft.teams.TeamsUpdaterDaemon.plist -o -

Label

com.microsoft.teams.TeamsUpdaterDaemon

MachServices

     com.microsoft.teams.TeamsUpdaterDaemon

    

Program

/Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon



Listing 1 – Microsoft Teams Updater launchd file


It contains a Mach service name, com.microsoft.teams.TeamsUpdaterDaemon with the executable path /Applications/MicrosoftTeams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon. This is a highly unusual location, as similar services are normally installed under the /Library/PrivilegedHelperTools/ directory.


If we open this binary file with Hopper (or any other disassembler), we can start our investigation with the shouldAcceptNewConnection: method. This method is normally responsible for controlling connection access to the XPC service.



/* @class ServiceDelegate */

-(char)listener:(void *)arg2 shouldAcceptNewConnection:(void *)arg3 {

r12 = ..