Microsoft Teams for macOS Local Privilege Escalation

This blog post shares the details of a vulnerability Offensive Security discovered in the XPC service of Microsoft Teams. Although Microsoft secured these services reasonably well, we will see how small code mistakes can have serious impacts.

We reported the issue to MSRC, but unfortunately Microsoft decided that “the finding is valid but does not meet our bar for immediate servicing.” While they have since hardened the XPC service, it remains exploitable.

Root cause of the Vulnerability

The vulnerability is the result of two distinct issues which, when combined, result in an exploitable scenario. They are:

  Insecure XPC connection validation
  User control of the installation package and insufficient package signature validation

The XPC service is launched via the /Library/LaunchDaemons/ file.

% sudo plutil -convert xml1 /Library/LaunchDaemons/ -o -






Listing 1 – Microsoft Teams Updater launchd file

It contains a Mach service name, with the executable path /Applications/ This is a highly unusual location, as similar services are normally installed under the /Library/PrivilegedHelperTools/ directory.
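The location check described above can be automated when auditing a Mac's LaunchDaemons. The following is an added example, not code from the original post or from Microsoft; the function names, the com.example.updater label and the sample paths are constructed placeholders.

```python
import plistlib
from pathlib import PurePosixPath

# Directory the article names as the usual home of privileged helpers.
EXPECTED_DIR = PurePosixPath("/Library/PrivilegedHelperTools")

def daemon_executable(job):
    """launchd runs Program if set, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None

def audit_launchd_job(plist_bytes):
    """Return a list of findings for one LaunchDaemon plist (XML or binary)."""
    job = plistlib.loads(plist_bytes)
    services = sorted(job.get("MachServices") or {})
    if not services:
        return []  # no Mach service advertised, out of scope for this check
    exe = daemon_executable(job)
    if exe is None:
        return [f"{job.get('Label')}: Mach service without an executable path"]
    path = PurePosixPath(exe)
    # PurePosixPath does not resolve "..", so a path containing it is
    # treated as outside the expected directory.
    in_expected = EXPECTED_DIR in path.parents and ".." not in path.parts
    findings = []
    if not in_expected:
        findings.append(f"{job.get('Label')}: {exe} serves {', '.join(services)} "
                        f"from outside {EXPECTED_DIR}")
    return findings

def _sample(program):
    # Constructed plist; label and paths are placeholders, not from the article.
    return plistlib.dumps({"Label": "com.example.updater",
                           "MachServices": {"com.example.updater": True},
                           "Program": program})

SAMPLE_APP_BUNDLE = _sample("/Applications/Example.app/Contents/Helpers/updater")
SAMPLE_HELPER_DIR = _sample("/Library/PrivilegedHelperTools/com.example.updater")
SAMPLE_DOTDOT = _sample("/Library/PrivilegedHelperTools/../../tmp/updater")

if __name__ == "__main__":
    for blob in (SAMPLE_APP_BUNDLE, SAMPLE_HELPER_DIR, SAMPLE_DOTDOT):
        print(audit_launchd_job(blob) or "ok")
```

On a real system the same function can be fed the bytes of each file under /Library/LaunchDaemons/; a finding is a prompt to review that service's connection validation, not proof of a flaw.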

If we open this binary file with Hopper (or any other disassembler), we can start our investigation with the shouldAcceptNewConnection: method. This method is normally responsible for controlling connection access to the XPC service.

/* @class ServiceDelegate */

-(char)listener:(void *)arg2 shouldAcceptNewConnection:(void *)arg3 {

r12 = ..