This blog post shares the details of a vulnerability Offensive Security discovered in the XPC service of Microsoft Teams. Although Microsoft secured these services reasonably well, we will see how small code mistakes can have serious impacts.
We reported the issue to MSRC, but unfortunately Microsoft decided that “the finding is valid but does not meet our bar for immediate servicing.” While they have since hardened the XPC service, it remains exploitable.
Root cause of the vulnerability
The vulnerability is the result of two distinct issues which, when combined, produce an exploitable scenario. They are:
Insecure XPC connection validation
User control of the installation package and insufficient package signature validation
The XPC service is launched via the /Library/LaunchDaemons/com.microsoft.teams.TeamsUpdaterDaemon.plist file.
% sudo plutil -convert xml1 /Library/LaunchDaemons/com.microsoft.teams.TeamsUpdaterDaemon.plist -o -
Label
com.microsoft.teams.TeamsUpdaterDaemon
MachServices
com.microsoft.teams.TeamsUpdaterDaemon
Program
/Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon
Listing 1 – Microsoft Teams Updater launchd file
It registers the Mach service name com.microsoft.teams.TeamsUpdaterDaemon and points to the executable /Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon. This is a highly unusual location, as similar privileged services are normally installed under the /Library/PrivilegedHelperTools/ directory.
If we open this binary in Hopper (or any other disassembler), we can start our investigation with the listener:shouldAcceptNewConnection: delegate method. This method is normally responsible for deciding whether a connecting client is allowed to talk to the XPC service.
/* @class ServiceDelegate */
-(char)listener:(void *)arg2 shouldAcceptNewConnection:(void *)arg3 {
r12 = ..
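For comparison, the following is an added example (not code from the post or from Microsoft) of how a listener:shouldAcceptNewConnection: implementation can bind the acceptance decision to the peer's code signature rather than to anything the client can influence; the requirement string, the protocol and the class name are hypothetical.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical designated requirement for the only client this daemon should serve.
static NSString * const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.updater-client\" "
    @"and certificate leaf[subject.OU] = \"EXAMPLETEAMID\"";

@protocol UpdaterProtocol <NSObject>   // hypothetical exported interface
- (void)ping;
@end

@interface HardenedServiceDelegate : NSObject <NSXPCListenerDelegate, UpdaterProtocol>
@end

@implementation HardenedServiceDelegate
- (void)ping {}

// Checks the peer against kClientRequirement via its audit token, so the check is
// tied to the actual connecting process rather than to a pid or an on-disk path.
- (BOOL)peerSatisfiesRequirement:(NSXPCConnection *)connection {
    // -auditToken is a private, undocumented NSXPCConnection property (assumption:
    // it is present on the target OS). On macOS 13+ the public API below is preferred.
    NSData *tokenData = [connection valueForKey:@"auditToken"];
    if (tokenData.length != sizeof(audit_token_t)) return NO;

    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) return NO;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
        CFRelease(req);
    }
    CFRelease(code);
    return ok;
}

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (@available(macOS 13.0, *)) {
        // Public API: the framework drops any peer that does not meet the requirement.
        [newConnection setCodeSigningRequirement:kClientRequirement];
    } else if (![self peerSatisfiesRequirement:newConnection]) {
        return NO;
    }
    newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(UpdaterProtocol)];
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}
@end
```

The requirement must be set or checked before the connection is resumed; a check that only consults the peer's pid or bundle path can be bypassed by a process that controls either.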