MICROSOFT TEAMS — CROSS SITE SCRIPTING (XSS) BYPASS CSP
During my early stages of employment at Gais Cyber Security in 2021, my manager had reached out to me over the phone and said with excitement “I think there’s a vulnerability in Teams, let’s look together!”. Naturally, we got to work, and in the span of 2 hours, I had discovered my first Microsoft Teams vulnerability (CVE-2021–24114) that ended in an Account Take Over (ATO).
You can read the report on CVE-2021–24114 here.
Discovery of Vulnerability
I decided after a year since reporting the vulnerability to explore Microsoft Teams again and see what else I could find. Teams has many features but there is one feature that everyone loves especially… Sending stickers!
To start this project off, I sent my teammate a sticker and evaluated how this all works.
When you send a sticker on Microsoft Teams, Teams will convert it as an image and then upload it. The image is sent as “RichText/Html” in the message.
Which looks like this.
After minutes of deciding which of my favorite stickers to send, I sent and inspected the HTTP request.
Helpful tip: During application PenTesting, mark HTML attributes to easily follow the condition in the sections where HTML characters are interpreted. For example in the image below.
When I clicked on the sticker, the text sent over the alt attribute was shown in the popup that opened at the bottom.
In the image above, the area I outlined in the red is the alt tag of the image transmitted in the JSON data. I placed a font tag to leave a mark in this field.
Going back to the chat screen, I clicked on the picture again and saw that the HTML characters I added were interpreted.
Let’s take a look at what’s in front of us so far… I posted an image and the value in the alt tag of that image is interpreted as HTML in the popup that opens. So how does this turn into XSS Vulnerability?
Path to XSS Vulnerability
Testing the standard stuff was leading to nothing successful. This is because of Content Security Policy (CSP). Here’s what the current CSP for Microsoft.
If this information means nothing to you, here’s an article from PortSwigger to explain everything you need to know about CSP.
Tools like Google’s “CSP Evaluator” help understand if there’s a defect on the CSP side and what they include.
Here’s what was found using CSP Evaluator, this shows the “script-src” field is unsafe.
So now, there’s an HTML injection and multiple domains that can be included in scripts on the page. The question is which domains could be used? I took a lot of time on this area and submitted two reports to Microsoft. The first report highlighted “media services” that aren’t currently in the CSP. This service, however, is no longer used due to the domain name being changed by Azure. The result of this report was it being closed immediately.
The angular version I saw was outdated ( 1.5.14 ). I knew now that I could pass the CSP with this version’s vulnerabilities, which started my journey on some local tests. Later, I saw that I was able to receive alerts successfully.
The next task is trying to fit two created elements as both js and div on a single page. I used "iframe srcdoc" in this.
After everything was crafted, the final payload was sent, making corrections along the way due to HTML errors. To get around this I used HTML encoding so the characters could be interpreted correctly. And voila, XSS Vulnerability on Microsoft Teams was obtained through user interaction.
Thank you for reading this far. And special thanks to frosted_dolphin who helped me with this article.