How Microsoft Accidentally Backdoored 270 MILLION Users
HTML-код
- Опубликовано: 22 май 2024
- Try SquareX for free today! 👉 sqrx.io/dbv2_yt
In this video, we take a deep dive into the Microsoft Teams RCE (remote code execution) exploit chain, discovered by bug hunter Masato Kinugawa. This exploit chain consists of cross-site scripting (XSS), prototype pollution, and a sandbox escape within the desktop application framework Electron. Whether you're a pen tester, security researcher, or cyber security expert, having a solid foundation in web and desktop technologies, as well as JavaScript, prototypes, and APIs are crucial.
JOIN THE DISCORD! 👉 / discord
0:00 - Overview
0:46 - Electron
2:30 - Entry Point + Chain Architecture
3:25 - Cross-site Scripting (XSS)
6:53 - Prototype Pollution
11:10 - Sandbox Escape
13:26 - SquareX
Masato Kinugawa's report:
speakerdeck.com/masatokinugaw...
AngularJS RegEx:
github.com/angular/angular.js...
SquareX socials:
Twitter: / getsquarex
LinkedIn: / getsquarex
Instagram: / getsquarex
Facebook: / getsquarex
Blog: labs.sqrx.com/
MUSIC CREDITS:
LEMMiNO - Cipher
• LEMMiNO - Cipher (BGM)
CC BY-SA 4.0
LEMMiNO - Firecracker
• LEMMiNO - Firecracker ...
CC BY-SA 4.0
LEMMiNO - Nocturnal
• LEMMiNO - Nocturnal (BGM)
CC BY-SA 4.0
LEMMiNO - Siberian
• LEMMiNO - Siberian (BGM)
CC BY-SA 4.0
LEMMiNO - Encounters
• LEMMiNO - Encounters (...
CC BY-SA 4.0
#programming #software #softwareengineering #computerscience #code #programminglanguage #softwaredevelopment #hacking #hack #cybersecurity #exploit #tracking #softwareengineer #vulnerability #pentesting #privacy #spyware #malware #cyber #cyberattack #bugbounties #ethicalhacking #encoding #lowlevelsecurity #zeroday #zero-day #bugbounty #security #cybersecurity #breaches #databreaches #bug #bugbounty #pentesting #penetrationtesting #backdoor #javascript #XSS #crosssitescripting #web #webdev #electron #HTML #hacked #BeFearlessOnline #SquareX #Befearless&SecureOnline #Cybersecurity #Privacy #Security #Cybersec - Наука
THANKS FOR WATCHING ❤
JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm
** UPDATE **
A few commenters have been confused weather or not Teams was using the deprecated AngularJS, or the new Angular. The answer is that it was indeed using the deprecated AngularJS.
I even referenced the exact line of code in my description, within the old AngularJS:
github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384
Why was it being used after deprecation? My guess is at good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still...
The only part that I messed up on was @ 5:53 - I used the wrong README. This should have been the old AngularJS. I stand corrected. Thanks to those who pointed this out!
** UPDATE 2 **
Thanks to @Possible1985 for pointing out that the sentence @ 7:52 should have read "even if nodeIntegration is DISABLED", not enabled.
👇 Let me know what type of bug bounty reports you would like to see next! 👇
Thank you for all of the support, I love all of you
I love people too 💓 💗 ❤️ 💕 💛 ♥️ 💓 💗
this the shocker that they made such a big deal about using this malware over c-19
Angugar?
When you started the section on xss with "but first", I thought you were about to do an ad read for a VPN. Thank you for not doing sponsored ad reads. That was a relief.
Someone really decided to make it possible to embed JavaScript in a CSS class name
YES. Would you expect anything less stupid from Google?
The issue is more to do with the fact that Teams is injecting dynamic, user generated HTML that then gets picked up by Angular. Basically what they're doing is akin to using "eval" on a user input string, and then running some sanitizer over that input to ensure the code contains nothing bad. That's extremely bad practice, for exactly the reasons outlined in the video.
That's as smart as it would be allowing to download and run arbitrary java code by passing a string to a logging library, right? Oh, dang, that happened as well...
And that’s why everyone stopped using Angular in 2015!
One of React’s main advantages has always been its protection against XSS :)
How the HELL?😊
I'm surprised by how uncomplicated each singular step is but how much persistence is needed to pull the entire attack off...
Uncomplicated is a subjective term
@@omanshsharma6796They really are uncomplicated. This attack is more like a mathematical proof, each statement is understandable but having the insight about how to link them together is the clever bit.
@@DensityMatrix1 Working as intended... how hard is to block code injection via text chat? Crazy easy as you need specific and exact comands to do anything...
Uncomplicated? Not at all. Everything is easy and Uncomplicated once you know it. For you to pull a RCE, you really need to know what you are doing, you need to know the many different technologies and tricks to pull this off. This guy built a 0 day from scratch, step by step.
That's talent, I'm not surprised he is Chinese. Those guys are built different.
It's only "uncomplicated" once you've seen it done. This is a pretty novel and slick chain of events, requiring locating some pretty tiny needles in a very big haystack.
I could not pull this off if my life depended on it
Sounds like something a hacker would say
No one could that is why it is valued at 150k $
for real I could have a thousand years and not figure it out
git gud
@@diaahanna8882 just a matter of time spent
> used electron
I literally paused the video at this point 😅
The corporate obsession with JS will never cease to amaze me
@@mgord9518seriously.
150k is among the largest bug bounties? Wow, so now I know nothing is secure.
Wow 150k for this is embarrassing. 270 MILLION high-quality targets with a zero click. 3 TRILLION company btw. No wonder people turn to crime, good thing dudes compass points north. Finding exploits is a thankless job...
I agree with you on this. The bounty definitely should have been far higher for the impact of the exploit 🤷
around 0.5 dollar per 1000 users
@@schwingedeshaehers wow i think an ad would make more money than that
Shame on M$ 😅
They should pay $1m at least.
If he sold this to any government he would've had a major pay day
modern exploit chains are pure insanity. it really makes you wonder whether all those mitigations are helping or just delaying the inevitable.
it's both - in some ways it shows how 'secure' things are these days - no more drive-by from script kiddies dropping quotes into text boxes. But all steps in this chain were patched - so any new security break like this needs 4 new exploit steps. And there are prizes for discovering any 2 in a row (1 alone isn't worth that much).
We're trying to setup an environment where the user can do whatever they want, without allowing them to do specific actions - the target is 'hard' to achieve :)
A lock doesn't stop criminals. It just deters criminals.
Patching exploits and improving security makes it harder to do malicious things in these apps. It's a deterrent.
Grabify is a easy drive by phish used today to log your ip in a text box (just 1 of many examples) so there are still things people can do Phishing wise that just relies on social engineering A SINGLE CLICK. @@andytroo
00:30 you should cover the highest paid bug bounty on that list, about staying in Apple for 3 months.
Seems incredibly interesting!
The headline there is actually a bit misleading, lol. They didn't remain inside Apple for 3 months - they just assembled a team of pen testers to find bugs at Apple over a 3 month period. They found 55 total vulnerabilities over the time span. The reason why the bounty is listed so high is because it's a summation across the payouts for all 55 bugs.
Here's the full report if you're interested:
samcurry.net/hacking-apple/
55 in only three months does seem highly eligible for an efficiency-to-haul ratio bonus tbh
Alone I have found about 20 in a single month, but thats across multiple vendors/manufacturers. (never been paid for them so theres no record to cite here)
@@komorebi8182 The URL has words in it, those words tell you what site it is. If you traverse to the main domain of a website they generally tell you what they are. In this case it's a guys blog.
@@komorebi8182oops, didn't see this till now! It's called pentester.land - pretty awesome site.
Amazing, isn't it?
You find a critical, 0-click RCE in a company's product and they pay you out 150k...
Go to a company like NSO, sign a simplr NDA and you've got yourself 1.5 million...
Check the history, we're talking about Microsoft!
I'm beginning to start my journey into cybersec and I couldn't have found this at a better time, amazing content my brother! As a side note, 150k seems stupidly low for the gravity of the exploit and how many people could've been affected by it
And yet one of the biggest payouts ever.
cybersex?
@@stellviahohenheim Amen homie
Now this guy should have got paid like 10 million at least. That would have encouraged more people to pursue stuff like this and find vulnerabilities. This bounty will actively discourage people which is kind of sad. Good thing this guy had a good heart/head.
This was an incredible video. Animations are fire, going back to the high-level steps of the exploit, and coloring the relevant code snippets were all incredibly helpful for me to follow along. Liked, subbed, did all the things. Hoping to see more from you.
Man this is one of my favourite comments ever, thank you ❤️. You're the first person so far to mention the semantic colour coding, which I pay a lot of attention to. I'm happy it helped, and glad to have you apart of the community!
@@DanielBoctor semantic colour coding is life, in work and in your vids. very nice touch.
Just the right amount of technical details while providing a great overall narrative. Nice work.
Thanks for the support! Means a lot
Dead ass this is better than straight up bashing Microsoft and saying go to Linux go to Linux as it’s the underlying that matters
AngularJs in teams? Lordy.
Thank you for taking the time to say and make all these graphics! Your hard work doesnt go unnoticed sir!
Thank you so much! The support means a lot ❤️. Thank you for the recognition, and for being apart of the channel 😊
The fact that they use AngularJS instead of Angular >=2 is baffling
You will be surprised by how degraded technologies these MNCs use. It requires them time to overhaul their system.
They still use knockout js in azure it seems it takes quite a while for a service become in production and it seems like they move slow with replacing it.
@@anonymoususer6801 I mean sure, but like AngularJS has been softly deprecated 10 years ago, fully deprecated not long after, and the last release was 4 years ago...
And that they sanitize user input a little and then just treat it as dynamic markup, that’s the insane part to me
It's all about profit margins, switching to a different code base is an additional cost. You'll be surprised how many legacy frameworks are still in use today even by large companies.
Awesome video Dan! Always delivering high quality content
Thank you Jacob!!!
What an incredible video! I really like your explanation - complete without being overbearing. Not a JS dev, but I still could pick up on the important details - so nice job!
Will definitely check out the rest of your channel. Cheers!
Thanks for watching! Glad you liked it
That was a great video, and your ad-read of SquareX was fantastic information. I've downloaded an extension for the very first time that I've seen on a video haha! I never thought I'd see the day when I'd be persuaded to install an extension.
haha, that's awesome to hear!
@@DanielBoctoryeah I've used it since too haha!
These videos are so informative and well made, I can’t believe you only have 15k subs.
You’re gonna make it big
Thank you for the support! I appreciate it ❤️
Thank you for a clear, step by step illustration of how each step of the exploit worked.
Another amazing video, keep up the fantastic work!
Will do! Thanks for the support!
It’s actually quite simple but man you gotta really understand the know how’s to get in and get out. Genius to find this minuscule window from such a huge company. btw thank you for the simple explanation you made it easy to understand and amazing visuals.
glad it was helpful
Masato Kinugawa is a legend, with Gareth Heyes those are the best XSS hunters i know. 150k$ well deserved !
This is such a well made video. Excellently explained!
Glad you liked it!
Great explanation, even with your pronunciation of JavaScript 😉. Your latest video on speculative execution was also amazing. Just discovered your channel today and subscribed. Looking forward to future videos as well as going through your previous ones.
Thank you for the support! I appreciate it. Glad you're finding my content interesting
Your explanation of Angular's role in the exploit was confusing to me because it seemed that you conflated AngularJS, the ancient, deprecated framework with the modern versions of Angular. It is not clear which version they were using in the exploit. The screenshots showed version 1.8 which would be the old version, which in the year of that exploit would have been after end of life support. Feels very careless of Microsoft to continue using that of version so long...
Good question. They were indeed using the old AngularJS. I even linked the exact line I referenced in the video in the description:
github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384
Why was it being used after deprecation? My guess is at good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still...
Thanks for the clarification!
of course
as always, very good quality!
Glad you think so! Thanks for the support 😊
Thanks for the informative and well made video. Perfect depth for the format. Maybe you could somehow link the source in the video. Like having a foot note number in a corner
That took an impressively detailed knowledge of all the applied frameworks to pull off. Kudos to them!
6:38 love how you use Lemino's music for bgm ❤
hes an inspiration to me
Amazing vid and explanation, mate! Love the channel!
Thanks for watching! Glad you liked it
Awesome explanation. This should reach more people.
You are an awesome fella. Thank you for the support! I'm glad that you enjoyed ❤️
That was an awesome explanation
not as awesome as you
bruh who is this guy
dude came out of nowhere and is making this clutch content
LOL, this is truly a great comment
Was the patch to fix this problem done in node.js (or a package it depended on) or Teams? If node.js, which version had this problem? Thanks for a great video.
this was *not* an issue with Nodejs itself
If that was your conclusion I question if you actually followed along the video.
Eletron is an opensource program with it's own org and framework. The code is hosted on github, it is not a github project. That matters.
You are right, however it was originally developed by GitHub. They transferred Electron's ownership from GitHub to the OpenJS Foundation in ~2019.
Always a blessing to watch!
Always a blessing to have you apart of the channel
Really well done video
Hey, just a heads-up the way the sponsor was mentioned in this video may have violated RUclips sponsoring disclosement guidelines since there wasn't a verbal disclosure and/or paid promotion notification. (See the "Add paid product placements, sponsorships & endorsements" RUclips Help page)
I'm not a creator myself, but the way to properly do it would probably be one or more of the below two things, I think:
- In RUclips Studio, under "More", clicking the “My video contains paid promotion like a product placement, sponsorship, or endorsement.” box will display a "Includes paid promotion" disclaimer at the first 10 seconds of the video
- In the RUclips video content or description, I believe there's some requirement to verbally disclose the nature of the relationship with the sponsor. E.g. by saying "You may want to check out this video's sponsor, SquareX", or "This video was sponsored by SquareX", etc.
Thanks for bringing this up. The paid promotion option was always on, and the notification was always present at the start of the video. Are you sure you didn't see it? It shows up for me.
In terms of the verbal disclosure though, can you find / link where it states that? I looked through the page that you referenced, and nowhere could I find any sort of verbal disclosure requirement. I genuinely appreciate your heads up, I just couldn't find the verbal requirement anywhere. Let me know if you can find this. Thank you
Excellence again ! thanks you !
thank you for watching!!
"accidentally" 😂😂😂 absolute commedian
Very nicely explained
Thanks!
Thx for such a comprehensive explanation ñ
I canot even Teams get render html in chat messages.
Did they generally remove html support in chat messages to close down this vector?
Nice job dude🎉
goddamn regex wildcard made this possible
Fucking love regex man. Terrible to write, worse to read. Has the security of swiss cheese. And we just CANNOT help ourselves.
@@Selsatolet's use a LALR parser instead!
$150k ain’t much of a bounty for something that could topple your entire company.
What are those background videos? The strange geometry is very nice, where can I find them?
They actually come from a collection of "Visualising AI" animations from Google DeepMind. They are quite incredible indeed. Here is the source if you want to check it out!
deepmind.google/discover/visualising-ai/
@@DanielBoctor thanks!
What a processsss to pull thisss one of
Fairly sure this is how Data got the Borg cube to go to sleep.
I don't get it... how did we get from it not being possible to send HTML to being able to set the class value of a HTML tag on the renderer?
We were always allowed to send HTML in chat messages - it was just sanitized, restricting the specific HTML elements and classes allowed. This exploit was able to be pulled off because the only class that we used was the swift-* class, which was allow-listed by the sanitation library.
@@DanielBoctor thank you, he just used one of the allowed HTML tags, now I get it! :D
incredible video. subbed
Thanks!
0:20 Why did you put slashes instead hyphens into that command?
Thanks for this explanation, from what you've outlined I have to conclude that Microsoft doesn't have any processes in place to ensure their code meets even the most basic security requirements. Both of the exploits used are gross oversights. Makes you really wary of using anything Microsoft for sensitive applications.
One of my first uses of psexec was remotely opening calculator on a coworker's desktop!
06:29 is "malicious" separate class because there is space before?
Just to be clear, there is only a single class here, "swift-*", as perceived by Teams.
What we're doing is piggybacking the ng-init directive onto the swift-* class. The Teams sanitation library, sanitize-html, allows this, as it only sees a single class that conforms to the allow-list. The "ng-init: malicious" is NOT it's own class as perceived by Teams sanitation library sanitize-html, but WILL be recognized by Angular's own parsing engine.
To answer your question, no, the space before the malicious expression is not needed. From Angular's perspective, the only thing required is the semicolon, as its RegEx uses a semicolon as a delimiter. In short, the space is not necessary, but the semi colon is.
Hopefully this helps!
Hey, love these videos! Can you make one about the RCE exploit that shut down the servers of all Souls games developed by Fromsoftware?
It's super interesting because if the exploit hadn't been reported responsibly, it could have been used on Elden Ring, one of the biggest games of all time, on hundreds of thousands of people simultaneously. It could have been one of the worst exploits in gaming
It did not even require P2P connection, as it exploited the game's servers. Tremwil wrote a great explanation on gitthub
Even players sitting on the main menu were affected!
(sorry I had to type the comment like this, YT kept deleting it over and over again. Might need to "sort by new" to see it all)
I don't understand most of these code lines, but I still enjoy watching this, because of clear graphics explaining what's going on... 😅
@5:55 the screenshot you are showing is wrong. Its of Angular but not of Angular JS.
I just love how they paid him €150.000 but it would have cost Microsoft multiple millions in legal fees.
Not saying that he should have been paid more, but still kinda funny
He could have got at least double that on the dark web
@@thewhitefalcon8539he could get even more if he sold that exploit to usa or russia
This guy should have got paid like 10 million. This could have compromised so many people so quickly.
@@paramveerdhoot6415I agree, I am don't really agree with my past self here. There is no real price-tag for the safety, privacy and security of millions of people.
I wish you named your channel «Doctor Boctor»
You have no idea how many people call me that irl lol. I might actually change the name of the channel one day.
Accidentally? That sounds more like a security vulnerability than a backdoor.
It's so baffling to me that developers decided to beat JS into a bloody pulp until it does what you want it to do, instead of just admitting that we should probably just use a different technology. Now, we have wild exploit chains like this that are possible because we keep adding crap to make HTML do things it was never meant to do. This is what happens when you combine two completely separate and highly open ended technologies together. Of course you can do some really wacky stuff, especially when the combination of the two technologies was not expected, intended, or standardized. But we loved them so much that we forced them together into unholy matrimony. And we just can't get enough. We just have to keep coming up with newer, hotter and wilder ways to get some JS all up in our HTML.
And on the other side we have C++, which sort of looks like it was developed for the purpose of making complex and robust applications, as were the common frameworks, but which is good for spectacularly dangerous exploits, probably more so than dynamic HTML land.
I still feel that JS vulnerabilities are more worrisome because they are usually due to bad config and build tools/frameworks with bugs. These vulnerabilities would then affect all projects that use them.
C++ doesn't become vulnerable until you write or use bad code.
@@ryangrogan6839 Oh but where there's code, there's bugs, it's inevitable. There's memory safety bugs in every C and C++ framework that you're sitting atop right now, this can be guaranteed. It's not like buggy code necessarily smells, bad code routinely passes reviews and gets examined hundreds of times without something being noticed wrong, because in other possible contexts the same code is correct.
My two favourite cases have been both caused by iterator invalidationm, both caused month of hunting because the outcome was wrong logic which wasn't legible in debugger, because at the point of invocation it was "correct", it was just dealing with data that could no longer exist but looked valid, and occasional malloc crashes elsewhere in the program.
Perfectly explained and very interesting! The pronunciation of "processes" is quite jarring though.
How can someone even find such a thing mann 🤯it sounds too difficult...but nice explanation ❤
Some of these bug hunters are on another level. Thanks for watching ❤
Hey im on indows trying to get git to work defender sais its a threat when i install it and git still dont run correct any ideas?
This video is just perfect
you are perfect
This just makes me feel that my instinct to never use any desktop JS app was 100% correct.
Yes, because running an app that runs JS in an insolated environment is much more dangerous than a .exe file that has direct and complete access to all win APIs.
This is pure regurgitating of popular slogans like "js bad".
@@laztheripperexactly, I hear people complain all the time about this stuff, I preach for more low level access (like having a sandboxed file system) to websites installed as webapps (with permissions prompted to the user) and every time I'm answered with "but that's dangerous!!!" Yeah because let's just ignore the fact everyone just downloads random exe files that have complete access to your OS
The problem is that if you want to produce a desktop app that does anything useful then you have to provide access to the underlying system anyway - and that's an issue when dealing with a language that was designed with the underlying assumption that it was running in an ephemeral isolated context where nothing it does actually matters. It's also extremely hard to carry out static analysis on, and has led to the spread of the incredibly dangerous idea that code that passes the tests is "correct". @@laztheripper
@@laztheripper "Yes, because running an app that runs JS in an insolated environment is much more dangerous than a .exe "
As you can see - yes. In a native application, you have no way for the displayed text in the control to call scripts. You don't need to sanitize anything.
@@laztheripper actually yes, Js bad. You cant XSS a native app that doesnt have scripting…
I work in IT and I hate Teams app with great passion. Actually, ANY app or a script that auto-launches itself in window mode by default.
I would simply not compile chat messages as an Angular template, because the template compiler is designed with trusted input in mind.
Nice video. Sub well earned.
thanks!
Lol backdoor was all ready there
It doesn’t surprise me that teams was the weak link. shortly before the venerability was found, a teams crash corrupted my user data to the point that i had to re install windows
I wonder why the Teams main process would have unlimited access to system calls. I would think it should run in a more limited mode, i.e. not as administrator. Using one of the examples in the video, I cannot think of any reason why the Teams main process should ever be allowed to shutdown the computer. Restricting the Teams main process to be limited would by no means be a cure-all. However, it would help to limit possible damage when bugs like this are exploited.
Man it's Microsoft, it's invasive!
Idk if you know but every single application can run "system calls". It's how it runs to begin with.
@@SammysapphiraThere are different privileges. Some of the most basic privileges allow programs to allocate memory or write files. More sensitive privileges allow a program to make changes to the registry or shutdown the computer. So, yes, every program which runs must be allowed to do basic system calls like allocating memory. However, not all system calls are treated the same. Some system calls which can do more destructive things when used improperly are only allowed with the least restricted accounts (like Admin) or groups. That is how security models work. Not all system calls are or should ever be allowed for all programs.
"accident"
Feds accidentally left multiple bags of cash at an executives office as well
I have no idea what you are talking about, but it is interesting.
the least disasterous "accident" microsoft ever did
LOL
great content
love you
@@DanielBoctor 👦
The only thing I can think of when electron and discord are together is
Pls update electron for Linux
amazing content
The price tag attached and knowing now that is one of the highest bounties is sad. I am very surprised how poorly this pays
These bugs seems deliberate
risksssss, attackssss 👀 nice video tho
not an accident, a data sales.
The multiprocess browser model was invented by Firefox through the e10s project, not Chrome
teams: runs on electron, but feels like its running on java
If electron was built on Deno, could this have been possible?
Awesome!
no you
IDK, teams still feels like there's a hole waiting to be poked at. Sandbox is both useful and dangerous if ever can exit the sandbox.
that's electron for you! 500 balloons on top of a cactus farm.
Oh no! lol@@shr4pnel
found this in my watch later, it blows my mind how the xz exploit which affected nobody became headlines over headlines despite never hitting prod/stable distros but windows has a exploit of this scale and not a soul is talking about it
3:55 thats why you cant copy and paste messages WITHOUT the time stamp.
RPC within a client when it was triggers on update they needed OMG 😳
7:52 "even if nodeIntegration is DISABLED" not enabled
AHHHHHHHHH I don't know how I didn't catch this! To be fair, you were the first to mention it out of 100k+ views. Good catch. I updated the pinned comment. Thanks!
Oh regex... nobody remembers you have to account for characters outside of your application if they break out of it.
How in the world one learns about these exploits , the guy is truly a genius hacker 😮
If you think for a second that every OS doesn't have back doors to the parent company or the government. Your special.
Perfect example of why I know have a dedicated language for the front-end and the server process is ideal.
Why are people making this more complex than needed?
Not surprised , Microsoft has been doing this since the earliest iteration of Windows.
Some languages have the concept of raw strings, wouldn't that put a definitive end to all of this madness?