How Microsoft Accidentally Backdoored 270 MILLION Users

  • Published: 21 Nov 2024

Comments • 552

  • @DanielBoctor
    @DanielBoctor 9 months ago +29

    THANKS FOR WATCHING ❤
    JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm
    ** UPDATE **
    A few commenters have been confused about whether or not Teams was using the deprecated AngularJS, or the new Angular. The answer is that it was indeed using the deprecated AngularJS.
    I even referenced the exact line of code in my description, within the old AngularJS:
    github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384
    Why was it being used after deprecation? My guess is as good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still...
    The only part that I messed up on was @ 5:53 - I used the wrong README. This should have been the old AngularJS. I stand corrected. Thanks to those who pointed this out!
    ** UPDATE 2 **
    Thanks to @Possible1985 for pointing out that the sentence @ 7:52 should have read "even if nodeIntegration is DISABLED", not enabled.
    👇 Let me know what type of bug bounty reports you would like to see next! 👇
    Thank you for all of the support, I love all of you

    • @Pr0toPoTaT0
      @Pr0toPoTaT0 9 months ago +1

      I love people too 💓 💗 ❤️ 💕 💛 ♥️ 💓 💗

    • @SLAYERSARCH
      @SLAYERSARCH 9 months ago

      This is the shocker: that they made such a big deal about using this malware over C-19

    • @sharonfox
      @sharonfox 9 months ago

      Angugar?

    • @CatFish107
      @CatFish107 9 months ago

      When you started the section on xss with "but first", I thought you were about to do an ad read for a VPN. Thank you for not doing sponsored ad reads. That was a relief.

  • @renakunisaki
    @renakunisaki 9 months ago +624

    Someone really decided to make it possible to embed JavaScript in a CSS class name

    • @jfbeam
      @jfbeam 9 months ago +81

      YES. Would you expect anything less stupid from Google?

    • @seeibe
      @seeibe 9 months ago +106

      The issue is more to do with the fact that Teams is injecting dynamic, user generated HTML that then gets picked up by Angular. Basically what they're doing is akin to using "eval" on a user input string, and then running some sanitizer over that input to ensure the code contains nothing bad. That's extremely bad practice, for exactly the reasons outlined in the video.
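A worked illustration of the point @seeibe makes above, added here and not part of any comment, of Teams, or of AngularJS: a deny-list sanitizer that strips scripts but keeps class attributes, a check for template markers that survive it, and the safe alternative of never compiling user content. The sanitizer, the marker list and the sample message are all constructed for this example.

```javascript
// Added example, not code from the video, from Teams, or from AngularJS. It
// models the pipeline described in the comment: user-supplied HTML is run
// through a sanitizer and then handed to a client-side template engine that
// still interprets markup, versus the safe route of inserting the message as
// inert text that the template engine never compiles.

// A small deny-list sanitizer in the spirit of a typical HTML sanitizer: it
// strips script elements, inline event handlers and javascript: URLs, but,
// like most sanitizers, leaves presentational attributes such as class alone.
function naiveSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/javascript:/gi, '');
}

// Things a client-side template engine would still act on in "clean" HTML:
// interpolation braces, directive-style attributes, and directives declared
// through class names (the prefixes are illustrative AngularJS-style names).
const TEMPLATE_MARKERS = [
  /\{\{[\s\S]*?\}\}/,                        // {{ interpolation }}
  /\s(?:data-|x-)?ng-[\w-]+\s*=/i,           // ng-* attribute directives
  /class\s*=\s*["'][^"']*\b(?:data-)?ng-/i,   // ng-* names inside class
];

// Detection check a reviewer can run over sanitizer output: does anything
// the template engine interprets survive sanitization?
function containsTemplateMarkers(html) {
  return TEMPLATE_MARKERS.some((re) => re.test(html));
}

// Unsafe pipeline: sanitize, then insert the result as live markup that the
// template engine compiles. The obvious script is gone, but everything the
// template engine understands is still there.
function renderAsMarkup(userHtml) {
  return { output: naiveSanitize(userHtml), compiled: true };
}

// Safe pipeline: escape the message and insert it as text into a region the
// template engine does not compile. Braces and ng- names may survive in the
// text, but nothing interprets them.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

function renderAsText(userText) {
  return { output: escapeHtml(userText), compiled: false };
}

// The risk is the combination: content that carries template markers AND is
// handed to the compiler. Escaping alone is not the property that matters.
function assessRisk(rendered) {
  return rendered.compiled && containsTemplateMarkers(rendered.output);
}

// Constructed sample message (not a real payload): markup that a deny-list
// sanitizer passes but a template engine would still interpret.
const SAMPLE_MESSAGE =
  '<p class="ng-init: x = 1">Hello {{ 1 + 1 }}</p><script>probe()</script>';

function demo() {
  const markup = renderAsMarkup(SAMPLE_MESSAGE);
  const text = renderAsText(SAMPLE_MESSAGE);
  const benign = renderAsMarkup('Hello <b>world</b>');
  return {
    markup: { ...markup, risky: assessRisk(markup) },   // risky: true
    text: { ...text, risky: assessRisk(text) },         // risky: false
    benign: { ...benign, risky: assessRisk(benign) },   // risky: false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```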

    • @xmine08
      @xmine08 8 months ago +46

      That's as smart as it would be to allow downloading and running arbitrary Java code by passing a string to a logging library, right? Oh, dang, that happened as well...

    • @pianowhizz
      @pianowhizz 8 months ago +8

      And that’s why everyone stopped using Angular in 2015!
      One of React’s main advantages has always been its protection against XSS :)

    • @xapk_
      @xapk_ 8 months ago

      How the HELL?😊

  • @Code_Capital
    @Code_Capital 9 months ago +650

    I'm surprised by how uncomplicated each singular step is but how much persistence is needed to pull the entire attack off...

    • @omanshsharma6796
      @omanshsharma6796 9 months ago +19

      Uncomplicated is a subjective term

    • @DensityMatrix1
      @DensityMatrix1 9 months ago +101

      @@omanshsharma6796 They really are uncomplicated. This attack is more like a mathematical proof: each statement is understandable, but having the insight about how to link them together is the clever bit.

    • @Bialy_1
      @Bialy_1 9 months ago

      @@DensityMatrix1 Working as intended... how hard is it to block code injection via text chat? Crazy easy, as you need specific and exact commands to do anything...

    • @MygenteTV
      @MygenteTV 9 months ago +15

      Uncomplicated? Not at all. Everything is easy and uncomplicated once you know it. For you to pull off an RCE, you really need to know what you are doing; you need to know the many different technologies and tricks to pull this off. This guy built a 0-day from scratch, step by step.
      That's talent, I'm not surprised he is Chinese. Those guys are built different.

    • @jfbeam
      @jfbeam 9 months ago +8

      It's only "uncomplicated" once you've seen it done. This is a pretty novel and slick chain of events, requiring locating some pretty tiny needles in a very big haystack.

  • @denisel
    @denisel 9 months ago +699

    Wow, 150k for this is embarrassing. 270 MILLION high-quality targets with a zero-click. 3 TRILLION company btw. No wonder people turn to crime; good thing the dude's compass points north. Finding exploits is a thankless job...

    • @DanielBoctor
      @DanielBoctor 9 months ago +222

      I agree with you on this. The bounty definitely should have been far higher for the impact of the exploit 🤷

    • @schwingedeshaehers
      @schwingedeshaehers 9 months ago +61

      around 0.5 dollar per 1000 users

    • @commander3494
      @commander3494 9 months ago +95

      @@schwingedeshaehers wow, I think an ad would make more money than that

    • @savire.ergheiz
      @savire.ergheiz 9 months ago +52

      Shame on M$ 😅
      They should pay $1m at least.

    • @kkamau5479
      @kkamau5479 9 months ago +100

      If he sold this to any government he would've had a major pay day

  • @NightMX_
    @NightMX_ 9 months ago +838

    I could not pull this off if my life depended on it

    • @RayScheelhaase-nd9rw
      @RayScheelhaase-nd9rw 9 months ago +60

      Sounds like something a hacker would say

    • @diaahanna8882
      @diaahanna8882 9 months ago +44

      No one could, that is why it is valued at $150k

    • @humanbeing2730
      @humanbeing2730 9 months ago +18

      for real I could have a thousand years and not figure it out

    • @cc-dtv
      @cc-dtv 9 months ago +10

      git gud

    • @cc-dtv
      @cc-dtv 9 months ago

      @@diaahanna8882 just a matter of time spent

  • @2beJT
    @2beJT 9 months ago +90

    150k is among the largest bug bounties? Wow, so now I know nothing is secure.

  • @kevin41420
    @kevin41420 9 months ago +435

    > used electron

    • @jaygay
      @jaygay 9 months ago +30

      I literally paused the video at this point 😅

    • @mgord9518
      @mgord9518 7 months ago +18

      The corporate obsession with JS will never cease to amaze me

    • @YourMom-rg5jk
      @YourMom-rg5jk 6 months ago

      @@mgord9518 seriously.

    • @dafoex
      @dafoex 4 months ago +1

      Everyone is too busy trying to change things that most people don't think about instead of fixing bugs.

  • @kRySt4LGaMeR
    @kRySt4LGaMeR 9 months ago +132

    modern exploit chains are pure insanity. it really makes you wonder whether all those mitigations are helping or just delaying the inevitable.

    • @andytroo
      @andytroo 9 months ago +25

      It's both - in some ways it shows how 'secure' things are these days - no more drive-bys from script kiddies dropping quotes into text boxes. But all steps in this chain were patched - so any new security break like this needs 4 new exploit steps. And there are prizes for discovering any 2 in a row (1 alone isn't worth that much).
      We're trying to set up an environment where the user can do whatever they want, without allowing them to do specific actions - the target is 'hard' to achieve :)

    • @tylerbreau4544
      @tylerbreau4544 9 months ago +17

      A lock doesn't stop criminals. It just deters criminals.
      Patching exploits and improving security makes it harder to do malicious things in these apps. It's a deterrent.

    • @weir9996
      @weir9996 5 months ago

      @@tylerbreau4544 It's a very successful deterrent too. Outside of state-sponsored actors, people aren't going to bother finding these complicated exploits for malicious purposes because there's generally an easier way to make money.

  • @shapelessed
    @shapelessed 9 months ago +86

    Amazing, isn't it?
    You find a critical, 0-click RCE in a company's product and they pay you out 150k...
    Go to a company like NSO, sign a simple NDA and you've got yourself 1.5 million...

  • @MaxJM711
    @MaxJM711 9 months ago +79

    I'm beginning to start my journey into cybersec and I couldn't have found this at a better time, amazing content my brother! As a side note, 150k seems stupidly low for the gravity of the exploit and how many people could've been affected by it

    • @4.0.4
      @4.0.4 9 months ago +2

      And yet one of the biggest payouts ever.

    • @stellviahohenheim
      @stellviahohenheim 8 months ago +3

      cybersex?

    • @MaxJM711
      @MaxJM711 8 months ago +1

      @@stellviahohenheim Amen homie

    • @dhootparm
      @dhootparm 7 months ago +2

      Now this guy should have got paid like 10 million at least. That would have encouraged more people to pursue stuff like this and find vulnerabilities. This bounty will actively discourage people which is kind of sad. Good thing this guy had a good heart/head.

  • @OrangeYTT
    @OrangeYTT 9 months ago +231

    00:30 you should cover the highest paid bug bounty on that list, about staying in Apple for 3 months.
    Seems incredibly interesting!

    • @DanielBoctor
      @DanielBoctor 9 months ago +96

      The headline there is actually a bit misleading, lol. They didn't remain inside Apple for 3 months - they just assembled a team of pen testers to find bugs at Apple over a 3 month period. They found 55 total vulnerabilities over the time span. The reason why the bounty is listed so high is because it's a summation across the payouts for all 55 bugs.
      Here's the full report if you're interested:
      samcurry.net/hacking-apple/

    • @cexeodus
      @cexeodus 9 months ago +24

      55 in only three months does seem highly eligible for an efficiency-to-haul ratio bonus tbh
      Alone I have found about 20 in a single month, but that's across multiple vendors/manufacturers. (never been paid for them so there's no record to cite here)

    • @gg-gn3re
      @gg-gn3re 9 months ago

      @@komorebi8182 The URL has words in it, those words tell you what site it is. If you traverse to the main domain of a website they generally tell you what they are. In this case it's a guy's blog.

    • @DanielBoctor
      @DanielBoctor 8 months ago +4

      @@komorebi8182 oops, didn't see this till now! It's called pentester.land - pretty awesome site.

  • @petar0402
    @petar0402 8 months ago +12

    I work in IT and I hate Teams app with great passion. Actually, ANY app or a script that auto-launches itself in window mode by default.

    • @yash1152
      @yash1152 5 months ago

      what does that mean? what is window mode?
      > _"I hate .... ANY app or a script that auto-launches itself in window mode by default"_

    • @petar0402
      @petar0402 4 months ago

      @@yash1152 Any app/script that opens its window not minimized or in the system tray.

    • @yash1152
      @yash1152 4 months ago +1

      @@petar0402 why do you hate them? do you want your browser, editor (notepad, intellij, eclipse, etc), office suite, preferences app to NOT OPEN as windows?
      [1/n]

    • @yash1152
      @yash1152 4 months ago +1

      i mean, i agree - there are some apps where opening minimized makes sense, sharex screenshot app, media players, overlay tools etc... but the majority of apps don't fall in this category.
      [2/n]

    • @yash1152
      @yash1152 4 months ago

      > _"Any app/script that opens it's window that is not minimized or in system tray."_
      [3/3]

  • @kevinvoiceactor9694
    @kevinvoiceactor9694 9 months ago +71

    This was an incredible video. Animations are fire, going back to the high-level steps of the exploit, and coloring the relevant code snippets were all incredibly helpful for me to follow along. Liked, subbed, did all the things. Hoping to see more from you.

    • @DanielBoctor
      @DanielBoctor 9 months ago +17

      Man, this is one of my favourite comments ever, thank you ❤️. You're the first person so far to mention the semantic colour coding, which I pay a lot of attention to. I'm happy it helped, and glad to have you a part of the community!

    • @pizza-pi
      @pizza-pi 8 months ago

      @@DanielBoctor semantic colour coding is life, in work and in your vids. very nice touch.

  • @ayecab
    @ayecab 9 months ago +23

    Just the right amount of technical details while providing a great overall narrative. Nice work.

    • @DanielBoctor
      @DanielBoctor 9 months ago +2

      Thanks for the support! Means a lot

    • @Megamanthemachine
      @Megamanthemachine 9 months ago

      Dead ass this is better than straight up bashing Microsoft and saying go to Linux go to Linux as it’s the underlying that matters

  • @Voltra_
    @Voltra_ 9 months ago +56

    The fact that they use AngularJS instead of Angular >=2 is baffling

    • @BlueEdgeTechno
      @BlueEdgeTechno 9 months ago

      You would be surprised at how degraded the technologies these MNCs use are. It takes them time to overhaul their systems.

    • @anonymoususer6801
      @anonymoususer6801 9 months ago +3

      They still use Knockout.js in Azure. It seems it takes quite a while for a service to get into production, and it seems like they move slowly with replacing it.

    • @Voltra_
      @Voltra_ 9 months ago +6

      @@anonymoususer6801 I mean sure, but like AngularJS has been softly deprecated 10 years ago, fully deprecated not long after, and the last release was 4 years ago...

    • @mitchell6679
      @mitchell6679 9 months ago +3

      And that they sanitize user input a little and then just treat it as dynamic markup, that’s the insane part to me

    • @haroldcruz8550
      @haroldcruz8550 9 months ago

      It's all about profit margins, switching to a different code base is an additional cost. You'll be surprised how many legacy frameworks are still in use today even by large companies.

  • @itsthesteve
    @itsthesteve 9 months ago +34

    AngularJs in teams? Lordy.

  • @Pr0toPoTaT0
    @Pr0toPoTaT0 9 months ago +110

    Thank you for taking the time to say and make all these graphics! Your hard work doesn't go unnoticed, sir!

    • @DanielBoctor
      @DanielBoctor 9 months ago +9

      Thank you so much! The support means a lot ❤️. Thank you for the recognition, and for being a part of the channel 😊

  • @SylvainPOLLETVILLARD
    @SylvainPOLLETVILLARD 9 months ago +6

    Masato Kinugawa is a legend; with Gareth Heyes, those are the best XSS hunters I know. $150k well deserved!

  • @joe-skeen
    @joe-skeen 9 months ago +21

    Your explanation of Angular's role in the exploit was confusing to me because it seemed that you conflated AngularJS, the ancient, deprecated framework, with the modern versions of Angular. It is not clear which version they were using in the exploit. The screenshots showed version 1.8, which would be the old version, which in the year of that exploit would have been after end-of-life support. Feels very careless of Microsoft to continue using that version for so long...

    • @DanielBoctor
      @DanielBoctor 9 months ago +32

      Good question. They were indeed using the old AngularJS. I even linked the exact line I referenced in the video in the description:
      github.com/angular/angular.js/blob/47bf11ee94664367a26ed8c91b9b586d3dd420f5/src/ng/compile.js#L1384
      Why was it being used after deprecation? My guess is as good as yours. Perhaps they were in the process of shifting away from it, as this only happened 5 months after it was deprecated, but still...

    • @joe-skeen
      @joe-skeen 9 months ago +5

      Thanks for the clarification!

    • @DanielBoctor
      @DanielBoctor 9 months ago +9

      of course

  • @randomperson9282
    @randomperson9282 9 months ago +4

    It's actually quite simple, but man, you gotta really understand the know-how to get in and get out. Genius to find this minuscule window in such a huge company. Btw, thank you for the simple explanation; you made it easy to understand, and amazing visuals.

  • @AlexiHusky
    @AlexiHusky 9 months ago +13

    That took an impressively detailed knowledge of all the applied frameworks to pull off. Kudos to them!

  • @jacobjayme6280
    @jacobjayme6280 9 months ago +33

    Awesome video Dan! Always delivering high quality content

  • @CoreyKearney
    @CoreyKearney 9 months ago +9

    Electron is an open-source program with its own org and framework. The code is hosted on GitHub; it is not a GitHub project. That matters.

    • @DanielBoctor
      @DanielBoctor 9 months ago +9

      You are right, however it was originally developed by GitHub. They transferred Electron's ownership from GitHub to the OpenJS Foundation in ~2019.

  • @LatteCannon
    @LatteCannon 8 months ago +4

    These videos are so informative and well made, I can’t believe you only have 15k subs.
    You’re gonna make it big

    • @DanielBoctor
      @DanielBoctor 8 months ago +1

      Thank you for the support! I appreciate it ❤️

  • @TheTraveler33
    @TheTraveler33 9 months ago +7

    I don't even need to watch the video to tell you how Microsoft backdoored millions of users. They sold them Windows. Backdoored has multiple meanings when it comes to Microsoft. Lol!

  • @Christopher_S
    @Christopher_S 9 months ago +7

    That was a great video, and your ad-read of SquareX was fantastic information. I've downloaded an extension for the very first time that I've seen on a video haha! I never thought I'd see the day when I'd be persuaded to install an extension.

    • @DanielBoctor
      @DanielBoctor 9 months ago +2

      haha, that's awesome to hear!

    • @Christopher_S
      @Christopher_S 9 months ago +1

      @@DanielBoctor yeah, I've used it since too haha!

  • @Sacrosaunt
    @Sacrosaunt 8 months ago +2

    bruh who is this guy
    dude came out of nowhere and is making this clutch content

    • @DanielBoctor
      @DanielBoctor 8 months ago +2

      LOL, this is truly a great comment

  • @gridlocdev2023
    @gridlocdev2023 9 months ago +8

    Hey, just a heads-up: the way the sponsor was mentioned in this video may have violated YouTube sponsorship disclosure guidelines, since there wasn't a verbal disclosure and/or paid promotion notification. (See the "Add paid product placements, sponsorships & endorsements" YouTube Help page)
    I'm not a creator myself, but the way to properly do it would probably be one or more of the below two things, I think:
    - In YouTube Studio, under "More", clicking the "My video contains paid promotion like a product placement, sponsorship, or endorsement." box will display an "Includes paid promotion" disclaimer in the first 10 seconds of the video
    - In the YouTube video content or description, I believe there's some requirement to verbally disclose the nature of the relationship with the sponsor. E.g. by saying "You may want to check out this video's sponsor, SquareX", or "This video was sponsored by SquareX", etc.

    • @DanielBoctor
      @DanielBoctor 9 months ago +3

      Thanks for bringing this up. The paid promotion option was always on, and the notification was always present at the start of the video. Are you sure you didn't see it? It shows up for me.
      In terms of the verbal disclosure though, can you find / link where it states that? I looked through the page that you referenced, and nowhere could I find any sort of verbal disclosure requirement. I genuinely appreciate your heads up, I just couldn't find the verbal requirement anywhere. Let me know if you can find this. Thank you

  • @ryangrogan6839
    @ryangrogan6839 9 months ago +24

    It's so baffling to me that developers decided to beat JS into a bloody pulp until it does what you want it to do, instead of just admitting that we should probably just use a different technology. Now, we have wild exploit chains like this that are possible because we keep adding crap to make HTML do things it was never meant to do. This is what happens when you combine two completely separate and highly open ended technologies together. Of course you can do some really wacky stuff, especially when the combination of the two technologies was not expected, intended, or standardized. But we loved them so much that we forced them together into unholy matrimony. And we just can't get enough. We just have to keep coming up with newer, hotter and wilder ways to get some JS all up in our HTML.

    • @SianaGearz
      @SianaGearz 8 months ago +3

      And on the other side we have C++, which sort of looks like it was developed for the purpose of making complex and robust applications, as were the common frameworks, but which is good for spectacularly dangerous exploits, probably more so than dynamic HTML land.

    • @ryangrogan6839
      @ryangrogan6839 8 months ago +2

      I still feel that JS vulnerabilities are more worrisome because they are usually due to bad config and build tools/frameworks with bugs. These vulnerabilities would then affect all projects that use them.
      C++ doesn't become vulnerable until you write or use bad code.

    • @SianaGearz
      @SianaGearz 8 months ago

      @@ryangrogan6839 Oh, but where there's code, there's bugs; it's inevitable. There are memory safety bugs in every C and C++ framework that you're sitting atop right now, this can be guaranteed. It's not like buggy code necessarily smells; bad code routinely passes reviews and gets examined hundreds of times without anything being noticed wrong, because in other possible contexts the same code is correct.
      My two favourite cases were both caused by iterator invalidation, and both caused months of hunting, because the outcome was wrong logic which wasn't legible in the debugger: at the point of invocation it was "correct", it was just dealing with data that could no longer exist but looked valid, plus occasional malloc crashes elsewhere in the program.

  • @levvayner4509
    @levvayner4509 8 months ago +1

    Thank you for a clear, step by step illustration of how each step of the exploit worked.

  • @Darkregen9545
    @Darkregen9545 8 months ago +1

    I never understood the point of Microsoft Teams and Microsoft forcing this program down my throat. I miss the days when we could uninstall and delete anything on our PC, but nah, local administration means literally nothing, even for super users.

  • @zugly1999
    @zugly1999 9 months ago +9

    6:38 love how you use Lemino's music for bgm ❤

    • @DanielBoctor
      @DanielBoctor 9 months ago +3

      he's an inspiration to me

  • @sawxpatscelts
    @sawxpatscelts 9 months ago +2

    $150k ain’t much of a bounty for something that could topple your entire company.

  • @TinyDeskEngineer
    @TinyDeskEngineer 8 months ago +1

    Accidentally? That sounds more like a security vulnerability than a backdoor.

  • @coolinmac
    @coolinmac 9 months ago +9

    This is such a well made video. Excellently explained!

  • @gravity00x
    @gravity00x 8 months ago +1

    "accidentally" 😂😂😂 absolute comedian

  • @glitchy_weasel
    @glitchy_weasel 8 months ago +1

    What an incredible video! I really like your explanation - complete without being overbearing. Not a JS dev, but I still could pick up on the important details - so nice job!
    Will definitely check out the rest of your channel. Cheers!

    • @DanielBoctor
      @DanielBoctor 8 months ago +2

      Thanks for watching! Glad you liked it

  • @justanotherbee7777
    @justanotherbee7777 9 months ago +4

    Awesome explanation. This should reach more people.

    • @DanielBoctor
      @DanielBoctor 9 months ago +1

      You are an awesome fella. Thank you for the support! I'm glad that you enjoyed ❤️

  • @RikThePixel
    @RikThePixel 9 months ago +6

    I just love how they paid him €150.000 but it would have cost Microsoft multiple millions in legal fees.
    Not saying that he should have been paid more, but still kinda funny

    • @thewhitefalcon8539
      @thewhitefalcon8539 9 months ago +2

      He could have got at least double that on the dark web

    • @Matia.s
      @Matia.s 8 months ago

      @@thewhitefalcon8539 he could get even more if he sold that exploit to the USA or Russia

    • @dhootparm
      @dhootparm 7 months ago +1

      This guy should have got paid like 10 million. This could have compromised so many people so quickly.

    • @RikThePixel
      @RikThePixel 7 months ago

      @@dhootparm I agree, I don't really agree with my past self here. There is no real price tag for the safety, privacy and security of millions of people.

  • @joshua_337
    @joshua_337 7 months ago +1

    Great explanation, even with your pronunciation of JavaScript 😉. Your latest video on speculative execution was also amazing. Just discovered your channel today and subscribed. Looking forward to future videos as well as going through your previous ones.

    • @DanielBoctor
      @DanielBoctor 7 months ago +1

      Thank you for the support! I appreciate it. Glad you're finding my content interesting

  • @MaZe741
    @MaZe741 9 months ago +9

    goddamn regex wildcard made this possible

    • @Selsato
      @Selsato 9 months ago +7

      Fucking love regex man. Terrible to write, worse to read. Has the security of swiss cheese. And we just CANNOT help ourselves.

    • @specy_
      @specy_ 9 months ago

      @@Selsato let's use a LALR parser instead!

  • @tofoo_ninja
    @tofoo_ninja 9 months ago +3

    Thanks for the informative and well-made video. Perfect depth for the format. Maybe you could somehow link the source in the video, like having a footnote number in a corner.

  • @adamhenriksson6007
    @adamhenriksson6007 4 months ago

    This exploit has every single front-end exploit stereotype. XSS enabled by templating (why are we still doing this?), prototype pollution (js lmao), Electron (of course), and improper configuration (what even is security anymore?).
    10/10 perfect specimen. French kiss 👌

  • @sangeetguha51
    @sangeetguha51 9 months ago +11

    as always, very good quality!

    • @DanielBoctor
      @DanielBoctor 9 months ago +2

      Glad you think so! Thanks for the support 😊

  • @maximumeffort6049
    @maximumeffort6049 8 months ago +1

    I have no idea what you are talking about, but it is interesting.

  • @Shazam999
    @Shazam999 9 months ago +2

    Fairly sure this is how Data got the Borg cube to go to sleep.

  • @GainingDespair
    @GainingDespair 9 months ago +1

    "accident"
    Feds accidentally left multiple bags of cash at an executive's office as well

  • @hi_tech_reptilez
    @hi_tech_reptilez 4 months ago +1

    Thank god you stopped the upspeak lol

  • @ByronShingo
    @ByronShingo 9 months ago +5

    Another amazing video, keep up the fantastic work!

    • @DanielBoctor
      @DanielBoctor 9 months ago +1

      Will do! Thanks for the support!

  • @randomcatdude
    @randomcatdude 9 months ago +39

    what I'm getting from this is that Electron and every other webapp technology was a mistake

    • @TheFPSPower
      @TheFPSPower 9 months ago +8

      It wasn't a mistake but it has been done so poorly where everyone sets their own standards that it has turned into a very unsafe technology because there are 10001 ways to inject code everywhere. People talked shit about Windows DLLs back in the day, Javascript is on another level.

    • @hgbugalou
      @hgbugalou 8 months ago +2

      Web apps are great inside browsers. Not so much when trying to shoehorn them into a desktop native app framework.

    • @Roboprogs
      @Roboprogs 8 months ago

      @@hgbugalou it would be nice to have something HTML-like, but much more secure, for developing a native desktop app, which can also generate a web client. Yeah, that's the reverse of what evolved, but maybe that's what we need.

  • @123norway
    @123norway 9 months ago +3

    I wish you named your channel «Doctor Boctor»

    • @DanielBoctor
      @DanielBoctor 9 months ago +3

      You have no idea how many people call me that irl lol. I might actually change the name of the channel one day.

  • @seeibe
    @seeibe 9 months ago +1

    Thanks for this explanation, from what you've outlined I have to conclude that Microsoft doesn't have any processes in place to ensure their code meets even the most basic security requirements. Both of the exploits used are gross oversights. Makes you really wary of using anything Microsoft for sensitive applications.

  • @rogerdeutsch5883
    @rogerdeutsch5883 9 months ago +1

    Was the patch to fix this problem done in node.js (or a package it depended on) or Teams? If node.js, which version had this problem? Thanks for a great video.

    • @chy4e431
      @chy4e431 8 months ago +2

      this was *not* an issue with Nodejs itself
      If that was your conclusion I question if you actually followed along the video.

  • @TrimeshSZ
    @TrimeshSZ 9 months ago +50

    This just makes me feel that my instinct to never use any desktop JS app was 100% correct.

    • @laztheripper
      @laztheripper 9 months ago +31

      Yes, because running an app that runs JS in an isolated environment is much more dangerous than a .exe file that has direct and complete access to all Win APIs.
      This is pure regurgitating of popular slogans like "js bad".

    • @specy_
      @specy_ 9 months ago +5

      @@laztheripper exactly, I hear people complain all the time about this stuff. I preach for more low-level access (like having a sandboxed file system) for websites installed as webapps (with permissions prompted to the user), and every time I'm answered with "but that's dangerous!!!" Yeah, because let's just ignore the fact everyone just downloads random exe files that have complete access to your OS

    • @TrimeshSZ
      @TrimeshSZ 9 months ago

      The problem is that if you want to produce a desktop app that does anything useful then you have to provide access to the underlying system anyway - and that's an issue when dealing with a language that was designed with the underlying assumption that it was running in an ephemeral isolated context where nothing it does actually matters. It's also extremely hard to carry out static analysis on, and has led to the spread of the incredibly dangerous idea that code that passes the tests is "correct". @@laztheripper

    • @piotrc966
      @piotrc966 9 months ago +18

      @@laztheripper "Yes, because running an app that runs JS in an isolated environment is much more dangerous than a .exe "
      As you can see - yes. In a native application, you have no way for the displayed text in the control to call scripts. You don't need to sanitize anything.

    • @wolfeygamedev1688
      @wolfeygamedev1688 9 months ago +17

      @@laztheripper actually yes, JS bad. You can't XSS a native app that doesn't have scripting…

  • @Towersfam43232
    @Towersfam43232 8 months ago +1

    Lol, the backdoor was already there

  • @timd6214
    @timd6214 8 months ago +1

    Amazing vid and explanation, mate! Love the channel!

    • @DanielBoctor
      @DanielBoctor 8 months ago +1

      Thanks for watching! Glad you liked it

  • @mghemke
    @mghemke 9 months ago +2

    I'm surprised Microsoft only paid $150K for this bounty. I'm reasonably sure that there are more nefarious folks, maybe on the black web, maybe organized crime, maybe nation states, that would have paid much, much, much more.

  • @abcdefgh1279
    @abcdefgh1279 9 месяцев назад

    I don't understand most of these code lines, but I still enjoy watching this, because of clear graphics explaining what's going on... 😅

  • @dimo3611
    @dimo3611 9 месяцев назад +1

I cannot even get Teams to render HTML in chat messages.
Did they generally remove HTML support in chat messages to close down this vector?

  • @jesenialimited1385
    @jesenialimited1385 9 месяцев назад +3

    That was an awesome explanation

  • @rursus8354
    @rursus8354 9 месяцев назад +3

I recently discovered that Electron most likely makes the operating system unstable if you run more than one instance (such as when running Teams, Slack and Zoom, which uses another framework but still JavaScript) and let it run for some hours. Then all of them run out of memory and each starts a garbage collection process that competes with the others as well as with the virtual memory swap-out process of the operating system. Being a programmer who started with planetary orbit programming in the late 1970s, I think that modern program development has gone extremely awry, and that a JavaScript-based web architecture as a basis for user programs is quite insane. It is a blind alley rather than a problem that will be solved.

    • @hgbugalou
      @hgbugalou 8 месяцев назад

I use Teams, Discord, and Zoom daily. I will have to monitor this. I have 96 GB of RAM in my machine, so I may be masking a problem.

    • @parito5523
      @parito5523 8 месяцев назад

@@hgbugalou I have a few laptops with 8 GB of memory and noticed the same thing since many years ago; sometimes it is so bad that it makes my system BSOD. Now I tend to just run the most important instance of an Electron app, and run the mobile versions of the other software on my phone instead.

  • @ehwiwh7358
    @ehwiwh7358 8 месяцев назад +3

    Hey, love these videos! Can you make one about the RCE exploit that shut down the servers of all Souls games developed by Fromsoftware?

    • @ehwiwh7358
      @ehwiwh7358 8 месяцев назад

      It's super interesting because if the exploit hadn't been reported responsibly, it could have been used on Elden Ring, one of the biggest games of all time, on hundreds of thousands of people simultaneously. It could have been one of the worst exploits in gaming

    • @ehwiwh7358
      @ehwiwh7358 8 месяцев назад

It did not even require a P2P connection, as it exploited the game's servers. Tremwil wrote a great explanation on GitHub.

    • @ehwiwh7358
      @ehwiwh7358 8 месяцев назад

      Even players sitting on the main menu were affected!
      (sorry I had to type the comment like this, YT kept deleting it over and over again. Might need to "sort by new" to see it all)

  • @toms7114
    @toms7114 9 месяцев назад

    This is one of the reasons I say you should never use wildcards in any regex in code, and anyone who does or suggests it should be fired immediately.

  • @RealBenAnderson
    @RealBenAnderson 4 месяца назад

    “In the early days of the Internet, browsers used a single program instance that was shared by all browser tabs…”
    Bro some of us remember when tabs didn’t even exist yet 😂

  • @mono_si
    @mono_si 9 месяцев назад +1

    What are those background videos? The strange geometry is very nice, where can I find them?

    • @DanielBoctor
      @DanielBoctor  9 месяцев назад +2

      They actually come from a collection of "Visualising AI" animations from Google DeepMind. They are quite incredible indeed. Here is the source if you want to check it out!
      deepmind.google/discover/visualising-ai/

    • @mono_si
      @mono_si 8 месяцев назад

      @@DanielBoctor thanks!

  • @__nemesis__1571
    @__nemesis__1571 9 месяцев назад +2

the least disastrous "accident" Microsoft ever did

  • @doktork3406
    @doktork3406 9 месяцев назад +1

    Just 150K for this? Turn to crime people... the TRILLION dollar company paid literally nothing for this

    • @motoryzen
      @motoryzen 9 месяцев назад

While I sincerely, playfully, in a George Carlin manner, agree and empathize with your overall point.... You seem to forget that microcrap paid that amount of money long before they became a trillion dollar company.
Thus, at first it did cost them a decent chunk, but not a business- or life-threatening chunk, if that makes any sense.

  • @Bair994
    @Bair994 9 месяцев назад +4

LOL, anonymity online? Did you read their privacy policy? It's horrendous; they basically get any data to send to any third-party service whenever they want. What a joke. I'd expect a company that has that much control over your files not to be so hard and loose with data. How can you recommend using that?

  • @georgeh6856
    @georgeh6856 9 месяцев назад +2

    I wonder why the Teams main process would have unlimited access to system calls. I would think it should run in a more limited mode, i.e. not as administrator. Using one of the examples in the video, I cannot think of any reason why the Teams main process should ever be allowed to shutdown the computer. Restricting the Teams main process to be limited would by no means be a cure-all. However, it would help to limit possible damage when bugs like this are exploited.

    • @serviteccompletojimenez8995
      @serviteccompletojimenez8995 9 месяцев назад +1

      Man it's Microsoft, it's invasive!

    • @Sammysapphira
      @Sammysapphira 9 месяцев назад

      Idk if you know but every single application can run "system calls". It's how it runs to begin with.

    • @georgeh6856
      @georgeh6856 9 месяцев назад

@@Sammysapphira There are different privileges. Some of the most basic privileges allow programs to allocate memory or write files. More sensitive privileges allow a program to make changes to the registry or shut down the computer. So, yes, every program which runs must be allowed to do basic system calls like allocating memory. However, not all system calls are treated the same. Some system calls which can do more destructive things when used improperly are only allowed with the least restricted accounts (like Admin) or groups. That is how security models work. Not all system calls are or should ever be allowed for all programs.

  • @coladict
    @coladict 8 месяцев назад

    Using third-party libraries like that and hoping they don't have major vulnerabilities is unavoidable. It's how pretty much the entire Java ecosystem got hacked by Log4J having LDAP parsing enabled by default.

  • @aaronv4802
    @aaronv4802 9 месяцев назад +10

    All because someone thought JS on the server side was a good idea.

  • @Jone952
    @Jone952 7 месяцев назад +2

    Allowlist?

  • @vicitacious
    @vicitacious 9 месяцев назад +2

What a processsss to pull thisss one off

  • @jonr6680
    @jonr6680 8 месяцев назад +1

    Saw a bunch of ignorant comments bitching about the voiceover diction. To those people, get over yourself - I bet you ain't so pretty.
    Actually the presentation was perfectly understandable, pleasant & engaging. As good as any TED talk speaker.

    • @DanielBoctor
      @DanielBoctor  8 месяцев назад +2

      Thank you for this. I'm still new to making videos, and I get pretty nervous when I record myself. Thank you for the support ❤️

  • @RandomGeometryDashStuff
    @RandomGeometryDashStuff 9 месяцев назад +1

    06:29 is "malicious" separate class because there is space before?

    • @DanielBoctor
      @DanielBoctor  9 месяцев назад +7

Just to be clear, there is only a single class here, "swift-*", as perceived by Teams.
What we're doing is piggybacking the ng-init directive onto the swift-* class. The Teams sanitization library, sanitize-html, allows this, as it only sees a single class that conforms to the allow-list. The "ng-init: malicious" is NOT its own class as perceived by Teams' sanitization library sanitize-html, but WILL be recognized by Angular's own parsing engine.
To answer your question, no, the space before the malicious expression is not needed. From Angular's perspective, the only thing required is the semicolon, as its RegEx uses a semicolon as a delimiter. In short, the space is not necessary, but the semicolon is.
Hopefully this helps!
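As an added illustration of the point in this reply (not the video's, Teams', sanitize-html's or AngularJS's code; the glob-to-regex check and the semicolon-splitting are simplified models, and the class strings are constructed): an allow-list that turns `swift-*` into `^swift-.*$` accepts one token that carries a semicolon-separated directive, while a check that first requires every token to be a plain CSS identifier rejects it.

```javascript
// Added example, not code from the video or from Teams. The class-attribute
// values below are constructed; the checks model the reply's explanation only.

// Naive glob-to-regex conversion: "*" becomes ".*", which matches any
// characters, including ";", ":" and spaces.
function globToRegex(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Weak check (assumed model of the behaviour described in the reply): the
// whole attribute is treated as one class token and matched against the glob,
// so "swift-x;ng-init: malicious" passes as a single "swift-*" class.
function weakAllowed(classAttr, glob) {
  return globToRegex(glob).test(classAttr);
}

// Hardened check: split the attribute into whitespace-separated tokens,
// require each token to be a plain CSS identifier (no ";", ":" or spaces),
// and only then compare it with the allow-list glob.
const CSS_IDENT = /^-?[A-Za-z_][A-Za-z0-9_-]*$/;
function hardenedAllowed(classAttr, glob) {
  const re = globToRegex(glob);
  const tokens = classAttr.trim().split(/\s+/).filter(Boolean);
  return tokens.length > 0 && tokens.every(t => CSS_IDENT.test(t) && re.test(t));
}

// Model of a template engine that uses ";" as a delimiter inside the class
// value and reads "name: expression" after it (constructed to mirror the
// reply, not AngularJS's actual parser). Returns the directive names it
// would see, which is what the sanitizer never looked for.
function directivesSeenByTemplateEngine(classAttr) {
  return classAttr
    .split(";")
    .slice(1)
    .map(s => s.trim().split(":")[0].trim())
    .filter(Boolean);
}
```

The useful property to assert in a sanitizer test is that whatever the allow-list accepts contains nothing the downstream template engine would parse as a directive.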

  • @SgtStarSlayer
    @SgtStarSlayer 9 месяцев назад

Not surprised, Microsoft has been doing this since the earliest iteration of Windows.

  • @graxxon
    @graxxon 5 месяцев назад

    In 2014, Microsoft fired its internal testing team, and since then this has been reflected in the quality, because we normal users do the testing. Windows has become quite a disaster, security holes everywhere.

  • @KristianKumpula
    @KristianKumpula 7 месяцев назад

0:20 Why did you put slashes instead of hyphens into that command?

  • @owlmostdead9492
    @owlmostdead9492 9 месяцев назад +13

If you write any client-side app with its backend in JavaScript, you deserve every CVE you will inevitably suffer from.

  • @YeloPartyHat
    @YeloPartyHat 9 месяцев назад

The price tag attached, and knowing now that it is one of the highest bounties, is sad. I am very surprised how poorly this pays.

  • @sdwone
    @sdwone 9 месяцев назад +3

The more complex our apps get, the larger the attack surface becomes... And it's getting more and more complicated, each and every day!

  • @browntigerus
    @browntigerus 9 месяцев назад +3

Sounds easy, but I bet it took him a bit of time to figure out each step. (1) was just terribly sloppy coding: allow=swift-* and not checking what * really is, esp. ';' - terrible. (2) not checking what classes are exported, e.g. ipc* - just horrid. (3) contextapi allowed - wrong. (4) completely unrestricted process - bad bad bad. Terrible, Microsoft.

  • @chrismoritz6706
    @chrismoritz6706 9 месяцев назад +2

    Using Frameworks is always a risk. Better write independent, but clients don't give you time and money to do so.

    • @chriss3404
      @chriss3404 9 месяцев назад +3

      Eh, that's a risk too. You might close yourself off to a widespread framework bug, but make an even more common web security blunder.
      Picking the right tool for the job is important and if a well maintained framework GENUINELY helps you reduce complexity, it can often be a better option.
      Using a framework for a simple static site though? Something simple? Def go with vanilla web tech, maybe a few libraries for complex tasks, polyfills, and styles.

  • @solovoypasando
    @solovoypasando 9 месяцев назад +1

    Very nicely explained

  • @tacticalassaultanteater9678
    @tacticalassaultanteater9678 9 месяцев назад

    I would simply not compile chat messages as an Angular template, because the template compiler is designed with trusted input in mind.

  • @justlisten6479
    @justlisten6479 4 месяца назад +1

    What video editing program do you use?

    • @DanielBoctor
      @DanielBoctor  4 месяца назад +1

@@justlisten6479 DaVinci Resolve

    • @justlisten6479
      @justlisten6479 4 месяца назад +1

      @@DanielBoctor where can I find templates like these that you are using please?

    • @DanielBoctor
      @DanielBoctor  4 месяца назад +1

      @@justlisten6479 I don't use any templates. I created everything myself.

  • @MehranGhamaty
    @MehranGhamaty 8 месяцев назад

Perfect example of why I know having a dedicated language for the front-end and the server process is ideal.
Why are people making this more complex than needed?

  • @SimX9000
    @SimX9000 8 месяцев назад +1

    Really well done video

  • @JulianSloman
    @JulianSloman 8 месяцев назад

    150k is a steal for such a privilege escalation on such a rich user base!

  • @jonr6680
    @jonr6680 8 месяцев назад

    Fascinating and terrifying, but this is 'just' talented humans discovering the exploit...
    Imagine AI explicitly tasked with taking down any software, any system. THIS is the future, and you can bet there are institutional players in certain countries doing exactly that.

  • @patrickprafke4894
    @patrickprafke4894 7 месяцев назад

If you think for a second that every OS doesn't have back doors to the parent company or the government, you're special.

  • @IllidanS4
    @IllidanS4 9 месяцев назад

    Perfectly explained and very interesting! The pronunciation of "processes" is quite jarring though.

  • @Dane-dv1ik
    @Dane-dv1ik 9 месяцев назад

These bugs seem deliberate

  • @derzsidaniel7656
    @derzsidaniel7656 8 месяцев назад

    The multiprocess browser model was invented by Firefox through the e10s project, not Chrome

  • @DummyFace123
    @DummyFace123 7 месяцев назад

Teams: runs on Electron, but feels like it's running on Java

  • @havefun123for
    @havefun123for Месяц назад

That's a crazy low bounty. Teams is heavily used in secure defense environments thanks to Microsoft's GovCloud (basically a carbon copy of the normal Azure cloud staffed only by Americans; it's the only cloud provider that is allowed to store certain types of confidential government information).
    The damage this could have done is insane.

  • @TibinThomas1993
    @TibinThomas1993 9 месяцев назад

@5:55 the screenshot you are showing is wrong. It's of Angular, not of AngularJS.

  • @iakleon
    @iakleon 7 месяцев назад

It doesn't surprise me that Teams was the weak link. Shortly before the vulnerability was found, a Teams crash corrupted my user data to the point that I had to reinstall Windows.

  • @Derekzparty
    @Derekzparty 8 месяцев назад

    One of my first uses of psexec was remotely opening calculator on a coworker's desktop!

  • @anywhereroam9698
    @anywhereroam9698 9 месяцев назад +2

    How is this a backdoor? This app had vulnerabilities and the bug bounty hunter found them and exploited them. Vulns, exploits, and backdoors are different things.
    Clickbait title ruins an otherwise good video.