Listing 1 – Microsoft Teams Updater launchd file

% sudo plutil -convert xml1 /Library/LaunchDaemons/.plist -o -
Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon

It contains a Mach service name, with the executable path /Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon. This is a highly unusual location, as similar services are normally installed under the /Library/PrivilegedHelperTools/ directory.

If we open this binary file with Hopper (or any other disassembler), we can start our investigation with the shouldAcceptNewConnection: method. This method is normally responsible for controlling connection access to the XPC service.

Listing 4 – Code signature of “Microsoft Teams.app”

% codesign -dv --entitlements :- /Applications/Microsoft\ Teams.app
Executable=/Applications/Microsoft Teams.app/Contents/MacOS/Teams
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=383 flags=0x10000(runtime) hashes=3+5 location=embedded
Sealed Resources version=2 rules=13 files=128
com.
com.-events
com.allow-unsigned-executable-memory
com.disable-library-validation
com.disable-executable-page-protection

Even if audit_token is used, the MS Teams application is vulnerable to a dylib proxying attack because the .disable-library-validation entitlement is set to true.

Listing 5 – Dylibs in “Microsoft Teams.app”

Applications/Microsoft Teams.app/Contents/Frameworks/Electron amework/Versions/A/Libraries/libffmpeg.dylib
Applications/Microsoft Teams.app/Contents/Resources//node_modules/slimcore/bin/libRtmMediaStack.dylib
Applications/Microsoft Teams.app/Contents/Resources//node_modules/slimcore/bin/libssScreenVVS2.dylib
Applications/Microsoft Teams.app/Contents/Resources//node_modules/slimcore/bin/libRtmControl.dylib
Applications/Microsoft Teams.app/Contents/Resources//node_modules/slimcore/bin/libskypert.dylib

We can see that there are a number of dylibs in the app’s folder that are candidates for hijacking. This would allow us to inject a dylib into the application, and impersonate it when connecting to the XPC service.

Although the app’s folder is only writable by the root user, and we can’t replace any dylib inside, a malicious actor can still copy it to another location (e.g. /tmp/) and inject into the copied application.

Now that we’ve found various ways to talk to the service, we need to check if the XPC service offers any functionality that can be abused.