Talos Vulnerability Report

TALOS-2024-1990

Microsoft Teams (work or school) for macOS WebView.app helper app library injection vulnerability

August 19, 2024
CVE Number

CVE-2024-41145

SUMMARY

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams’s access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application’s permissions.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Microsoft Teams (work or school) 24046.2812.2722.8193 for macOS

PRODUCT URLS

Teams (work or school) - https://www.microsoft.com/en/microsoft-teams

CVSSv3 SCORE

7.1 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

DETAILS

Microsoft Teams is a comprehensive collaboration platform within the Microsoft 365 suite, designed to facilitate workplace communication, video conferencing, file sharing, and integration with other Office applications.

The Microsoft Teams WebView.app helper app of Microsoft Teams (work or school), hereafter WebView, links against a single library, and by absolute path:

$ otool -L "/Applications/Microsoft Teams (work or school).app/Contents/Helpers/Microsoft Teams WebView.app/Contents/MacOS/Microsoft Teams WebView"
/Applications/Microsoft Teams (work or school).app/Contents/Helpers/Microsoft Teams WebView.app/Contents/MacOS/Microsoft Teams WebView:
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1336.0.0)

WebView is signed with the following entitlements:

$ codesign -dv --entitlements -  "/Applications/Microsoft Teams (work or school).app/Contents/Helpers/Microsoft Teams WebView.app"
Executable=/Applications/Microsoft Teams (work or school).app/Contents/Helpers/Microsoft Teams WebView.app/Contents/MacOS/Microsoft Teams WebView
Identifier=com.microsoft.teams2.helper
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1735 flags=0x10000(runtime) hashes=43+7 location=embedded
Signature size=9013
Timestamp=29 Mar 2024 at 05:04:17
Info.plist entries=37
TeamIdentifier=UBF8T346G9
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=88
Internal requirements count=1 size=188
[Dict]
    [Key] com.apple.security.cs.allow-jit
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.personal-information.location
    [Value]
        [Bool] true

The program is signed with the Hardened Runtime enabled (the runtime flag on the CodeDirectory above), a security feature which aims, among other things, to prevent dynamically linked library hijacking by refusing to load libraries that are not signed by Apple or by the same Team ID as the executable.
However, the program also carries this specific entitlement:

[Key] com.apple.security.cs.disable-library-validation
[Value]
    [Bool] true

With this entitlement enabled, the Hardened Runtime's protection against library hijacking is effectively nullified: dyld will load libraries that are unsigned or signed by a different Team ID. This is an issue because a malicious application could leverage WebView's permissions without proper authorization. In this specific case, even though the entitlement is active, the binary has no exploitable relative imports: its only load command points at /usr/lib/libSystem.B.dylib by absolute path, so there is no @rpath- or @executable_path-relative library to replace. However, WebView loads a further library at runtime via dlopen:
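As an added example (not part of the Talos report and not Microsoft's code), the following Python script parses a codesign dump like the one shown above and flags the combination that matters here: the runtime flag set in the CodeDirectory together with com.apple.security.cs.disable-library-validation. The embedded sample is the page's own dump with the header abridged; the parser assumes the [Dict]/[Key]/[Value] entitlement layout printed by current macOS versions and does not handle the XML plist layout of older releases. The entitlement names are real; the one-line explanations attached to them are this example's wording.

```python
import re
import sys

# Hardened Runtime entitlements that weaken what the runtime flag is meant to guarantee.
# Keys are the real entitlement names; the explanations are this example's own wording.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "library validation off: code signed by another Team ID, or unsigned, can be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* variables such as DYLD_INSERT_LIBRARIES are honoured",
    "com.apple.security.cs.allow-jit":
        "writable and executable (MAP_JIT) memory is permitted",
}
CS_RUNTIME = 0x10000  # CodeDirectory flag bit: the binary opted into the Hardened Runtime


def parse_codesign_output(text):
    """Split a `codesign -dv --entitlements -` dump into header fields and entitlements.
    Assumes the [Dict]/[Key]/[Value] layout printed by current macOS (as on this page);
    the XML plist layout of older releases is not handled."""
    header, entitlements = {}, {}
    key, array_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"\[Key\]\s+(\S+)", line)
        if m:                      # start of a new entitlement
            key, array_key = m.group(1), None
            continue
        if line == "[Array]" and key is not None:
            entitlements[key], array_key = [], key
            continue
        m = re.match(r"\[(Bool|String|Int)\]\s*(.*)", line)
        if m:                      # scalar value, or one element of the current array
            typ, val = m.groups()
            val = (val == "true") if typ == "Bool" else int(val) if typ == "Int" else val
            if array_key is not None:
                entitlements[array_key].append(val)
            elif key is not None:
                entitlements[key] = val
            continue
        if not line.startswith("[") and "=" in line:   # header line such as Identifier=...
            k, _, v = line.partition("=")
            header[k.strip()] = v.strip()
    return header, entitlements


def code_directory_flags(text):
    """Numeric CodeDirectory flags, e.g. 0x10000 from 'flags=0x10000(runtime)'."""
    m = re.search(r"flags=0x([0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else 0


def assess(text):
    """Summarise one codesign dump the way a library-injection audit needs it."""
    header, ents = parse_codesign_output(text)
    hardened = bool(code_directory_flags(text) & CS_RUNTIME)
    lib_val_off = ents.get("com.apple.security.cs.disable-library-validation") is True
    findings = [f"{name}: {why}" for name, why in RISKY_ENTITLEMENTS.items()
                if ents.get(name) is True]
    if hardened and lib_val_off:
        verdict = "Hardened Runtime, but library validation disabled: dlopen()/imports accept foreign code"
    else:
        verdict = "Hardened Runtime with library validation" if hardened else "no Hardened Runtime"
    return {"identifier": header.get("Identifier"), "team_id": header.get("TeamIdentifier"),
            "hardened_runtime": hardened, "library_validation_disabled": lib_val_off,
            "findings": findings, "verdict": verdict}


# The codesign dump shown earlier on this page (header abridged), embedded so the script runs offline.
SAMPLE_CODESIGN_OUTPUT = """\
Identifier=com.microsoft.teams2.helper
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1735 flags=0x10000(runtime) hashes=43+7 location=embedded
TeamIdentifier=UBF8T346G9
Runtime Version=14.0.0
[Dict]
    [Key] com.apple.security.cs.allow-jit
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.personal-information.location
    [Value]
        [Bool] true
"""

if __name__ == "__main__":
    # codesign writes to stderr, so pipe it in with 2>&1; with no piped input the page's sample is used.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for k, v in assess(data or SAMPLE_CODESIGN_OUTPUT).items():
        print(f"{k}: {v}")
```

Run it against any bundle with `codesign -dv --entitlements - "/path/to/Some.app" 2>&1 | python3 entitlement_audit.py`; the interesting result is a helper that is hardened and still lists disable-library-validation, since that is the state in which a relative import or a dlopen of a runtime-computed path will happily load foreign code.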

void _main(int32_t arg1, int64_t arg2) 
{
    [...]
    uint64_t path_length = 0;
    [...]
    if (__NSGetExecutablePath(0, &path_length) != 0xffffffff)
    {
        [...]
    }
    else
    {
        int64_t new_ptr = wrapper_simil_malloc(((uint64_t)path_length));
        if (__NSGetExecutablePath(new_ptr, &path_length) == 0)
        {
            int64_t likely_executable_path = _dirname(new_ptr);
            char const* const rdi_12;
            if (likely_executable_path == 0)
            {
                _strerror(((uint64_t)*(uint32_t*)___error()));
                rdi_12 = "dirname %s: %s.";
            }
            else
            {
                int64_t executable_path_length = (_strlen(likely_executable_path) + 0x63);
                int64_t edge_framework_path = wrapper_simil_malloc(executable_path_length);
                /* the library path is derived from the executable's own directory at runtime */
                _snprintf(edge_framework_path, executable_path_length, "%s/%s", likely_executable_path, "../Frameworks/Microsoft Edge Framework.framework/Versions/122.0.2365.103/Microsoft Edge Framework");
                /* 0x105 = RTLD_LAZY | RTLD_LOCAL | RTLD_FIRST */
                int64_t edge_framework_handler = _dlopen(edge_framework_path, 0x105);
                if (edge_framework_handler != 0)
                {
                    /* control is handed to whatever library was just loaded */
                    int64_t ChromeMain_func = _dlsym(edge_framework_handler, "ChromeMain");
                    if (ChromeMain_func == 0)
                    {
                        [...]
                    }
                    _exit(ChromeMain_func(((uint64_t)arg1), arg2));
                    /* no return */
                }
                [...]
            }
            [...]
        }
        [...]
    }
    [...]
}

Essentially, the code above takes the directory of the running executable (dirname of the path returned by _NSGetExecutablePath), appends ../Frameworks/Microsoft Edge Framework.framework/Versions/122.0.2365.103/Microsoft Edge Framework, passes the result to dlopen with mode 0x105 (RTLD_LAZY | RTLD_LOCAL | RTLD_FIRST) and then calls the ChromeMain symbol resolved with dlsym. Because the library is located relative to the executable at runtime and library validation is disabled, the behaviour is equivalent to a relative import: whatever Mach-O sits at that path is loaded and its ChromeMain is executed, regardless of who signed it. This opens the possibility for library injection.
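To make the path arithmetic concrete, the following Python (an added example, not the advisory's or Microsoft's code) recreates the string the helper hands to dlopen, decodes the 0x105 mode argument with the RTLD_* bit values from the macOS dlfcn.h header, and reports whether the current user could write a library where a given copy of the helper would load it. The bundle layout it creates under a temporary directory is a constructed fixture with empty files, not the real Teams bundle; it exists only so the check has something to run against offline.

```python
import os
import tempfile

# dlopen(3) mode bits from the macOS <dlfcn.h>, to decode the 0x105 seen in the decompiled call.
DLOPEN_MODE_BITS = {
    0x1: "RTLD_LAZY", 0x2: "RTLD_NOW", 0x4: "RTLD_LOCAL", 0x8: "RTLD_GLOBAL",
    0x10: "RTLD_NOLOAD", 0x80: "RTLD_NODELETE", 0x100: "RTLD_FIRST",
}

# The relative path the helper appends to dirname(executable), taken from the snprintf call above.
EDGE_FRAMEWORK_REL = ("../Frameworks/Microsoft Edge Framework.framework/"
                      "Versions/122.0.2365.103/Microsoft Edge Framework")


def decode_dlopen_mode(mode):
    """Name the RTLD_* bits set in a dlopen mode value."""
    return [name for bit, name in sorted(DLOPEN_MODE_BITS.items()) if mode & bit]


def framework_path_for(executable_path):
    """Recreate the string the helper passes to dlopen (snprintf "%s/%s" of dirname(exe) and
    EDGE_FRAMEWORK_REL) and its normalised form. dlopen gets the raw string; the kernel
    resolves the embedded '..' to the same file normpath shows."""
    raw = os.path.dirname(executable_path) + "/" + EDGE_FRAMEWORK_REL
    return raw, os.path.normpath(raw)


def injection_exposure(executable_path):
    """Report whether the current user could place a library where this copy of the helper
    will dlopen it. The lookup follows the executable's location, and with library
    validation disabled whatever Mach-O is found there is loaded, so the only question
    is who can write to that location."""
    raw, target = framework_path_for(executable_path)
    if os.path.exists(target):
        # Existing library: overwrite it in place, or swap it through a writable parent directory.
        decisive = target
        can_plant = os.access(target, os.W_OK) or os.access(os.path.dirname(target), os.W_OK)
    else:
        # Missing library: the deepest existing ancestor decides whether the path can be created.
        decisive = os.path.dirname(target)
        while not os.path.exists(decisive):
            decisive = os.path.dirname(decisive)
        can_plant = os.access(decisive, os.W_OK)
    return {"dlopen_path": raw, "resolved": target, "exists": os.path.exists(target),
            "decisive_path": decisive, "user_can_plant": can_plant}


def build_mock_bundle(root):
    """Constructed fixture: a minimal helper-app layout with an empty executable and an
    empty 'framework' at the path the helper would open. Not the real Teams bundle."""
    macos_dir = os.path.join(root, "Microsoft Teams WebView.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    exe = os.path.join(macos_dir, "Microsoft Teams WebView")
    open(exe, "wb").close()
    _, framework = framework_path_for(exe)
    os.makedirs(os.path.dirname(framework))
    open(framework, "wb").close()
    return exe


def demo(root=None):
    """Build the fixture in a temporary directory and assess two helper locations:
    one whose framework exists and one whose framework path is entirely missing."""
    root = root or tempfile.mkdtemp(prefix="webview-dlopen-demo-")
    exe = build_mock_bundle(root)
    absent_exe = os.path.join(root, "Other.app", "Contents", "MacOS", "Other")
    return {"root": root, "exe": exe,
            "present": injection_exposure(exe),
            "absent": injection_exposure(absent_exe)}


if __name__ == "__main__":
    print("dlopen mode 0x105 =", " | ".join(decode_dlopen_mode(0x105)))
    report = demo()
    for label in ("present", "absent"):
        r = report[label]
        print(f"{label}: {r['resolved']}\n  exists={r['exists']} "
              f"decisive={r['decisive_path']} user_can_plant={r['user_can_plant']}")
```

The point the check makes is that nothing in the helper pins the framework to a trusted location: the path is computed from wherever the executable happens to be, so the answer to "can this user plant a library here" is a property of the directory the helper is launched from, and library validation, which would otherwise reject a foreign signer, has been switched off by entitlement.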

Even though the helper app has fewer entitlements than the main Microsoft Teams app, it can still request the audio recording permission, because that permission is inherited from the main app. If Microsoft Teams has not already been granted it, the request appears to the user as coming directly from Microsoft Teams, not from the helper app.

Because the com.apple.security.cs.disable-library-validation entitlement is set to true, a malicious application could perform a library injection into Microsoft Teams WebView.app without any special permission, and then make use of the permissions granted to Microsoft Teams.

VENDOR RESPONSE

Microsoft fixed this issue in version 24124.1412.2911.3341.

TIMELINE

2024-05-13 - Vendor Disclosure
2024-06-07 - Vendor Patch Release
2024-08-19 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.