Blog: Vulnerability Advisory

You can’t stop me. MS Teams session hijacking and bypass

Jan Masters 20 Sep 2020

How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user.

TL;DR

Microsoft Teams stores unencrypted session tokens and cached conversations in users’ roaming AppData, which can be used by an attacker to gain access to the victim’s Teams account without having to authenticate or contend with potential conditional access policies.

This is a design choice by Microsoft as the folder is located in \AppData\Roaming\, which is a folder designed to be synchronised with folder redirection and similar technologies for user convenience. Imagine the frustration IT departments would be faced with if their Citrix users had to log into Teams every single morning. You can almost hear the angry mob with torches and pitchforks.

We leveraged this on a client engagement when I compromised a central file server, which held users’ roaming AppData.

Figure 1 – Compromised file server

 

Before I kick off, credit where credit is due. Vectra’s research into the Teams cleartext auth token issue first broke via BleepingComputer, and covers the ins-and-outs of Microsoft’s (soon to be sunsetted) Electron framework. This blog will cover this topic from a different perspective with more of an emphasis on exploitation and it’s potential use cases.

Introduction

Microsoft Teams stores a multitude of files within the following file path C:\Users\UserNameHere\AppData\Roaming\Microsoft\Teams, which includes configuration files, preferences, log files, application related files, and cleartext session tokens within an SQLite file.

Figure 2 – Sample content from Cookies database

 

The cookie sqlite database contains the following cookies:

Host Cookie
.asm.skype.com platformid_asm
.asm.skype.com skypetoken_asm
.asyncgw.teams.microsoft.com platformid_asm
.asyncgw.teams.microsoft.com skypetoken_asm
.bing.com MUID
.c.bing.com SRM_B
.login.microsoftonline.com CCState
.login.microsoftonline.com ESTSAUTHPERSISTENT
.login.microsoftonline.com ch
.office.com MUID
.officeapps.live.com timeZoneId
.tasks.office.com PlannerWebSessionId
.teams.microsoft.com SSOAUTHCOOKIE
.teams.microsoft.com authtoken
.teams.microsoft.com clienttype
.teams.microsoft.com platformid_asm
.teams.microsoft.com skypetoken_asm
.teams.microsoft.com tenantId
.youtube.com CONSENT
.youtube.com VISITOR_INFO1_LIVE
apps.powerapps.com PACookieRolloutBucketProd
forms.office.com MSFPC
login.microsoftonline.com SSOCOOKIEPULLED
login.microsoftonline.com buid
login.microsoftonline.com fpc
outlook.office.com MicrosoftApplicationsTelemetryDeviceId
outlook.office.com MicrosoftApplicationsTelemetryFirstLaunchTime
pentestpartners.sharepoint.com MicrosoftApplicationsTelemetryDeviceId
pentestpartners.sharepoint.com MicrosoftApplicationsTelemetryFirstLaunchTime
s02-emea.prd.attend.teams.microsoft.com MicrosoftApplicationsTelemetryDeviceId
s02-emea.prd.attend.teams.microsoft.com MicrosoftApplicationsTelemetryFirstLaunchTime
s03-emea.prd.attend.teams.microsoft.com MicrosoftApplicationsTelemetryDeviceId
s03-emea.prd.attend.teams.microsoft.com MicrosoftApplicationsTelemetryFirstLaunchTime
shared.officeapps.live.com DcLcid
tasks.teams.microsoft.com ai_user
tasks.teams.microsoft.com MicrosoftApplicationsTelemetryDeviceId
tasks.teams.microsoft.com MicrosoftApplicationsTelemetryFirstLaunchTime
teams.microsoft.com TSREGIONCOOKIE
teams.microsoft.com storedTheme
teams.microsoft.com deviceId
teams.microsoft.com firstTimeLaunch
teams.microsoft.com MUIDB
teams.microsoft.com clocale
teams.microsoft.com ringFinder
teams.microsoft.com minimumVersionClientUpdateTries
ukc-excel.officeapps.live.com DcLcid
ukc-excel.officeapps.live.com ExcelIsPreviousSessionSimplifiedRibbonOn
ukc-excel.officeapps.live.com PageLoadSkeletonState
ukc-word-edit.officeapps.live.com DcLcid
ukc-word-edit.officeapps.live.com MicrosoftApplicationsTelemetryDeviceId
ukc-word-edit.officeapps.live.com MicrosoftApplicationsTelemetryFirstLaunchTime

 

Secure and common standards stipulate that all sensitive files, especially credentials, are encrypted to reduce the threat and likelihood of session hijacking via plaintext viewing.

Technically, using Teams with Edge or any Chromium-based browsers is a stronger choice as they encrypt cookie storage by default. However, Teams cannot encrypt its cookie database file as it needs to follow users around different devices.

Exploitation

Exploitation is simple and does not require the use of any special tools, such as Mimikatz  to extract cached credentials from memory. Copy and paste will do, which has the advantage of not alerting anti-virus software.

The following steps summarise the chain of exploitation:

  • Extract the contents of C:\Users\UserNameHere\AppData\Roaming\Microsoft\Teams.
    • You can optimise this by only copying the necessary files:
      • IndexDB
      • Local Storage
      • Session Storage
      • Cookies
      • Cookies-journal
      • desktop-config.json
      • json
      • Preferences
      • QuotaManager
      • QuotaManager-journal
      • json
      • json
      • json
      • TransportSecurity
    • This optimisation reduces the size from ~2 GB to 43.5 MB in my case
  • Spin up a virtual machine with Teams installed.
  • Replace your \Microsoft\Teams folder with the victim’s.
  • Open Teams.

Congratulations! You now have access to their Teams account for you to search for juicy content or you could leverage this to socially engineer staff into doing your dirty work. Why should I waste computing power attempting to capture and/or crack hashed passwords when I can review internal communications to find credentials, or I could just ask the right people as you.

The remarkable thing about session tokens is that you have already authenticated and satisfied any requirements such as multi-factor authentication, coming from a trusted geolocation or IP address; conditional access policies will not save you. Anti-virus software will not save you.

Figure 3 – authenticated Teams session whilst PowerPoint is unauthenticated.

Snooping. Cached conversations

Teams also caches conversations, both direct messages and channel communications using Google’s LevelDB database structure, which stores .ldb files that can either be parsed or read as is. An attacker with access to multiple users Teams folder could leverage their access to mass parse these files to identify sensitive data such as internal communications and passwords.

Alex Bilz has researched Microsoft Teams from a forensics perspective and has developed tooling to parse these files; you can read more about his thesis work here https://www.alexbilz.com/post/2021-09-09-forensic-artifacts-microsoft-teams/.

Figure 4 – Goodbye Tom!

Conclusion

Unfortunately you cannot mitigate this threat and I don’t believe it will be fixed by Microsoft… The only thing you can do is implement monitoring and alerting for the following file paths:

  • Windows: %AppData%\Microsoft\Teams\
  • MacOS: /Library/Application Support/Microsoft/Teams/
  • Linux: /.config/Microsoft/Microsoft Teams/

It should be noted that access logs within Azure AD do not provide any information as stolen tokens are not subjected to authentication.