Microsoft Teams macOS Installer Local Privilege Escalation

Local Privilege Escalation via teams_osx.pkg

In the latest installation package for Teams for macOS provided by Microsoft (Teams_osx.pkg), the "postinstall" script included in the installer allows for privilege escalation from a normal user to root due to improper permissions on files used throughout the installation process.

During the installation process for Teams, the application contents are moved to "/Applications" as normal. The "postinstall" script creates a LaunchDaemon that points to the TeamsUpdaterDaemon application ("/Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon"), which will run with root permissions. The issue here is that if a local attacker is able to create the "/Applications/Microsoft Teams" directory tree prior to installation, they can overwrite the TeamsUpdaterDaemon application with their own custom payload, which will be run as a LaunchDaemon, and thus give the attacker root permissions.

For example:

# Prep Steps Before Installing
/tmp ❯❯❯ mkdir -p "/Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/"

# Just before install, just have this running. inelegant, but it works.

# Payload can be whatever. It won't spawn a GUI, though, so a custom dropper or other application would be necessary
/tmp ❯❯❯ while true; do
ln -f -F -s /tmp/payload "/Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon"
done

# Run installer. Wait.

The above simply creates a symlink to an arbitrary payload at the file path used in the postinstall script to create the LaunchDaemon. In order to fix this issue, we recommend verifying the integrity of the TeamsUpdaterDaemon prior to creating the LaunchDaemon entry, or using the preinstall script to verify permissions on the "/Applications/Microsoft Teams".