Microsoft Teams and other Electron Apps as LOLbins

While studying AppLocker in recent months, I’ve had the opportunity to delve into the world of Living-off-the-land Binaries (LOLbins), particularly those which are useful as Application Whitelisting Bypass tools.

Windows LOLbins are catalogued in several places, not least of which is the LOLBAS project (https://github.com/LOLBAS-Project/LOLBAS). This project provides a comprehensive definition of what kind of binaries make the cut. In particular, they must be Microsoft-signed and contain “unexpected” functionality that may be of use to a Red Team.

Having looked into the security of Electron apps a while back and kept tabs on it since then, it did not surprise me that the Squirrel Updater (Update.exe) was included in that list. However, what did surprise me was that no Electron applications are included — in particular, Microsoft Teams.

What I describe here is, of course, applicable to Electron applications in general. However, as certain LOLbin criteria narrow the definition to only Microsoft-signed executables, I will pay particular attention to Teams.

An application written using the Electron framework is essentially written in JavaScript. Electron provides an embedded Node.js framework which is used to execute the application code, and an embedded Chromium browser for the UI.

If we look at a typical installation of Teams, we will find that it is installed in:

%LOCALAPPDATA%\Microsoft\Teams\current 

Inside this directory, we find the executable Teams.exe. This executable has an icon featuring the Teams logo, its Product Information identifies it as Teams with a specific version, and its signature declares its publisher to be Microsoft. However, the content of the executable is the same as that of all other Electron apps — it is just the Electron framework repackaged to look like the application.

Looking deeper, we find a “resources” directory, which contains a file named “app.asar”. ASAR is a simple archive format designed for Electron — similar to a tar file. This archive is where the real application code lies — JavaScript, HTML and so forth. Critically, this file is not signed (indeed, there is currently no standard signature scheme for this format).

AWL Bypass #1: Replace app.asar

The first technique involves overwriting the app.asar file with one that contains the code that we wish to execute. Assuming that Node / NPM is not available on the target device, the initial steps would need to be performed on a separate machine.

1. Prepare a script file

For the purposes of this demonstration, we will name the script file “main.js”, and populate it with a one-liner which will launch the calculator:

require('child_process').spawn('calc.exe');

2. Prepare a package.json file

The package.json file should have the following content:

{ "main" : "main.js" }

3. Package the two files in an ASAR file

If Node.js is installed on the machine, and the two files are located in a directory “app-dir”, then this may be done using the npx tool:

npx asar p app-dir app.asar

4. Copy app.asar to the target device and run Teams.exe

Naturally, this is a destructive operation and will prevent Teams from working correctly. Thus, in order to be more stealthy, it is recommended to initially back up the original app.asar and restore it after the operation is complete.

As a nice bonus, I have found that this can generally be done even if the Teams application is already running.

AWL Bypass #2: Inject app directory

The method described above suffers from the disadvantage that an ASAR file must be generated. Although this can easily be performed using the ASAR Node package, that requires the presence of NPM on the machine. If the ASAR file can be prepared on a different machine, then that is fine; however, this may not be practical if we are attempting to “live off the land”.

Fortunately for us, Electron does not search for the application code only in an app.asar file. There are three locations that are searched by Electron, in this order:

  • The “app” directory
  • The “app.asar” file
  • The “default_app.asar” file

1. Prepare a script file

For the purposes of this demonstration, we will name the script file “main.js”, and populate it with a one-liner which will launch the calculator:

require('child_process').spawn('calc.exe');

2. Prepare a package.json file

The package.json file should have the following content:

{ "main" : "main.js" }

3. Copy the script and package.json file into the app folder

To be precise, in the case of Teams, we are creating and copying to the following folder:

%LOCALAPPDATA%\Microsoft\Teams\current\resources\app 

Because Electron searches for the application within the app folder before the app.asar file, the mere presence of this folder is enough to override the app.asar file. Thus, this bypass may be executed without modifying or deleting the app.asar file itself.
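Both bypasses leave a file-system footprint that an administrator can audit: bypass #1 changes the hash of the unsigned app.asar without a corresponding version change of the signed Teams.exe, and bypass #2 creates a resources\app directory that a stock install does not have. The following PowerShell script is an added example (not part of the original post or of Microsoft’s tooling) that records a baseline hash on a known-good install and reports either indicator on later runs; the install path is the one given above, while the baseline file location is an assumption.

```powershell
# Added example: audit a per-user Teams install for the two tampering paths described above.
# Paths follow the post; $BaselineFile is an assumed location for the recorded hash.
param(
    [string]$TeamsRoot    = (Join-Path $env:LOCALAPPDATA 'Microsoft\Teams\current'),
    [string]$BaselineFile = (Join-Path $env:ProgramData 'TeamsAsarBaseline.json'),
    [switch]$WriteBaseline
)

$exe      = Join-Path $TeamsRoot 'Teams.exe'
$asar     = Join-Path $TeamsRoot 'resources\app.asar'
$appDir   = Join-Path $TeamsRoot 'resources\app'
$findings = @()

# 1. Teams.exe is Microsoft-signed, so its Authenticode signature should still verify.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') { $findings += "Teams.exe signature status: $($sig.Status)" }

# 2. Bypass #2 indicator: an 'app' directory beside app.asar is loaded in preference to the archive.
if (Test-Path -LiteralPath $appDir -PathType Container) {
    $files = @(Get-ChildItem -LiteralPath $appDir -Recurse -File | Select-Object -ExpandProperty FullName)
    $findings += "Unexpected resources\app directory ($($files.Count) files): $($files -join ', ')"
}

# 3. Bypass #1 indicator: the unsigned app.asar hash drifts while the signed Teams.exe version does not.
if (-not (Test-Path -LiteralPath $asar -PathType Leaf)) {
    $findings += "app.asar is missing from $TeamsRoot"
} else {
    $current = (Get-FileHash -LiteralPath $asar -Algorithm SHA256).Hash
    $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    if ($WriteBaseline) {
        @{ Version = $version; Sha256 = $current } | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile
        Write-Output "Baseline written for Teams $version ($current)"
        return
    }
    if (Test-Path -LiteralPath $BaselineFile) {
        $baseline = Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json
        if ($baseline.Version -ne $version) {
            $findings += "Teams version changed ($($baseline.Version) -> $version); re-baseline after verifying the update"
        } elseif ($baseline.Sha256 -ne $current) {
            $findings += "app.asar hash changed with no version change (baseline $($baseline.Sha256), now $current)"
        }
    } else {
        $findings += "No baseline at $BaselineFile; run with -WriteBaseline on a known-good install"
    }
}

if ($findings.Count -eq 0) { Write-Output "No tampering indicators found in $TeamsRoot" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it once with -WriteBaseline after a verified install or update, then schedule it per user; because Teams updates itself in place, a hash change accompanied by a version change is expected, while a hash change alone is the signal to investigate.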

Further Thoughts

The technique described here is similar to that described in the 2019 article Basic Electron Framework Exploitation. However, the techniques described there involve modifying the electron.asar file, which has since been embedded as a resource within the main executable, and therefore will no longer work.

A recent change in Electron has swapped the search order such that it searches for the app.asar file prior to the app directory, or, in some cases, only searches for app.asar. This would limit the second technique shown above, but not the first. At the time of writing this post, Microsoft Teams has not updated to the necessary version of Electron.

The above changes appear to be part of a new feature that incorporates integrity checking in general. However, this feature is designed specifically for macOS only, because it relies on features built into the macOS operating system to guarantee the integrity of the ASAR file.

Unfortunately, in choosing to develop Teams using the Electron Framework, Microsoft have inherited the weaknesses present in that framework that allow for the execution of arbitrary unsigned code.

Yes – the techniques above require some modification to be made to the folders containing the application files themselves. Unfortunately, Microsoft also makes this easy by not even allowing administrators the option to install in Program Files (with one curious exception of Teams for VDI environments). Sadly, numerous requests to fix this have fallen on deaf ears.

What about Antivirus? Wouldn’t that hopefully catch the malicious code that can be run through this application whitelisting bypass? Well, not always – Microsoft themselves recommend the exclusion of Teams.exe in antivirus configurations.

Microsoft Teams may be undergoing considerable change — the new “home” edition for Windows 11 appears to be packaged as a Store app, and hopefully the business edition will follow suit. But until then, it will continue to provide attackers with a convenient means to live off the land.
