The title is From Theater to Weapon: Breaking Microsoft Teams and SharePoint Integrity. Hello, I'm Nestori. I'm from Finland. This is our national team hockey shirt. We are good at that, and that's pretty much it. I work for Secureworks as a Senior Principal Security Researcher. I've been doing that job for three and a half years now. I'm on, well, social media, so Dr. Azure AD is the handle. So please follow me, if you want to. I might have like 15,000 followers if you do that, or even more. Okay, I'm also a Microsoft MVP. Who knows what an MVP is? Yeah, so I'm an MVP in the security category, obviously. That's why I'm here. And I'm also a Microsoft Most Valuable Researcher, so I was able to secure that place like a third time in a row. And it's a nice, nice, nice bunch of people to be a member of.

Okay, so I think quite a lot of you know me best from my tool AADInternals. Who has used that? Okay, are you working for APT29? Because they have done that too. And yeah, so basically it's just an admin hacking toolkit for Azure AD. So that's the name, AADInternals, which is funny because they changed the name. So it's now Entra ID. So it's fucking great for a guy whose handle is Dr. Azure AD and whose toolkit is AADInternals. Okay, yeah, so today I'm going to demonstrate this tool to show some of the things I found.

But let's start. So when my friend heard that I'm going to speak at DEF CON, he said that you need to have memes. I was like, what is a meme? And then he explained it to me, okay, so let's try. So this is me speaking in, what was it? It was Cloud-something, and this time it is like last year in Germany. I was pointing at some nice, really nice setting. And this picture was taken by another MVP. And then yet another MVP friend of mine, so that is Olaf, by the way, here. No? So he said that that's nice, nice like a tip, and also very good for a meme. And then the guy said that we need to actually make a meme about this. And now I have my own meme. So now I can point at things.
Okay, let's see, do I point at anything today? Okay, so contents of the talk. So who knows what SharePoint is? Okay, that's nice, very untypical. Yes, so for sure it's this thing where you put documents. You can do other things with it, but usually it's used for storing documents. And it's one of the services in Microsoft 365, so it's just SharePoint Online. But how many knew that also Teams is using SharePoint? Okay, that's also very untypical. Because yes, Teams, when you put a document in Teams, it actually goes to SharePoint. So it's kind of a background service to store documents. And also OneDrive is based on SharePoint technically. So everything like SharePoint, then OneDrive and then Teams, they are using the same technology in the background.

So what I'm going to talk about today is that, well, you know the CIA triad. So we have confidentiality, we have availability, and then integrity. And I'm going to show you how you can break the integrity part of that triad in SharePoint. It's nice, and I can see a couple of guys from Microsoft. So they are like doing this, all the types of "hi". But you know this already. So nothing new here. Okay, and yes, so I'm presenting stuff I found about six or seven months ago. So I was doing a research project where I was trying to check all the different migration options you have to Microsoft 365, like SharePoint, like files, and then also like emails and stuff. But I didn't find anything interesting anywhere else, but from Microsoft, sorry, from SharePoint. So that's what we're going to cover today.

And let's start. So, SharePoint Online migration options. So because I was studying migration, it's nice to have some options. And we have three currently, that I know of. And the first is like Migration Manager. And that's like a portal where you can, well, manage migrations. And what you are managing is actually an agent that is installed somewhere. It's on a server or whatever. It depends on what you are trying to migrate.
And technically that is using the same code base as the second option, called SharePoint Migration Tool. So those two are using the same agent to do the migration. And that's SPMT for short. And the third one is cross-tenant one-time migration, which I don't know anything about. So basically you should say that I want to migrate this to the other tenant, hit enter and magic happens. But today we are talking about the middle one, which is the SharePoint Migration Tool.

And what is it? What is it? So it's a free, easy-to-use option to help you migrate stuff to the cloud. And it supports migrations into three things. So SharePoint Online and OneDrive and Teams. And where you can migrate from, well, of course different kinds of SharePoint servers, but usually people are migrating network shares. But of course if you have some team site on-prem you might want to migrate that also to like Teams or SharePoint Online. Okay.

Now what's the process then? So first you need to install the tool, then you create a migration task and then you can monitor how it goes, and then finally you will see the report of what was migrated and what not. So let's see how that works. So has anybody used this ever? SPMT? Yeah, okay, some of you. So this is no news to you. So how does this work? So sorry, the print might be a bit small, but I'll just walk it through. So basically you start the tool and you choose from where you want to copy stuff. And we choose file share and you provide the share. And do you want to migrate everything or just that one? So it can also do the subfolders and content. And then, where do you want to copy stuff? In this case, Teams. Now we select which team and you can also select which channel you want to put things in. And then you review, choose some options and finally you just wait. Usually a lot of time. Yeah. So this is how the tool looks.
And when the tool is working it creates some temp files under AppData, Roaming, Microsoft, Migration Tool, Storage. And what do we have here? We have the domain name of the target migration user. We have a work folder. There are some files. We have the migration task and then some database index files. And finally the interesting stuff is here. So the stuff that is actually going to be sent to the cloud is right there. And if we open that folder, that's on the left side. And then on the right side is the actual share folder. We can see, well, I can see, you can see it's a small print. But the file sizes are exactly the same. But the file names are different. So on the right side we can see, well, there's some application file. And on the left side, it's just a GUID.DAT. And those files are encrypted.

And when they are sent to the cloud you also send, well, actually, before that, technically, how this tool works is that it asks SharePoint, give me an encryption key. And then it will encrypt stuff. And then when they are sent back to the cloud, the cloud can then decrypt those with that key. But anyway, they are encrypted. And that was the data, the actual files. But then there's also metadata. And the most important file is the manifest. Can you see it? It's right there. And what is inside the manifest? So basically you have two things that you send to the cloud. So the files and then the manifest, or metadata. And the manifest is the most important one. And what is inside that? Well, it's an XML. Who loves XML? Yeah, nobody. But okay, so we have the SP file object here. And then we have the reference to the file. And then we have the reference to that content file. So that DAT file. Then we have the initialization vector for decrypting the file content, right? And what else do we have? Well, we have a matching SP list item. So those who know how SharePoint works know that they usually also have list items. But for the rest of you, it doesn't matter. We are not interested in that one.
But what else can we see here? We can see timestamps. So that's metadata, which is sent to the cloud. And it contains timestamps. But it also contains the author. Okay, so at this point what I did was that I implemented this same protocol in my tool, AADInternals. And because I'm sending those files, those files which I selected, but also this metadata, which I have full control of. It means that I have full control of the metadata. And I was like, excellent. So what this means is that I can create documents as any person on that target site, whether it's Teams or OneDrive or SharePoint. And I can also replace files. And just make up the user who did that and the timestamp. So I have full control over that.

There's just one catch. You need to be an admin. And actually you need to be a site collection admin. Now, it turned out that, well, who of you has ever created a Teams or Team or whatever that's called? Okay? So you are that admin. So the person who creates a Team has those permissions required to do this. And it's quite nice, for instance. So let's imagine that my boss would tell me that, hey Nestori, why don't you create a Team site for our company travel policy? And it's okay. Then I will create that and create the document there as our CEO who said that I can always travel first class. That would be nice, right? Okay.

So I have a demo for you. So let's see how this works. So this is actually quite easy. So we just create a new Team. I always say Teams or Team. And let's create it from scratch. And we select a private one. So we don't invite anyone here. And then I'm gonna give it a name. And then I create the Team. And we don't wanna, for the demo, we don't wanna invite anyone. Okay. So now if we go to files and select the root folder here. Because at that time when I recorded this video, that was the only option. So we can see that this folder, General, was created by Diego Siciliani.
Well, maybe you can't see, but trust me, it's Diego Siciliani who was the guy who created this. And now I open it in SharePoint, so that I can copy the URL of the site also. And now I put this information in my tool. And I am gonna create the file as another user called Nestor W, or Nestor Wilke. And the date should be 10 years in the past. And when you download this, it doesn't take that long. But when you start the job, it can take anything from 10 seconds to 10 minutes. So I have clipped a bit of this video. So now when I go back, back here, I refresh this. And then go back to documents. There should be another file, created by a totally different person and with a different time. So this means that I can spoof documents. And I can also tamper with existing documents. And this kind of totally breaks the integrity of the... well, every service that is based on SharePoint.

Now, the funniest part is this. So if you are creating a file using SharePoint Online, it will be stored in the backend database, which will at least a couple of... well, 20 years ago it used to be Microsoft SQL Server. And also there will be an entry in the unified audit log. But if you use this technique, you send it only to the backend database. So there's no logging whatsoever. But it's also quite interesting. So let's... I'll say it again. So you can spoof and tamper with, and there are no logs. Sounds nice, right?

So I reported this to Microsoft in November last year. And I told exactly this. So that I found a way that such a normal guy who creates a team can do this. And I kind of reported that it would be nice that the name of that guy who actually uploaded that file would be there somewhere. But somehow they... it seemed to me that they understood that I was criticizing that migration API. But no, it's working as intended. So that was not my purpose. But it's working... the normal feature works as it should, but you can do bad things with that.
And they said that customers want to preserve metadata. Yes, I understand that, but there's no logging whatsoever. So you can't know who actually did that. And the last thing is that only a SharePoint site collection admin can do this. And they should... that they probably know what they are doing. And that's what I am afraid of. That they actually now know that. But this is like by design. Which in Microsoft terminology means that they are not going to fix that. So now you can do that also. I am publishing my toolkit, the newest version, when I have a decent internet connection, which I don't have here. So maybe on Monday when I'm back in Finland. So that was that. So now you can do that also quite easily. So you can try this at home. And let's see, people who are doing auditing, they might not like that. We can create files without any traces whatsoever. So it's going to be interesting, let's say it this way.

Okay, but that's not all. Let's go to the next generation. So I continued studying this. So what can I do with this? So is it just uploading files and replacing ones? Well it is, but bear with me. So Google, who loves Google? I do. Who uses Bing? Okay. Because one of my friends, Sami Laiho, here, used to say that you use Bing for searching stuff and Google for finding stuff. So actually I was able to find documentation about this, so I just googled the tag names of that manifest file. And I found that there's documentation. And I saw that it applies to SharePoint Online, but also like on-prem SharePoint 2016, 2019, 2013, whatever they are. And not many of you might know that, but I had a dark past as a SharePoint admin. So this actually dates from 2009. So it's like 15 years ago. So I passed the certification. So I'm a certified on-prem SharePoint admin. For server version 2007, but the first one I ever worked with was from 2003, so that's like 20 years ago. Some of you weren't even born at that time. So I'm that old. Okay, so what did I do?
I installed, of course, SharePoint Server, on-prem. Have any of you done that before? It takes a while. But yeah, I managed to do that. So luckily Microsoft has not put any money into updating SharePoint on-prem. So it still looks the same, like almost 20 years ago. And I also knew that that documentation I found, it was described in the XML of granular backup. Which means that if you have the on-prem site, you can export a site or list. And that's what I did here. So I chose export site. And in the upper right-hand corner there's the site collection, which I wanted to export. And then you need to enter a name for that backup file. So the original file extension, what it's proposing, is CMP, I don't know what that means. But technically it is a CAB or cabinet file. It's an ancient technology from the 1990s. So it's kind of an archive. So you just rename that to CAB and then you can open that with Windows Explorer.

And here it is, nice. So we have TeamSite.CAB. And when I open that up, we can see stuff. And we can see DAT files. So that's stuff to be restored from this backup. And we can also see that there's metadata. And when I now open the manifest.xml, I saw that, well, it looks pretty much the same. So we have the SP file here. But I also noticed that there's a file called editform.aspx. Now, ASPX is 20-year-old technology also. It's called Active Server Pages Extended or something like that. Has anybody used that? Some of you, yeah. So yeah, so I was like, okay, you can actually restore these design elements. And I was like, okay. Me likey. And my conclusions and hypothesis about this finding were that SPMT is actually using this granular backup technically. And it also allows you to import any site content, including those ASPX files. So that was my hypothesis. And therefore we can replace design files using this API. And yeah, and we could actually do that. However, in SharePoint Online, there's a thing called custom script.
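The manifest walked through earlier (an SP file entry carrying a content file reference, author and timestamps) and the ASPX design files an export package can contain give a defender something concrete to check before a package is accepted. What follows is an added example, not code from the talk or from AADInternals: a small Python audit over a constructed, simplified manifest.xml that flags design elements and metadata a plain file-share migration should not legitimately carry. The element and attribute names used (SPObjects, SPObject, File, Author, TimeCreated, TimeLastModified, FileValue) are assumed approximations of the real schema, and the sample manifest is constructed.

```python
"""Audit a SharePoint migration manifest.xml for integrity red flags.

Constructed example; the SPObjects/SPObject/File layout and attribute names
are assumptions that approximate the manifest the talk describes.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Design elements that a file-share migration should never carry: SharePoint
# renders them, so any script inside runs in every visitor's browser.
DESIGN_EXTENSIONS = (".aspx", ".master", ".js", ".html", ".htm")

# Constructed sample: one honest file, one file claiming the CEO as author ten
# years ago, and an AllItems.aspx view page with inconsistent timestamps.
SAMPLE_MANIFEST = """
<SPObjects>
  <SPObject Id="11111111-1111-1111-1111-111111111111" ObjectType="SPFile">
    <File Name="Budget.xlsx" Url="Shared Documents/Budget.xlsx"
          FileValue="aaaa.dat" Author="migrator@example.com"
          TimeCreated="2024-07-01T08:00:00Z" TimeLastModified="2024-07-02T09:30:00Z"/>
  </SPObject>
  <SPObject Id="22222222-2222-2222-2222-222222222222" ObjectType="SPFile">
    <File Name="Travel-Policy.docx" Url="Shared Documents/Travel-Policy.docx"
          FileValue="bbbb.dat" Author="ceo@example.com"
          TimeCreated="2014-08-09T10:00:00Z" TimeLastModified="2014-08-09T10:00:00Z"/>
  </SPObject>
  <SPObject Id="33333333-3333-3333-3333-333333333333" ObjectType="SPFile">
    <File Name="AllItems.aspx" Url="Shared Documents/Forms/AllItems.aspx"
          FileValue="cccc.dat" Author="migrator@example.com"
          TimeCreated="2024-07-10T12:00:00Z" TimeLastModified="2024-07-09T12:00:00Z"/>
  </SPObject>
  <SPObject Id="44444444-4444-4444-4444-444444444444" ObjectType="SPListItem"/>
</SPObjects>
"""


def parse_time(value):
    """Parse the manifest's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_manifest(xml_text, migrating_user, source_created, now):
    """Return a list of (file url, reason) findings for suspicious SPFile entries.

    migrating_user : the account that actually ran the migration job.
    source_created : earliest plausible creation time on the source share.
    now            : reference time, so future-dated metadata is caught.
    """
    findings = []
    for obj in ET.fromstring(xml_text).iter("SPObject"):
        if obj.get("ObjectType") != "SPFile":
            continue  # list items, folders etc. are out of scope here
        f = obj.find("File")
        if f is None:
            findings.append((obj.get("Id", "?"), "SPFile without File element"))
            continue
        url = f.get("Url", "?")
        if f.get("Name", "").lower().endswith(DESIGN_EXTENSIONS):
            findings.append((url, "design/script element in migration package"))
        author = f.get("Author", "")
        if author.lower() != migrating_user.lower():
            findings.append((url, f"author '{author}' is not the migrating account"))
        try:
            created = parse_time(f.get("TimeCreated", ""))
            modified = parse_time(f.get("TimeLastModified", ""))
        except ValueError:
            findings.append((url, "missing or malformed timestamp"))
            continue
        if created < source_created:
            findings.append((url, "TimeCreated predates the source share"))
        if created > now or modified > now:
            findings.append((url, "timestamp in the future"))
        if modified < created:
            findings.append((url, "TimeLastModified earlier than TimeCreated"))
    return findings


def audit_sample():
    """Run the audit over the constructed manifest with fixed reference times."""
    return audit_manifest(SAMPLE_MANIFEST, "migrator@example.com",
                          source_created=datetime(2020, 1, 1, tzinfo=timezone.utc),
                          now=datetime(2024, 8, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for url, reason in audit_sample():
        print(f"{url}: {reason}")
```

Because the migration path writes nothing to the unified audit log, the package itself is the only record of what was imported, which is why checks like these belong before the job is started rather than after.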
So as an admin, you can edit those pages also, if you have permission to do that. Or you can insert what is called a script editor web part on a page and then you can add script there. However, as it says, those are very bad things because that script can access everything the user who is visiting that site can do. Even beyond SharePoint, or Microsoft Graph integration. And for that reason, it is blocked by default. So you can't add any scripts there. So at the tenant level, which means the whole environment, it's prevented, and also for each site collection it's also prevented. And to turn those on, you need to be global admin, which is next to God in Microsoft Cloud.

Okay, so anyway, so if I still would be able to enter script there, could I do cross-site scripting maybe? So modern browsers really don't allow doing this. So basically it means that like here, so if you are getting a script, like a JavaScript file, from this address like SharePoint.com, you can only call APIs in the same domain. So you can't make calls outside that, like to Outlook.com. Even though the user would have been logged in, in another browser session, but no. Well, actually technically you can, but if you do that, there's no session information or no cookies or anything, so they would be like anonymous calls. But I knew that SharePoint, when you're accessing SharePoint, it can access your email, for instance, and calendar and that kind of stuff. And I was like, how does that work then? Because there's that same origin header which prevents JavaScript accessing other domains. So it turned out that there's this internal API in each SharePoint site called sp.oauth.token/acquire, where you can get access tokens. But as you can see, it said that you should not communicate with it directly from your solution. But what if I do? Well, it turned out that you can just ask for an access token to any resource which it is supporting. Like here, can I have a token for graph.microsoft.com? Yes, you can. Here it is.
So that actually allowed me to do, well, whatever I wanted to, whatever Graph API allows users to do. And if that user who visits this site would be like a global admin, you own the domain. Okay. Well, you own the Azure AD, not the domain, but yes. Okay. But I found out that if you have prevented using custom script, you can do that using SharePoint Online, no, SharePoint Designer, which is a designer from 10 years ago, but it still works. But with this, you can bypass that. So you can't prevent that. And that's also funny. Okay.

So a little story before the demo. So when I was recording demos for this talk, I noticed that it didn't work anymore. So I had to use, well, I thought that it didn't work actually. It did work, but I thought that it didn't. It didn't. So I actually had to use a video which I originally sent to MSRC. So it's very fine print, and there's even me talking, but I covered myself with the pilot flag. So you don't see me, but I'm going to walk you through what happens here. So in this demo, I modify the ASPX file of the documents folder, and I insert code there, and what the code does is, well, you'll see.

So let's start. I hope this demo works now. Yes. So on the upper right-hand side, we have the attacker, who has created a team site, and his name is Diego Siciliani. And then we have the victim below that, and he's Nestor Wilke. Or Wilke, I don't know how you pronounce that, even though I've done that for years, but I still don't know how to pronounce that name. But you can't pronounce mine, so it's a fair deal. Okay. So this is just to show that we are in the same team currently. And now what we need to do is that we first need to have the site collection name, so I'm going to open this in SharePoint. And now what we're going to do is that we're going to replace that AllItems.aspx file. For that, I need that site name. And that site name is actually quite boring. It's a very long URL. And then I'm going to start my tool here.
And first I need to get an access token to use that. So I'm going to type there, get an access token for that service. Sorry, this is going to take a little time, and there are a lot of typos and stuff, but yes. So it pops up a window. We just need to type my credentials, the attacker's credentials. And again, this is just a standard user who created the team, so no admin rights here. And then we're going to provide the password. And just for demonstration purposes, there's no MFA, but you should always enable that. And now we have the access token.

And then the first thing we need to do is to download that file, that ASPX file. And that's also neat, that you can actually download these elements from SharePoint Online. I don't know what the purpose of that is, but you can do that. So there's a command for that. We provide the site name. And then, well, you can see this under that, or behind that download AllItems stuff, but then you're going to provide the path of that file. So site name and then the file name inside that site collection. And that should do it. And now it says that the file is saved to AllItems.aspx. And then you can open that file in your favorite editor. And mine is Notepad++. So that's the file, and I just drop it in Notepad. And here you can see, well, it's fine print, but it's just an ASPX file. So it's pretty much a template file referring to other template files and so on. But I can paste code here. So my attacker code right here. I'm going to paste that. Save that, and then I'm going to send it back.

And it's actually interesting that when you download that file, there will be a log entry. But when you update that, there's none. So pretty much the same thing, but a different direction. So I need to update that SPO file. And again, when this starts, it can take anything from 10 seconds to 10 minutes. So that's also one thing, I don't want to do this as a live demo, because it might take an hour or 10 minutes. So it's better this way.
Okay, so now I'll just hit enter and you can see some stuff going on in there. So it sent the file, created the metadata file. And then it's going to start polling until the job is done. And it took like six or seven minutes in this case. And now it's there. And the next thing is that now we need to get the victim to visit that site. So let's do that. But let's move the attacker window to the left before that. And then I'm going to open the Outlook tab so that we can see if there's any email. And now we're going to choose another window and emulate that. Now we have somehow lured the victim to visit our site. And actually my POC, it kind of broke this because it says that you can't read that. But actually you can. You just need to type in the correct URL like that. And now when the victim visits the documents, it runs the code. And what the code does, it first gets the access token to Graph API and then it loops through all the victim's OneDrive documents and shares them with the attacker. And now they should be dropping like mails in the attacker's mailbox that hey, this guy shared a file with you. So this way you can get access to pretty much any document that you want. So everybody who visits that page, you can run that code as that user. So quite neat, right?

And yes, so that was the demo. So you could actually use the same technique so that you can run whatever code you want to. And you can also use like Graph API, so not just SharePoint. So quite nice, right? So I reported this to Microsoft and, just a recap, I reported that you can spoof documentation, or documents, you can tamper with them, and they were by design. And now when I was reporting this XSS attack, they said that, okay, that's spoofing. And I was like, what the hell is this? But we had a discussion with them and at that time they were just categorizing everything like this as spoofing. Now it's a bit different. Okay, okay, now back to the story.
So when I was starting to record demos for this talk, I noticed that it didn't work anymore. And this is the error I got. So I was not able to get an access token anymore from that API I told you about. That was part of every SharePoint site collection, and it says that you are missing a refresh token. Well, actually that wasn't the fix at all. So, but anyway, I asked Microsoft what is the status of this fix? So is it already fixed? Because I saw something that it could be. And they said, yeah, it's actually fixed. I was okay, fine. But when I was playing around, it turned out that I just had to visit some other SharePoint page before going there and then there was that refresh token. So this wasn't the fix.

So two weeks ago, roughly two weeks ago, I asked Microsoft that, hey, I have a DEF CON talk and this attack still works. So can you tell me what you fixed so that I can tell you guys what the real situation is? And it turned out that they had fixed that, but that didn't work. So last Sunday, I was already here, so yesterday, I had a meeting with MSRC, or Microsoft Security Response Center, and SharePoint Engineering and we walked through what happened, and it turned out that yes, they had fixed that, that you can upload files. And they did that based on their own specification of how that XML should be formed, and they never used my tool to verify that, because my tool only used the minimum amount of data to get it to work. So it was missing one attribute, one XML attribute, so that bypasses that. So now I'm very, let's say, proud of Microsoft in this, so they were able to fix that on Tuesday and they rolled it out, or deployed that globally, in 24 hours. So now it's fixed actually. So now I'm able to release the tool to you so that you can play around with it. But yes, that was the story. So I found nice stuff that you can do. You can still do that spoofing and tampering.
You can't do these XSS attacks anymore, but you never know, now that you have the tools, maybe some other researcher will find another way to do something with that. But so, with that, thank you. And now if there are any questions, I have plenty of time. Do we have any mics to call? Yeah, okay. Okay. So there are mics in the aisle. So if you have any questions, feel free to ask, and otherwise I'll be hanging around. So.