Remote support software company TeamViewer said Tuesday it issued a hotfix for a bug that allows users sharing a desktop session to gain control of the other’s computer without permission.
The bug was first publicized by a Reddit user “xpl0yt” on Monday who linked to a proof-of-concept example of a vulnerability created by the bug posted to GitHub by a user named “gellin”. TeamViewer confirmed the existence of the bug on Monday and issued a patch for Windows users on Tuesday.
The bug impacts Windows, macOS and Linux versions of TeamViewer. A patch for macOS and Linux versions of the software are expected late Tuesday or Wednesday, said Axel Schmidt, senior PR manager for TeamViewer.
This proof-of-concept vulnerability, allows an attacker to gain control of the presenter’s session or the viewer’s session without permission, said TJ Nelson, security researcher with Arbor Networks and the ASERT Research team that reviewed the PoC.
“Exploited as a presenter you are able to turn on a ‘switch sides’ feature (that usually needs the client to agree to) and change controls and sides, controlling a viewer’s computer. If exploited as a viewer, you are able to control the mouse of the presenter’s computer no matter what settings or permissions the presenter may have had set,” Nelson said.
Gellin, in a post describing the vulnerability, wrote the root of the vulnerability is an injectable C++ dll that uses naked inline hooking and direct memory modification to change TeamViewer permissions. This allows a user to “enable the ‘switch sides’ feature which is normally only active after you have already authenticated control with the client, and initiated a change of control/sides.”
“(This) allows for control of a mouse with disregard to a server’s current control settings and permissions,” gellin wrote.
In an interview with Threatpost, gellin said the bug requires both users to first be authenticated, and then an attacker would have to inject the PoC code into their own process with a tool such as a DLL injector or some type of code mapper.
“Once the code is injected into the process it’s programmed to modify the memory values within your own process that enables GUI elements that give you the options to switch control of the session,” gellin said. “Once you’ve made the request to switch controls there are no additional check on the server-side before it grants you access.”
Gellin points out the obvious. If an attacker does gain unauthorized control of a targeted computer the victim will easily be able to detect and stop the attacker by ending the session. However, gellin said before the patch was deployed, you could of easily weaponize the bug to disable a host’s visual input and force the targeted computer’s screen go black, hiding malicious activity.
Patches will be delivered automatically to those customers that have configured TeamViewer to accept automatic updates, Schmidt said. However, patches could take up to three to seven days before the update is installed. Users that do not have automatic updates set will be notified an update is available.
“Obviously, users can request an update through the client,” Schmidt said.
Nelson advises users patch for the bug fast. “Typically, these type bugs are leveraged quickly and broadly until they are patched,” he said. “This bug will be of particular interest to attackers carrying out malicious tech support scams. Attacker will no longer need to trick the victim into giving control of the system or running malicious software, instead they will be able to use this bug to gain access themselves,” he said.