TeamViewer


TeamViewer is a popular proprietary application for web conferencing and file transfer between computers, which is fully capable of remote control, and desktop sharing, among other collaborative capabilities.

While the TeamViewer team had recently issued a patch for a severe vulnerability marked as CVE 2020-13699, which if exploited, could allow remote attackers to compromise a system and steal password. And the attack can be executed even without requiring much interaction with the victims, simply by convincing them to visit a malicious website.

The flaw was discovered by Jeffrey Hofmann of Praetorian, and resides in the way TeamViewer quotes its custom URI handlers, which attackers could use to force the software to relay an NTLM authentication request to their controlled system.

How attackers could leverage TeamViewer's URI scheme



Attackers can leverage TeamViewer's URI scheme from a website to trick the app installed on a victim's system into initiating a connection to the attackers-owned remote SMB share.

However, the attackers need to embed a malicious iframe on the website and trick the victim into visiting the maliciously crafted website to successfully exploit the vulnerability, and once visited by the victim, the TeamViewer app will launch its Windows desktop client and open a remote SMB share automatically.

In turn, it triggers the SMB authentication attack, thereby leaking the system's username, and the password (NTLMv2 hashed version) to the attackers, allowing them to authenticate the victims' computer or network resources.

How to Mitigate against the TeamViewer Attack Risks



The TeamViewer project had promptly issued a patch for the vulnerability by quoting the parameters used by the affected URI handlers e.g., URL:teamviewer10 Protocol "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" "%1"!

Therefore, it is recommended that users should update the application to the latest version of TeamViewer, which is version 15.8.3, though the vulnerability is currently not being exploited in the wild, but considering the popularity of the application among millions worldwide, it had always been a target for attackers.

TeamViewer Attack Risks: How Flaw Could allow attackers Steal Password Remotely

TeamViewer


TeamViewer is a popular proprietary application for web conferencing and file transfer between computers, which is fully capable of remote control, and desktop sharing, among other collaborative capabilities.

While the TeamViewer team had recently issued a patch for a severe vulnerability marked as CVE 2020-13699, which if exploited, could allow remote attackers to compromise a system and steal password. And the attack can be executed even without requiring much interaction with the victims, simply by convincing them to visit a malicious website.

The flaw was discovered by Jeffrey Hofmann of Praetorian, and resides in the way TeamViewer quotes its custom URI handlers, which attackers could use to force the software to relay an NTLM authentication request to their controlled system.

How attackers could leverage TeamViewer's URI scheme



Attackers can leverage TeamViewer's URI scheme from a website to trick the app installed on a victim's system into initiating a connection to the attackers-owned remote SMB share.

However, the attackers need to embed a malicious iframe on the website and trick the victim into visiting the maliciously crafted website to successfully exploit the vulnerability, and once visited by the victim, the TeamViewer app will launch its Windows desktop client and open a remote SMB share automatically.

In turn, it triggers the SMB authentication attack, thereby leaking the system's username, and the password (NTLMv2 hashed version) to the attackers, allowing them to authenticate the victims' computer or network resources.

How to Mitigate against the TeamViewer Attack Risks



The TeamViewer project had promptly issued a patch for the vulnerability by quoting the parameters used by the affected URI handlers e.g., URL:teamviewer10 Protocol "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" "%1"!

Therefore, it is recommended that users should update the application to the latest version of TeamViewer, which is version 15.8.3, though the vulnerability is currently not being exploited in the wild, but considering the popularity of the application among millions worldwide, it had always been a target for attackers.

No comments