If you use TeamViewer, make sure you are running the latest version of the famous Windows remote desktop connection program so that a known vulnerability cannot be exploited against you.
The TeamViewer team recently released an update that fixes a serious vulnerability (CVE-2020-13699). The vulnerability can enable remote attackers to steal the system password and compromise the computer.
More worryingly, an attack through this vulnerability can be carried out almost immediately and with very little input from the victims, merely by persuading them to visit a malicious web page.
TeamViewer is a well-known remote-support app that allows users to safely share their desktop or access the desktop of another computer through the Internet from anywhere. The remote-access program has a desktop and a mobile version and is available for Windows, macOS, Linux, Chrome OS, Android, iOS, Windows RT, Windows Phone 8, and BlackBerry operating systems.
The high-risk flaw in TeamViewer was discovered by Jeffrey Hofmann, a researcher at Praetorian, and resides in how the program quotes its custom URI handlers, which could let an attacker force the app to send an NTLM authentication request to the attacker’s system.
Simply put, an intruder may use a TeamViewer URI on a web page to trick the software installed on the victim’s system into making a connection to the attacker’s remote SMB share.
This, in turn, opens the door to an SMB authentication attack: it leaks the system username and an NTLMv2-hashed version of the password, which the intruder can use to authenticate to the victim’s computer or network resources with the stolen credentials.
To leverage this weakness, the intruder needs a fake iframe embedded in a website and must then trick the victim into accessing the maliciously designed URL. If the victim clicks the link, TeamViewer will immediately launch its Windows desktop application and open a remote SMB share.
The victim’s Windows app will then perform NTLM authentication as it opens the SMB share, and that request may be used to execute code, researcher Jeffrey Hofmann explains.
This flaw, classified as an “Unquoted URI Handler”, has been documented to affect the URI handlers teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The TeamViewer project has fixed the vulnerability by quoting the parameters passed by the affected URI handlers.
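A defender can verify the fix described above by checking whether each listed handler's registered command passes its parameter inside double quotes. The following is an added example, not code from TeamViewer or Praetorian. It assumes the handlers are registered in the standard Windows location `HKEY_CLASSES_ROOT\<scheme>\shell\open\command`, and the sample command strings (install path included) are constructed for illustration.

```python
import sys

# URI handler names exactly as listed in the article.
HANDLERS = ("teamviewer10 teamviewer8 teamviewerapi tvchat1 tvcontrol1 "
            "tvfiletransfer1 tvjoinv8 tvpresent1 tvsendfile1 tvsqcustomer1 "
            "tvsqsupport1 tvvideocall1 tvvpn1").split()

def classify(command, placeholder="%1"):
    """Return 'unquoted' if any %1 sits outside double quotes, 'quoted' if
    every %1 is inside them, 'no-parameter' if the command has no %1."""
    in_quotes, seen = False, False
    for i, ch in enumerate(command):
        if ch == '"':
            in_quotes = not in_quotes
        elif command.startswith(placeholder, i):
            seen = True
            if not in_quotes:
                return "unquoted"
    return "quoted" if seen else "no-parameter"

def audit(commands):
    """commands: {scheme: command string}. Return the schemes to remediate."""
    return sorted(s for s, c in commands.items() if classify(c) == "unquoted")

def read_registered_commands():
    """Windows only: read each handler's open command from HKEY_CLASSES_ROOT."""
    import winreg
    found = {}
    for scheme in HANDLERS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                scheme + r"\shell\open\command") as key:
                found[scheme] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            pass  # handler not registered on this machine
    return found

# Constructed sample data: the install path and argument layout are assumptions.
SAMPLE = {
    "tvvpn1": r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" %1',
    "tvchat1": r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" "%1"',
}

if __name__ == "__main__":
    cmds = read_registered_commands() if sys.platform == "win32" else SAMPLE
    for scheme in audit(cmds):
        print("unquoted parameter in handler:", scheme, "->", cmds[scheme])
```

Any handler the audit reports on a real machine indicates an installation that still needs the update.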
While the reported flaw has not been used in the wild so far, it is certainly of interest to hackers, since TeamViewer is a program used by millions of users all around the world.
To prevent possible exploits, users are advised to update their TeamViewer software to the latest version (15.8.3) as soon as possible, as it is just a matter of time until hackers begin to exploit the vulnerability to access user devices.