The team behind TeamViewer, a popular software application for remote support, remote access, and online meetings, has released an update to address a high-risk vulnerability that could allow attackers to steal the system password and eventually compromise the system.
The vulnerability, tracked as CVE-2020-13699, exists due to the way TeamViewer quotes its custom URI handlers, which could allow an attacker to force the software to relay an NTLM authentication request to the attacker's system. Simply put, an attacker can use the issue in TeamViewer's URI scheme to trick the application installed on the victim's system into initiating a connection to an attacker-controlled remote SMB share. To do this, the attacker needs to create a malicious web page and trick the user into visiting it.
“An attacker could embed a malicious iframe in a website with a crafted URL that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking),” according to Jeffrey Hofmann, a security engineer at Praetorian, who found the flaw.
The issue affects the URI handlers teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1.
TeamViewer versions 8 through 15 (up to 15.8.2) for the Windows platform are impacted. The flaw was fixed by quoting the parameters passed by the affected URI handlers.
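Because the fix consists of quoting the handler parameters, a host can be checked by looking at how each affected handler is registered. The following is an added example, not code from TeamViewer or Praetorian: it reads the standard Windows URL-protocol registration (`HKEY_CLASSES_ROOT\<handler>\shell\open\command`) for the handlers listed above and reports whether the `%1` URL placeholder is quoted. The sample command strings and install path are constructed assumptions used when the script is not run on Windows.

```python
import sys

# URI handlers named in the article above.
HANDLERS = ["teamviewer10", "teamviewer8", "teamviewerapi", "tvchat1",
            "tvcontrol1", "tvfiletransfer1", "tvjoinv8", "tvpresent1",
            "tvsendfile1", "tvsqcustomer1", "tvsqsupport1", "tvvideocall1",
            "tvvpn1"]

# Constructed sample values (install path is an assumption), used off Windows.
EXE = r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe"'
SAMPLE = {"tvvpn1": EXE + ' "%1"', "tvchat1": EXE + " %1"}


def classify(command):
    """Classify a shell\\open\\command string by how it passes the URL (%1)."""
    pos = command.find("%1")
    if pos == -1:
        return "no-placeholder"
    # An odd number of double quotes before %1 means it sits inside a quoted
    # argument, which is the form the fix described above produces.
    return "quoted" if command.count('"', 0, pos) % 2 else "UNQUOTED"


def read_handler_commands():
    """Read HKCR\\<handler>\\shell\\open\\command (default value); Windows only."""
    import winreg
    found = {}
    for name in HANDLERS:
        try:
            path = name + r"\shell\open\command"
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
                found[name] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            continue  # handler not registered on this host
    return found


def audit(commands):
    """Return {handler: classification} for the affected handlers present."""
    return {n: classify(c) for n, c in commands.items() if n in HANDLERS}


if __name__ == "__main__":
    cmds = read_handler_commands() if sys.platform == "win32" else SAMPLE
    for name, status in sorted(audit(cmds).items()):
        print(f"{name:16} {status}")
```

Any handler reported as `UNQUOTED` indicates a registration that predates the fix; pair the result with a check of the installed TeamViewer version against the affected range given above.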