TeamViewer issued a patch on Tuesday to fix a vulnerability that allows users sharing a desktop session to gain control of the other party’s PC without permission. The vulnerability affected versions of TeamViewer running on Windows, macOS and Linux machines.
For those unaware, TeamViewer is a popular remote-support application for desktop sharing, online meetings, web conferencing and file transfer between computers over the internet from anywhere in the world. To establish a connection, the local computer needs the remote computer’s ID and password to gain control over it; conversely, the remote computer needs the local computer’s ID and password to gain control over the local computer.
The vulnerability was first publicized on Monday by a Reddit user, “xpl0yt”, who linked to a Proof-of-Concept (PoC) published on GitHub by a user named “gellin”. TeamViewer also acknowledged the vulnerability after it was publicly disclosed.
The PoC released by Gellin shows how TeamViewer permissions can be modified via a simple injectable C++ DLL, which uses “naked inline hooking and direct memory modification to change TeamViewer permissions.” The code can be used on both the client and the server side.
If the server is the attacker: the code enables extra menu item options in the right-side pop-up menu. The most useful so far is the “switch sides” feature, which is normally only active after you have already authenticated control with the client and initiated a change of control/sides.
If the client is the attacker: the code allows the client side to take control of the mouse and keyboard of the server side, ignoring any control settings or permissions on the server side.
This vulnerability could be exploited to gain control of the presenter’s session or the viewer’s session without permission. The bug requires both users to be authenticated first; the attacker then needs to inject the PoC code into their own process with a tool such as a DLL injector or some type of code mapper.
“Once the code is injected into the process it’s programmed to modify the memory values within your own process that enables GUI elements that give you the options to switch control of the session,” Gellin told Threatpost. “Once you’ve made the request to switch controls there is no additional check on the server-side before it grants you access.”
Users who have configured TeamViewer to accept automatic updates will get the patch delivered automatically; however, it could take up to three to seven days before the update is installed. Those who do not have automatic updates set will be notified when an update is available.
Nelson, a security researcher with Arbor Networks and the ASERT Research team who reviewed the PoC, advises users to patch the bug fast. “Typically, these types of bugs are leveraged quickly and broadly until they are patched,” he said. “This bug will be of particular interest to attackers carrying out malicious tech support scams. The attacker will no longer need to trick the victim into giving control of the system or running malicious software, instead, they will be able to use this bug to gain access themselves,” he said.
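
The missing server-side check Gellin describes can be shown with a small C++ model. This is an added example, not TeamViewer's code and not part of the PoC: the `Endpoint` struct, the message names and both handler functions are hypothetical, and the sample state is constructed. It contrasts a receiving endpoint that trusts an incoming "switch sides" request with one that re-checks the request against its own settings.

```cpp
#include <cstdio>

// Hypothetical model of a desktop-sharing session endpoint. All names are
// illustrative assumptions; none are taken from TeamViewer.
enum class Msg { SwitchSides, KeepAlive };

struct Endpoint {              // state owned by the side RECEIVING the request
    bool authenticated;        // session passed ID/password authentication
    bool allowRemoteControl;   // local setting: peer may drive mouse/keyboard
    bool userApprovedSwitch;   // local user confirmed a change of sides
    bool peerHasControl;       // result: does the peer now control this PC?
    int  deniedSwitches;       // counter a defender can alert on
};

Endpoint make_endpoint(bool allowControl, bool approved) {
    return Endpoint{true, allowControl, approved, false, 0};
}

// Flawed pattern: assumes the peer's GUI only offers "switch sides" when it
// is allowed, so an arriving request is treated as already authorized.
bool handle_trusting(Endpoint& e, Msg m) {
    if (m == Msg::SwitchSides && e.authenticated) e.peerHasControl = true;
    return e.peerHasControl;
}

// Hardened pattern: every request is re-checked against local state, so a
// peer that altered its own process gains nothing by sending the message.
bool handle_checked(Endpoint& e, Msg m) {
    if (m != Msg::SwitchSides) return false;
    if (!e.authenticated || !e.allowRemoteControl || !e.userApprovedSwitch) {
        ++e.deniedSwitches;    // unexpected request: worth logging
        return false;          // control stays where it was
    }
    e.peerHasControl = true;
    return true;
}

int main() {
    Endpoint a = make_endpoint(false, false), b = a;   // constructed sample state
    std::printf("trusting handler grants control: %d\n", handle_trusting(a, Msg::SwitchSides));
    std::printf("checked handler grants control:  %d\n", handle_checked(b, Msg::SwitchSides));
    std::printf("denied requests recorded:        %d\n", b.deniedSwitches);
    return 0;
}
```

A denied switch request from an authenticated peer is a useful signal in itself, since an unmodified peer in this model would never have offered the option.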