Teamviewer has issued an emergency patch for a critical vulnerability that allowed users sharing a desktop session to gain complete control of the other’s system without any permission or alert.
TeamViewer is a software used to connect and view/control desktops remotely. Users can securely share their desktop or take full control of other’s system over the Internet from anywhere in the world if given the permission.
The vulnerability was first discovered on Monday by a Reddit user “xpl0yt” who linked a POC(Proof-of-Concept) code(an injectable C++ DLL) which leverages the bug to change TeamViewer permissions.
The POC was uploaded to GitHub by a user named “Gellin”. The POC leverages “naked inline hooking and direct memory modification to change TeamViewer permissions.”
The vulnerability can be exploited from both servers as well as client sides.
From server side – the vulnerability can be exploited to enable “switch sides” feature which an attacker can use to take control of victim’s PC during a desktop session. By default, the “switch sides” feature should only be made possible when a user grants that permission manually.
From client side – the users can take control of the mouse & keyboard without getting any authorization control settings permissions from the server.
The vulnerability affects TeamViewer on macOS, Linux, and Windows systems. TeamViewer confirmed the existence of the bug on Monday and issued a patch for Windows users on Tuesday.
Ankush Johar, Director at Infosec Ventures said, “Although the vulnerability requires both users to be first authenticated, once they are connected all an attacker need to do is successfully inject the code into the process using a DLL injector. After the code injection, the attacker can enable the “switch sides” mode and gain complete access to the victim’s systems without going through any additional checks. These kinds of attacks can be used by attackers imposing themselves as Tech support. Users are advised to immediately patch the vulnerability by updating Team Viewer to the latest release. Users can also configure their Team Viewer to receive automatic updates, in this case, patched will be delivered automatically. As a general security practice, remove TeamViewer Server from startup and run it only when required + only connect to/allow connection from people you know are trusted.”
