TeamViewer issues emergency fix for desktop access vulnerability

Contributor II

TeamViewer has issued an emergency patch to fix a bug which could allow attackers to gain control of other PCs when in desktop sessions.

The vulnerability first came to light on on Monday, when Reddit user xpl0yt told other Redditors to "be careful" after discovering the security flaw. The user linked to a proof-of-concept (PoC) example of an injectable C++ DLL which takes advantage of the bug to change TeamViewer permissions.

The GitHub PoC, uploaded by a user called gellin, describes how the PoC code, tested on TeamViewer x86 Version 13.0.5058, can be utilized to enable the "switch sides" feature that can give a user power over another system involved in a session, which should only be made possible when a user grants that permission manually.

By using naked inline hooking and direct memory modification, in addition, the PoC allows users to harness control of the mouse without paying any attention to control settings and permissions.

TeamViewer acknowledge the bug and pushed out a hotfix to resolve the problem on Tuesday.

Patches for macOS and Linux systems are expected to drop this week, as reported by ThreatPost. Fixes will be delivered automatically.

Speaking to the publication, gellin said both users must be authenticated before the bug can be exploited, and the PoC would need to be deployed using a code mapper or DLL injector.

"Once the code is injected into the process it's programmed to modify the memory values within your own process that enables GUI elements that give you the options to switch control of the session," gellin told the publication. "Once you've made the request to switch controls there are no additional check on the server-side before it grants you access."