Remote support software company TeamViewer released a patch to address a vulnerability that allows users sharing a desktop session to gain control of the other’s computer without permission.
TeamViewer confirmed the existence of the vulnerability after its public disclosure and promptly issued a patch for Windows users on Tuesday.
The flaw was first reported by the Reddit user “xpl0yt” early this week, he also linked to a proof-of-concept injectable C++ dll that uses naked inline hooking and direct memory modification to change TeamViewer permissions.
This allows a user to “enable the ‘switch sides’ feature which is normally only active after the user has already authenticated control with the client, and initiated a change of control/sides.”
The PoC was published onGitHub by a user named “gellin,” This flaw could be exploited to gain control of the presenter’s session or the viewer’s session without permission.
“As the Server – Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the “switch sides” feature which is normally only active after you have already authenticated control with the client, and initiated a change of control/sides.” reads the description privided by Gellin on GitHub.
“As the Client – Allows for control of mouse with disregard to servers current control settings and permissions.”
The attacker would have to inject the PoC code into their own process with a tool such as a DLL injector.
“Once the code is injected into the process it’s programmed to modify the memory values within your own process that enables GUI elements that give you the options to switch control of the session,” Gellin told Threat Post. “Once you’ve made the request to switch controls there are no additional check on the server-side before it grants you access.”
Gellin explained that such kind of attack is easy to detect and stop by ending the session, however, gellin highlighted that before the patch was deployed, that attacker could exploit the flaw to disable a host’s visual input and force the targeted computer’s screen go black, hiding any malicious operation on the target.
The flaw affects Windows, macOS and Linux versions of the popular software. According to Axel Schmidt, senior PR manager for TeamViewer, the company will release a patch for macOS and Linux versions within Wednesday.
Users that have configured TeamViewer to accept automatic updates will get the patch automatically, however, patches could take up to three to seven days before the update is installed. Users that do not have automatic updates set will receive a notification about the availability of the update.
Such kind of flaw could be rapidly exploited by threat actors in the wild, especially by attackers carrying out malicious tech support scams.
(Security Affairs – TeamViewer, hacking)