Remote support/access company TeamViewer quickly releases a hotfix to address a recently discovered bug that grants access without permission
For anyone who has initiated or been on the receiving end of a remote support call, ensuring that you are protected and only allowing access to an authorized party is paramount.
Recently one software company, TeamViewer, stated that it released a hotfix to address a bug that was allowing users who were sharing a desktop session to gain control of the other user's machine without being prompted or receiving permission.
This bug was first reported on Reddit on Monday, December 4th by a user “xpl0yt”, who also linked to an actual proof-of-concept. This vulnerability was posted on GitHub by a user named “gellin” as a viable method of gaining remote access. TeamViewer followed up, confirmed that the vulnerability was real, and issued a patch update for Windows users the next day.
While this issue does affect Windows, macOS and Linux versions of the software, TeamViewer states that the patches for macOS and Linux will be released late Tuesday or Wednesday.
We at Your Digital Mind always love proof-of-concept vulnerabilities since they really break down how an issue works, what went wrong and sometimes how to remedy it. In this proof-of-concept the attacker is able to gain control of a presenter's session or the viewer's session without being granted permission.
Tj Nelson, a security researcher at Arbor Networks and the ASERT Research team, stated, “Exploited as a presenter you are able to turn on a ‘switch sides’ feature (that usually needs the client to agree to) and change controls and sides, controlling a viewer’s computer. If exploited as a viewer, you are able to control the mouse of the presenter’s computer no matter what settings or permissions the presenter may have had set.”
The GitHub user gellin described the vulnerability in his post, stating that the root of the issue is a vulnerability formed from injecting a C++ DLL that uses naked inline hooking and direct memory modification to change TeamViewer permissions. This allows an attacker to “enable the ‘switch sides’ feature which is normally only active after you have already authenticated control with the client, and initiated a change of control/sides.”
“(This) allows for control of a mouse with disregard to a server’s current control settings and permissions,” gellin continued.
In an interview with Threatpost, gellin said, “Once the code is injected into the process it’s programmed to modify the memory values within your own process that enables GUI elements that give you the options to switch control of the session. Once you’ve made the request to switch controls there are no additional checks on the server-side before it grants you access.”
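The missing server-side check gellin describes, sketched as an added example (not TeamViewer's code or protocol; the session model, function names and return strings are all hypothetical). The naive handler assumes the client's GUI gated the request, while the checked handlers keep consent and permission state on the server, where modified client memory cannot reach it.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    presenter: str                      # peer whose desktop is shown
    viewer: str                         # peer watching it
    viewer_may_control: bool = False    # presenter's permission setting
    pending: set = field(default_factory=set)  # switch requests awaiting consent

    def peer_of(self, user):
        return self.viewer if user == self.presenter else self.presenter


def switch_sides_naive(s, requester):
    # Flawed: assumes the client only sends this after its own GUI allowed it.
    s.presenter, s.viewer = s.viewer, s.presenter
    return "SWITCHED"


def switch_sides_checked(s, requester):
    # Server records the request; nothing changes until the other peer consents.
    if requester not in (s.presenter, s.viewer):
        return "DENIED"
    s.pending.add(requester)
    return "CONSENT_REQUIRED"


def consent(s, approver, requester):
    # Only the other participant can approve, and only a request the server saw.
    if requester not in s.pending or approver != s.peer_of(requester):
        return "DENIED"
    s.pending.discard(requester)
    s.presenter, s.viewer = s.viewer, s.presenter
    return "SWITCHED"


def mouse_input_checked(s, sender):
    # Viewer input is honoured only if the presenter's setting allows it.
    if sender == s.presenter:
        return "ACCEPTED"
    if sender == s.viewer and s.viewer_may_control:
        return "ACCEPTED"
    return "DENIED"
```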
You may ask yourself: how do you defend against this type of attack? Gellin stated that if an attacker does in fact gain unauthorized control of a targeted machine, the victim will easily be able to detect the attack and can stop the process by ending the session. The potential for higher-level attacks was great prior to the hotfix – it could have been possible for an attacker to disable a host’s visual input and force the screen to go black, effectively weaponizing and hiding any malicious activity.
The good news is that patches will be distributed automatically to TeamViewer users who are configured for automatic updates. The drawback is that these patches could take multiple days – even up to a week – before the update is installed. If you do not have automatic updates enabled, you will be notified that an update is available when opening the application.
“Obviously, users can request an update through the client,” Schmidt said.
Nelson has advised users to patch the bug sooner rather than later. “Typically, these types of bugs are leveraged quickly and broadly until they are patched,” he said. “This bug will be of particular interest to attackers carrying out malicious tech support scams. Attackers will no longer need to trick the victim into giving control of the system or running malicious software, instead they will be able to use this bug to gain access themselves.”