0x00 Preface
---
On December 5th, TeamViewer released a new version 13.0.5640, fixing a bug present in the previous version 13.0.5058.
Subsequently, gellin uploaded a POC for this vulnerability on GitHub, and the security information website ThreatPost reported on the situation.
However, at first glance, the vulnerability description and POC were difficult to understand. Therefore, this article conducted further testing, verified the POC, and drew conclusions.
POC:
https://github.com/gellin/TeamViewer_Permissions_Hook_V1
ThreatPost Report:
https://threatpost.com/teamviewer-rushes-fix-for-permissions-bug/129096/
0x01 Introduction
---
This article will cover the following:
- POC Testing
- Brief Analysis of the Principle
- Exploitation Approach
- Defense
0x02 POC Testing
---
1. Compile and generate DLL
The POC is developed in C++. When compiling with VS2012, the following bug occurs:
error C2784: 'std::_String_iterator<_Mystr> std::operator +(_String_iterator<_Mystr>::difference_type,std::_String_iterator<_Mystr>)': could not deduce template argument for 'std::_String_iterator<_Mystr>' from 'std::string'
Location of the bug:
https://github.com/gellin/TeamViewer_Permissions_Hook_V1/blob/master/TeamViewerHook_13_0_3711_88039/main.cpp#L25
The error occurs because the author used a newer version of Visual Studio. Since this code segment only handles console output, it can be simplified. The modified code is as follows:
console = new Console(std::string(BANNER), std::string("TeamViewer Permissions Hook v1"));
Compilation successful, generating TeamViewerHook_13_0_3711_88039.dll
2. Test environment setup
Host 1 (Server):
Operating System: Win8 x86
Install TeamViewer 13.0.5058
As the controlled end, ID is 543 847 147, password is 49s4eb
Host 2 (Client):
Operating System: Win8 x86
Install TeamViewer 13.0.5058
As the controlling end, used for remote connection to Host 1
3. Test Function A: Host 1 (Server) reverse controls Host 2 (Client)
Host 2 (Client) enters ID and password, successfully remotely connects to Host 1 (Server)
As shown in the figure below

Note:
A normal function supported by TeamViewer: Host 2 (Client) selects Communication - Switch roles with partner control, can switch roles, allowing Host 1 (Server) to reverse control Host 2 (Client), as shown in the figure below

First function of the POC: Achieve unauthorized reverse control of Host 2 (Client) by Host 1 (Server)
Process is as follows:
On Host 1 (Server), inject TeamViewerHook_13_0_3711_88039.dll into the TeamViewer process
APC injection can be used here, code reference:
an open-source project
Before DLL injection, click the session list on Host 1 (Server), as shown below

Proceed with DLL injection, follow the prompt to press NUMPAD 1, select Host/Server, as shown below

Click the session list on Host 1 (Server) again, the list is modified, as shown below

Select 'Switch Roles' to enable Host 1 (Server) to control Host 2 (Client) in reverse
4. Test Function B: Host 2 (Client) unlocks mouse and keyboard
Similar to Test A, Host 2 (Client) enters ID and password, successfully establishes remote connection to Host 1 (Server)
Host 1 (Server) disables remote mouse control from Host 2 (Client) by configuring the session list, as shown below

Under normal circumstances, Host 2 (Client) cannot use the mouse to remotely control Host 1 (Server)
Second function of the POC: Unauthorized unlocking of the mouse on Host 2 (Client) to remotely control Host 1 (Server)
Next, perform DLL injection. Follow the prompt to press NUMPAD 2 and select client, as shown below

Successfully unlocked the mouse and remotely controlled Host 1 (Server), as shown below

0x03 Brief Analysis of the Principle
---
Through DLL injection, the POC searches the memory of the target TeamViewer process, locates the pointer to the structure representing permissions, reassigns its value, and applies a naked inline hook so that the modified permissions take effect.
The modified memory structure is shown below

For specific implementation methods, refer to the source code
0x04 Exploitation Ideas
---
1. Function A: Host 1 (Server) reverse-controlling Host 2 (Client)
If Host 1 (Server) successfully reverse-controls Host 2 (Client) through this vulnerability, by default the desktop of Host 2 (Client) will show that it is being controlled.
However, since DLL injection can modify the memory data of the TeamViewer process, it is also possible to alter what the desktop of Host 2 (Client) displays by changing memory data (e.g., a black screen, or a normal screen (not recommended), etc.).
The publicly available POC does not implement the function to control the desktop display content of Host 2 (Client). Considering the severity of this vulnerability, this article will not detail the specific methods for converting POC to EXP.
2. Function B: Host 2 (Client) unlocks mouse and keyboard
The prerequisite for this function is that Host 2 (Client) has successfully established a remote connection to Host 1 (Server). It only takes effect when Host 1 (Server) chooses to disable the mouse of Host 2 (Client).
0x05 Defense Strategies
---
1. It is recommended that users upgrade to the new TeamViewer version 13.0.5640
Note:
As of the writing of this article, TeamViewer's official website has not yet released specific details about this upgrade version. The address is as follows:
https://www.teamviewer.com/en/download/changelog/
2. Do not connect to unknown TeamViewer servers arbitrarily
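As an added defensive check (not code from the POC or from TeamViewer), the PowerShell below compares the installed TeamViewer.exe build against the fixed version 13.0.5640 named above and lists modules loaded into a running TeamViewer process whose Authenticode signature is not valid, since a DLL injected as in 0x02 would appear as an unsigned foreign module. The install path is an assumption; reading another process's module list needs an elevated shell.

```powershell
# Added defensive check (not part of the POC or of TeamViewer).
# 1. Flags a TeamViewer install still below the fixed build 13.0.5640.
# 2. Lists modules loaded into TeamViewer processes whose Authenticode
#    signature is not valid (injected third-party DLLs show up here).
# Assumptions: default install path; run from an elevated shell.

$FixedVersion  = [version]'13.0.5640'                                     # from the article
$TeamViewerExe = Join-Path $env:ProgramFiles 'TeamViewer\TeamViewer.exe'  # assumed default path

function Test-TeamViewerVulnerableVersion {
    param([string]$ExePath = $TeamViewerExe)
    if (-not (Test-Path $ExePath)) { return $null }
    # ProductVersion may carry trailing text; keep only the dotted number.
    $raw = (Get-Item $ExePath).VersionInfo.ProductVersion
    if ($raw -notmatch '\d+(\.\d+){1,3}') { return $null }
    $installed = [version]$Matches[0]
    [pscustomobject]@{
        Installed  = $installed
        Fixed      = $FixedVersion
        Vulnerable = ($installed -lt $FixedVersion)
    }
}

function Get-TeamViewerUnsignedModules {
    # A 32-bit shell cannot enumerate 64-bit process modules; match the bitness
    # of TeamViewer (x86 in the article's test environment).
    Get-Process -Name 'TeamViewer*' -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $modules = $proc.Modules } catch { return }   # access denied without elevation
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    Status    = $sig.Status
                }
            }
        }
    }
}

Test-TeamViewerVulnerableVersion | Format-List
Get-TeamViewerUnsignedModules   | Format-Table -AutoSize
```

An empty module table only means no unsigned module was loaded at the time of the check; run it while a session is active, as the injection in 0x02 happens after the connection is established.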
0x06 Summary
---
This article tests the POC for the privilege vulnerability in TeamViewer 13.0.5058, briefly introduces its principles and exploitation ideas, and provides defense recommendations.