TeamViewer issues emergency fix for desktop access vulnerability

TeamViewer has issued an emergency patch to fix a bug which could allow attackers to gain control of other PCs when in desktop sessions.
The vulnerability first came to light on Monday, when Reddit user xpl0yt told other Redditors to “be careful” after discovering the security flaw. The user linked to a proof-of-concept (PoC) example of an injectable C++ DLL which takes advantage of the bug to change TeamViewer permissions.
The GitHub PoC, uploaded by a user called gellin, describes how the PoC code, tested on TeamViewer x86 Version 13.0.5058, can be utilized to enable the “switch sides” feature that can give a user power over another system involved in a session, which should only be made possible when a user grants that permission manually.
In addition, by using naked inline hooking and direct memory modification, the PoC allows users to take control of the mouse regardless of the session’s control settings and permissions.
TeamViewer acknowledged the bug and pushed out a hotfix to resolve the problem on Tuesday.
Patches for macOS and Linux systems are expected to drop this week, as reported by ThreatPost. Fixes will be delivered automatically.
Speaking to the publication, gellin said both users must be authenticated before the bug can be exploited, and the PoC would need to be deployed using a code mapper or DLL injector.
“Once the code is injected into the process it’s programmed to modify the memory values within your own process that enables GUI elements that give you the options to switch control of the session,” gellin told the publication. “Once you’ve made the request to switch controls there are no additional checks on the server-side before it grants you access.”
In November, TeamViewer announced the launch of TeamViewer 13 with improved remote connection features, reduced CPU loads and new native Linux client supplements.