TeamViewer issues emergency fix for desktop access vulnerability

TeamViewer has issued an emergency patch to fix a bug which could allow attackers to gain control of other PCs when in desktop sessions.
The vulnerability first came to light on Monday, when Reddit user xpl0yt told other Redditors to “be careful” after discovering the security flaw. The user linked to a proof-of-concept (PoC) example of an injectable C++ DLL which takes advantage of the bug to change TeamViewer permissions.
The GitHub PoC, uploaded by a user called gellin, describes how the PoC code, tested on TeamViewer x86 Version 13.0.5058, can be utilized to enable the “switch sides” feature that can give a user power over another system involved in a session, which should only be made possible when a user grants that permission manually.
In addition, by using naked inline hooking and direct memory modification, the PoC lets a user take control of the mouse regardless of the session's control settings and permissions.
TeamViewer acknowledged the bug and pushed out a hotfix to resolve the problem on Tuesday.
Patches for macOS and Linux systems are expected to drop this week, as reported by ThreatPost. Fixes will be delivered automatically.
Speaking to the publication, gellin said both users must be authenticated before the bug can be exploited, and the PoC would need to be deployed using a code mapper or DLL injector.
“Once the code is injected into the process it’s programmed to modify the memory values within your own process that enables GUI elements that give you the options to switch control of the session,” gellin told the publication. “Once you’ve made the request to switch controls there are no additional checks on the server-side before it grants you access.”
In November, TeamViewer announced the launch of TeamViewer 13 with improved remote connection features, reduced CPU loads and new native Linux client supplements.