Hackers could gain control of other PCs in desktop sessions
TeamViewer has rushed out an emergency patch to fix a security flaw that could allow hackers to take over other machines during an active session.
According to researchers at Malwarebytes, the Windows, Mac, and Linux versions are all apparently affected by this bug, which was first revealed on Reddit. TeamViewer acknowledged the existence of the vulnerability after it was publicly disclosed.
Reddit user xpl0yt had warned that users should be careful, linking to a proof-of-concept (PoC) example of an injectable C++ DLL which uses the flaw to change TeamViewer permissions. The PoC, released by someone named Gellin, uses “naked inline hooking and direct memory modification to change TeamViewer permissions.”
The code can be used on either the client or the server side. On the server side, the flaw enables extra menu item options on the right-side pop-up menu. The most useful so far is enabling the “switch sides” feature, which is normally only active after you have already authenticated control with the client and initiated a change of control/sides, according to the GitHub posting.
On the client side, the flaw allows control of the mouse regardless of the server's current control settings and permissions.
“Many tech support scammers make use of programs such as TeamViewer, but with this new technique they wouldn't have to first trick the victim into handing over control,” said researchers in a Malwarebytes blog post.
“While in theory a victim should know immediately if a scammer has gained unauthorised control over their system and kill off the session straight away, in practice it doesn't always pan out like that.”
In a statement from TeamViewer to SC Media UK, the firm's spokesperson said that it “needs to be stressed that the impact of this exploit is limited”.
“Cyber-criminals could not just randomly attack any given TeamViewer installation. The exploit could only be applied after a legitimate TeamViewer session had been established; in other words: both parties needed to agree to join a legitimate TeamViewer session first and establish it. Additionally, users could end the TeamViewer session at any time to terminate the act,” the spokesperson said.
The company added that users should protect themselves by updating their software right away.
“The threat that comes with this potential exploit could be used in a typical tech support scam when scammers ask their victims to connect to the scammer's machine first, allowing the scammer to control the connection without the victim's permission. It's important to remember that legitimate organisations never cold call users to warn them about computer issues, so just hang up if you receive a call like that. If you are worried about your computer, take the initiative and ask a trustworthy party to look at it,” the spokesperson said.
Javvad Malik, security advocate at AlienVault, told SC Media UK that this is a pretty significant bug, as it allows full control without needing permissions. “Given the chequered history of TeamViewer, organisations should consider alternative, more enterprise-friendly products,” he said. “In the interim, users should be sure to install patches and keep software up to date at all times.”
TeamViewer has emailed SC to respond to the comment in the last quote, issuing the following statement: “Calling TeamViewer's history ‘chequered’ is uncalled for. Our product is certainly abused by scammers. But so are other remote support solutions. In addition, we would like to emphasise that these abuse scenarios do not hinge upon a structural deficit. We acted immediately when the current vulnerability was brought to our attention and provided a hotfix one day later.”