TeamViewer 13.0.5058 permission vulnerability testing

0x00 Foreword


On December 5, TeamViewer released a new version, 13.0.5640, which fixes a bug in the previous version, 13.0.5058.

Subsequently, gellin uploaded a POC for the vulnerability to GitHub, and the security news site ThreatPost reported on it.

But at first glance the vulnerability description and the POC are hard to understand, so this article carries out further testing, verifies the POC, and draws conclusions.

POC:

https://github.com/gellin/TeamViewer_Permissions_Hook_V1

ThreatPost reports:

https://threatpost.com/teamviewer-rushes-fix-for-permissions-bug/129096/

0x01 Introduction


This article covers the following:

  • POC testing
  • Brief analysis of the principle
  • Exploitation ideas
  • Defense

0x02 POC testing


1. Compiling the DLL

The POC is written in C++; compiling it with VS2012 produces the following error:

error C2784: "std :: _ String_iterator <_Mystr> std :: operator + (_ String_iterator <_Mystr> :: difference_type, std :: _ String_iterator <_Mystr>)": failed from "std :: string" to "std :: _ String_iterator <_Mystr> "deduce template argument

Location of the error:

https://github.com/gellin/TeamViewer_Permissions_Hook_V1/blob/master/TeamViewerHook_13_0_3711_88039/main.cpp#L25

The error occurs because the author used a later version of Visual Studio. Since this line only produces console output, its contents can be ignored; the revised code is as follows:

console = new Console(std::string(BANNER), std::string("TeamViewer Permissions Hook v1"));

Compilation succeeds, generating TeamViewerHook_13_0_3711_88039.dll

2. Setting up the test environment

Host 1 (Server):

OS: Win8 x86

Install TeamViewer 13.0.5058

Acts as the controlled end, with ID 543 847 147 and password 49s4eb

Host 2 (Client):

OS: Win8 x86

Install TeamViewer 13.0.5058

Acts as the controlling end, connecting remotely to Host 1

3. Test function A: Host 1 (Server) reverse-controls Host 2 (Client)

Host 2 (Client) enters the ID and password and successfully connects remotely to Host 1 (Server)

As shown below

[screenshot]

Note:

TeamViewer supports a normal function: on Host 2 (Client), selecting Communication - Switch sides with partner swaps the roles, so that Host 1 (Server) in turn controls Host 2 (Client), as shown in the figure below.

[screenshot]

First function of the POC: Host 1 (Server) reverse-controls Host 2 (Client) without authorization

The process is as follows:

On Host 1 (Server), inject TeamViewerHook_13_0_3711_88039.dll into the TeamViewer process

APC injection can be used here; see the code at:

https://github.com/3gstudent/Inject-dll-by-APC/blob/master/test.cpp

Before injecting the DLL, click the session list on Host 1 (Server), as shown below

[screenshot]

Then inject the DLL; when prompted, enter NUMPAD 1 to select Host/Server, as shown below

[screenshot]

Click the session list on Host 1 (Server) again; the list has been modified, as shown below

[screenshot]

Select Switch sides, and Host 1 (Server) can in turn control Host 2 (Client)

4. Test function B: Host 2 (Client) unlocks the mouse and keyboard

As in test A, Host 2 (Client) enters the ID and password and successfully connects remotely to Host 1 (Server)

Host 1 (Server) configures the session list to forbid remote control with Host 2 (Client)'s mouse, as shown below

[screenshot]

Normally, Host 2 (Client) cannot use the mouse to remotely control Host 1 (Server)

Second function of the POC: Host 2 (Client) unlocks the mouse without authorization and remotely controls Host 1 (Server)

Now inject the DLL; when prompted, enter NUMPAD 2 to select client, as shown below

[screenshot]

The mouse is unlocked successfully and Host 1 (Server) can be controlled remotely, as shown below

[screenshot]

0x03 Brief analysis of the principle


Through DLL injection, the POC searches the memory of the target process for the address of the pointer that represents the permission, reassigns it, and applies a naked inline hook, thereby modifying the permission

The modified memory structure is shown below

[screenshot]

See the source code for the specific implementation

0x04 Exploitation ideas


1. Function A: Host 1 (Server) reverse-controls Host 2 (Client)

If Host 1 (Server) successfully reverse-controls Host 2 (Client) through the vulnerability, by default the desktop of Host 2 (Client) shows that it is being controlled

However, since DLL injection can modify the memory data of the TeamViewer process, the content displayed on the desktop of Host 2 (Client) can also be controlled by modifying memory (for example, a black screen, or a normal screen (not recommended))

The public POC does not implement control of the desktop display of Host 2 (Client); considering the harm of this vulnerability, this article does not describe how to turn the POC into an EXP

2. Function B: Host 2 (Client) unlocks the mouse and keyboard

The prerequisite is that Host 2 (Client) has already successfully connected remotely to Host 1 (Server); this function only takes effect when Host 1 (Server) chooses to disable the mouse of Host 2 (Client)

0x05 Defensive ideas


1. Users are advised to upgrade to the new TeamViewer version 13.0.5640

Note:

As of this writing, the TeamViewer website has not yet published the details of this release; the changelog is at:

https://www.teamviewer.com/en/download/changelog/

2. Do not casually connect to unknown TeamViewer servers
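The following PowerShell script is an added example, not part of the original post or of gellin's POC. It turns the two recommendations above into a check a defender can run on a Windows host: it reads the file version of each running TeamViewer process and compares it with the fixed build 13.0.5640 named in the article, and it lists every module loaded into those processes that does not come from the Windows directory and does not carry a valid signature from TeamViewer, which is the kind of artifact a DLL injected by APC (as the POC does) leaves behind. It assumes the process names match TeamViewer*, that FileVersion parses as dotted digits, and that it runs elevated with the same bitness as the TeamViewer process so that the module list can be enumerated.

```powershell
# Added example (not from the original post): defender-side check for an
# unpatched TeamViewer build and for unexpected modules loaded into its processes.
# Assumptions: process names match 'TeamViewer*', the fixed version is 13.0.5640
# (from the article), and the script runs elevated with matching bitness.

$FixedVersion = [version]'13.0.5640'

function Test-TeamViewerVersion {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    # FileVersion of the main executable, e.g. "13.0.5058.0"
    $raw = $Process.MainModule.FileVersionInfo.FileVersion
    $installed = [version]($raw -replace '[^\d.]', '')
    [pscustomobject]@{
        ProcessId = $Process.Id
        Name      = $Process.ProcessName
        Version   = $installed
        Patched   = ($installed -ge $FixedVersion)
    }
}

function Get-UnexpectedTeamViewerModules {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    $windowsDir = $env:WINDIR
    try {
        $modules = $Process.Modules
    } catch {
        Write-Warning "Cannot enumerate modules of PID $($Process.Id): $_"
        return
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        # OS DLLs (ntdll, kernel32, ...) are catalog-signed; skip them to reduce noise.
        if ($path -like "$windowsDir\*") { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Report anything that is not validly signed by TeamViewer. Legitimate
        # third-party hooks (antivirus, shell extensions) will appear here as well
        # and must be reviewed by hand; the point is that an injected POC DLL cannot hide.
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'TeamViewer') {
            [pscustomobject]@{
                ProcessId       = $Process.Id
                Module          = $path
                SignatureStatus = $sig.Status
                Signer          = $signer
            }
        }
    }
}

$procs = Get-Process -Name 'TeamViewer*' -ErrorAction SilentlyContinue
if (-not $procs) { Write-Host 'No TeamViewer process is running.'; return }
foreach ($p in $procs) {
    Test-TeamViewerVersion -Process $p | Format-List
    Get-UnexpectedTeamViewerModules -Process $p | Format-Table -AutoSize
}
```

Run it from an elevated 32-bit PowerShell on the Win8 x86 test hosts described above; a build reported as Patched = False, or a module with SignatureStatus other than Valid, is what should trigger the upgrade or an investigation.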

0x06 Summary


This article tested the POC for the permission vulnerability in TeamViewer 13.0.5058, briefly described the principle and exploitation ideas, and gave defensive recommendations



Origin www.cnblogs.com/liuzhongrong/p/12434231.html