TeamViewer Windows Client (v11 to v14) - DLL Preloading and Potential Abuses (CVE-2019-18196)
SafeBreach Labs discovered a vulnerability in TeamViewer.
In this post, we describe the CVE-2019-18196 vulnerability we found in TeamViewer.
We then demonstrate how this vulnerability could have been exploited by an attacker during a post-exploitation phase in order to achieve persistence and in some cases defense evasion. This vulnerability may have allowed attackers to implant an arbitrary unsigned executable, executed by a signed service that runs as NT AUTHORITY\SYSTEM.
Note: In order to exploit this vulnerability the attacker needs to have Administrator privileges.
TeamViewer is a proprietary software application for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.
Part of the software runs as a service using NT AUTHORITY\SYSTEM permissions.
In our exploration, we targeted the “TeamViewer 14” service. I seemed interesting because:
When the service is started,
TeamViewer_Service.exe tries to load a missing DLL file:
In order to test this vulnerability, we compiled an x86 unsigned arbitrary DLL which writes the following to the filename of a txt file:
Using the CVE-2019-18196 vulnerability, we were able to load an arbitrary DLL file which was signed by TeamViewer GmbH and run as NT AUTHORITY\SYSTEM. Our code was executed within
Once the service is loaded, it calls the WSAStringToAddressW WinAPI function (which causes the process to load the
ws2_32.dll library, because this function is implemented there).
ws2_32.dll library loads the
mswsock.dll library, and after a few calls it gets to the SockLoadHelperDll function, which tries to load
wshtcpip.dll using LoadLibraryExW:
There are two root causes for this vulnerability:
Although this issue is caused by Microsoft’s DLL library
), there are a few actions that TeamViewer can do in order to remediate this issue, including
verifying the signature and loading the real
mswsock.dll from SysWOW64 before the Microsoft component loads it.
Below we show two possible ways that an attacker could have leveraged these vulnerabilities which we discovered and documented above.
The vulnerability give attackers the ability to load and execute malicious payloads within the context of TeamViewer GmbH’s signed process. This ability might be abused by an attacker for different purposes such as execution and defense evasion, for example: Application Whitelisting Bypass.
The vulnerability gives an attacker the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL, the service will load the malicious code each time it is restarted.
TeamViewer 11 (Windows Client) up to 11.0.133222
TeamViewer 12 (Windows Client) up to 12.0.181268
TeamViewer 13 (Windows Client) up to 13.2.36215
TeamViewer 14 (Windows Client) up to 14.6.4835
July 23rd, 2019 - SafeBreach reported the vulnerability to TeamViewer.
Aug 20th, 2019 - TeamViewer confirmed the vulnerability. TeamViewer said they will report the issue to Microsoft because the root cause is in Microsoft’s component, and will get back to us with Microsoft’s answer.
Oct 7th, 2019 - TeamViewer said that Microsoft’s answer was that they do not intend to fix the issue, at least not in the short term and that they recommend developers to mitigate the issue themselves.
TeamViewer asked to delay our publication by 1-2 weeks so they can release a fix for all affected versions.
Oct 22nd, 2019 - TeamViewer provided us with the affected versions, released a patch to the customers and issued CVE-2019-18196. They asked to delay the publication by a week in order to provide customers with time to get patched up in advance.
Oct 22nd, 2019 - SafeBreach agreed to delay the publication.
Oct 22nd, 2019 - TeamViewer released a security bulletin .