CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 3CVE-2019-18988 – TeamViewer Desktop Bypass Remote Login Vulnerability
https://notcve.org/view.php?id=CVE-2019-18988
TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protect information stored in the registry or configuration files of TeamViewer. With versions before v9.x , this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. • https://github.com/mr-r3b00t/CVE-2019-18988 https://github.com/reversebrain/CVE-2019-18988 https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264 https://community.teamviewer.com/t5/Knowledge-Base/tkb-p/Knowledgebase?threadtype=label&labels=Security https://twitter.com/Blurbdust/status/1224212682594770946?s=20 https://whynotsecurity.com/blog/teamviewer - • CWE-521: Weak Password Requirements •
CVSS: 6.9EPSS: 0%CPEs: 5EXPL: 0CVE-2019-18196
https://notcve.org/view.php?id=CVE-2019-18196
A DLL side loading vulnerability in the Windows Service in TeamViewer versions up to 11.0.133222 (fixed in 11.0.214397), 12.0.181268 (fixed in 12.0.214399), 13.2.36215 (fixed in 13.2.36216), and 14.6.4835 (fixed in 14.7.1965) on Windows could allow an attacker to perform code execution on a target system via a service restart where the DLL was previously installed with administrative privileges. Exploitation requires that an attacker be able to create a new file in the TeamViewer application directory; directory permissions restrict that by default. Una vulnerabilidad de carga lateral de DLL en el Windows Service en TeamViewer versiones hasta 11.0.133222 (corregido en 11.0.214397), 12.0.181268 (corregido en 12.0.214399), 13.2.36215 (corregido en 13.2.36216) y 14.6.4835 (corregido en 14.7.1965) sobre Windows, podría permitir a un atacante llevar a cabo la ejecución de código en un sistema de destino mediante un reinicio del servicio donde la DLL fue instalada previamente con privilegios administrativos. La explotación requiere que un atacante sea capaz de crear un nuevo archivo en el directorio de la aplicación TeamViewer; los permisos de directorio restringen eso por defecto. • https://community.teamviewer.com/t5/Announcements/Security-bulletin-CVE-2019-18196/td-p/74564 https://safebreach.com/Post/TeamViewer-Windows-Client-v11-to-v14-DLL-Preloading-and-Potential-Abuses-CVE-2019-18196 • CWE-426: Untrusted Search Path •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14333
https://notcve.org/view.php?id=CVE-2018-14333
TeamViewer through 13.1.1548 stores a password in Unicode format within TeamViewer.exe process memory between "[00 88] and "[00 00 00]" delimiters, which might make it easier for attackers to obtain sensitive information by leveraging an unattended workstation on which TeamViewer has disconnected but remains running. TeamViewer hasta la versión 13.1.1548 almacena una contraseña en formato Unicode en la memoria del proceso TeamViewer.exe entre los delimitadores "[00 88]" y "[00 00 00]", lo que podría facilitar que los atacantes obtengan información sensible aprovechando una estación de trabajo sin atender en la que TeamViewer se ha desconectado, pero sigue en ejecución. • https://github.com/vah13/extractTVpasswords • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.3EPSS: 2%CPEs: 5EXPL: 2CVE-2010-3128 – TeamViewer 5.0.8703 - 'dwmapi.dll' DLL Hijacking
https://notcve.org/view.php?id=CVE-2010-3128
Untrusted search path vulnerability in TeamViewer 5.0.8703 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .tvs or .tvc file. Vulnerabilidad de ruta de búsqueda no confiable en TeamViewer v5.0.8703 y anteriores permite a usuarios locales, y puede que atacantes remotos, ejecutar código de su elección y producir un ataque de secuestro de DLL, a través de un troyano dwmapi.dll que está ubicado en la misma carpeta que un fichero .tvs o .tvc. • https://www.exploit-db.com/exploits/14734 http://secunia.com/advisories/41112 http://www.exploit-db.com/exploits/14734 http://www.securityfocus.com/archive/1/513317/100/0/threaded http://www.vupen.com/english/advisories/2010/2174 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6773 •