The TeamViewer application is a well-known application and often used in corporate environments, making it an attractive target. SafeBreach Labs has discovered that TeamViewer version 14 attempts to load a missing DLL, which makes it vulnerable to attack if the missing DLL is replaced by a malicious file. The service it installs is also signed, run at startup and runs with SYSTEM level privilege–this makes it an extremely attractive target for attackers who already have access through a local administrator account and wish to escalate to SYSTEM and establish persistence. When the service starts, it attempts to load a missing “wshtcpip.dll” from the TeamViewer installation directory. Any user with administrative access could place a malicious DLL of the same name in its place. Each time the TeamViewer service starts, the malicious DLL would then be executed with the highest level of privileges and allowing full control over the victim machine. Although the real issue actually lies within Microsoft’s “mswsock.dll” file, TeamViewer was still able to work around the issue and offer an update to their customers.
TeamViewer released a patch on October 22nd. It is recommended to update as soon as possible. Not all employees need administrative access in corporate environments. Restricting which users have administrative access can limit the chances of success for more privileged attacks like this one by forcing an attacker to first find a way to gain administrative rights.