docsjas.blogg.se

Get teamviewer 14

SafeBreach Labs discovered a vulnerability in TeamViewer. In this post, we describe the CVE-2019-18196 vulnerability we found in TeamViewer. We then demonstrate how this vulnerability could have been exploited by an attacker during a post-exploitation phase in order to achieve persistence and in some cases defense evasion.

This vulnerability may have allowed attackers to implant an arbitrary unsigned executable, executed by a signed service that runs as NT AUTHORITY\SYSTEM.

Note: In order to exploit this vulnerability the attacker needs to have Administrator privileges.

TeamViewer is a proprietary software application for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers. Part of the software runs as a service using NT AUTHORITY\SYSTEM permissions.

In our exploration, we targeted the “TeamViewer 14” service.

- The executable of the service is signed by TeamViewer and if the attacker finds a way to execute code within this process, it can be used as an application whitelisting bypass which can lead to security product evasion.
- This service automatically starts once the computer boots, which means that it’s a potential target for an attacker to be used as a persistence mechanism.
- It runs as NT AUTHORITY\SYSTEM – the most privileged user account.

When the service is started, TeamViewer_Service.exe tries to load a missing DLL file:

In order to test this vulnerability, we compiled an x86 unsigned arbitrary DLL which writes the following to the filename of a txt file:

- The name of the process which loaded it.

Using the CVE-2019-18196 vulnerability, we were able to load an arbitrary DLL file which was signed by TeamViewer GmbH and run as NT AUTHORITY\SYSTEM. Our code was executed within TeamViewer_Service.exe

Root Cause Analysis

Once the service is loaded, it calls the WSAStringToAddressW WinAPI function (which causes the process to load the ws2_32.dll library, because this function is implemented there).

Next, the ws2_32.dll library loads the mswsock.dll library, and after a few calls it gets to the SockLoadHelperDll function, which tries to load wshtcpip.dll using LoadLibraryExW:

There are two root causes for this vulnerability:

- No signature validation (or for that matter, any validation) was made against the DLL file which the service tried to load (i.e.
- Uncontrolled Search Path – The lack of safe DLL loading. The library tried to load the mentioned DLL files using LoadLibraryExW without flags (which is identical to LoadLibraryW). The problem is that it only used the filename of the DLL, instead of an absolute path.
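
The uncontrolled search path root cause, shown as an added C example that is not code from the original post or from TeamViewer: a bare-name `LoadLibraryExW` call beside a form that loads by absolute path under the system directory. The function names are hypothetical, the example assumes the helper DLL is expected in the system directory, and it does not cover the missing signature validation.

```c
#include <stddef.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Build "<sysdir>\<name>" only when name is a bare file name.
 * Returns 0 on success, -1 if the name is rejected or does not fit. */
int build_system_dll_path(const wchar_t *sysdir, const wchar_t *name,
                          wchar_t *out, size_t cap)
{
    size_t dlen = wcslen(sysdir), nlen = wcslen(name);

    /* Reject separators and drive specifiers that could redirect the load. */
    if (nlen == 0 || wcspbrk(name, L"\\/:") != NULL)
        return -1;
    if (dlen == 0 || dlen + 1 + nlen + 1 > cap)
        return -1;

    wmemcpy(out, sysdir, dlen);
    out[dlen] = L'\\';
    wmemcpy(out + dlen + 1, name, nlen + 1);   /* also copies the terminator */
    return 0;
}

#ifdef _WIN32
/* Pattern described in the post: bare file name and no flags, so the
 * default DLL search order decides which file gets mapped. */
HMODULE load_helper_unsafe(const wchar_t *name)
{
    return LoadLibraryExW(name, NULL, 0);
}

/* Hardened form: absolute path under the system directory, with the
 * dependency search restricted to the system directory as well. */
HMODULE load_helper_safe(const wchar_t *name)
{
    wchar_t sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryW(sysdir, MAX_PATH);

    if (n == 0 || n >= MAX_PATH)
        return NULL;
    if (build_system_dll_path(sysdir, name, full, MAX_PATH) != 0)
        return NULL;
    return LoadLibraryExW(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif
```

When the flagless call sits in a library the application does not control, a process can call `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)` early in startup, which sets the search path used by `LoadLibraryExW` calls that pass no `LOAD_LIBRARY_SEARCH` flags.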