TeamViewer Vulnerability – Improper Session Handling leading to Information Disclosure Advisory

Recently a vulnerability was identified and reported to TeamViewer: user chat data remains accessible even after logout or Delete Conversation in the TeamViewer Windows desktop app.

Vulnerable Version: TeamViewer Windows Desktop app v14.3.4730

Platform: Windows

CVSS Score: 4.3

CVSS v3.0 Vector: AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Fix status: TeamViewer claims it is fixed

Disclosure date: 03 July, 2019

Vulnerability Description: While using the Chat functionality, it was observed that after login to the TeamViewer desktop application for Windows, every communication was saved in Windows main memory. However, when the user logs out of the account or deletes the conversation history, the data is not wiped from main memory. Later, anybody with access can read the chats that the previously logged-in user had with other peers.

Exploitability Rationale: To exploit this, the attacker needs access to the Windows machine (an Admin or Limited user can exploit this vulnerability, depending on the Windows account privilege with which TeamViewer was launched). If someone has taken a remote connection, they would also be able to read this chat; otherwise the attacker needs the same user access on the physical device. If the user completely restarts the machine or kills the process from Task Manager, this data is wiped. However, if the user simply clicks the close button, the app only minimizes instead of closing, so the chat data remains accessible.

Impact Rationale: Loss of data confidentiality, depending on what was discussed with the peer.

Steps to Reproduce:

1. Login as user1

2. Send message to user2

3. Sign out user1 from the TeamViewer Windows application

4. (Optional) Close TeamViewer by clicking the cross at the top right (do not exit TeamViewer from the menu bar, as this kills the process).

5. Using Task Manager / Process Hacker 2, dump memory.

6. You will notice that the text chat conversation can be retrieved from this memory dump.
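
The root cause described above (chat data left in memory after logout or Delete Conversation) next to a wiping fix, as an added C example that is not TeamViewer's code and not part of the original advisory. The `chat_store` type and all function names are hypothetical, and a single fixed arena stands in for the process memory that a dump would capture.

```c
#include <string.h>

#define ARENA_SIZE 256  /* constructed size for this example */

/* Hypothetical chat history store: messages are appended to one in-memory arena. */
typedef struct { char arena[ARENA_SIZE]; size_t used; } chat_store;

/* Append a message with its NUL terminator; returns 0 on success, -1 if it does not fit. */
int chat_append(chat_store *s, const char *msg) {
    size_t n = strlen(msg) + 1;
    if (n > ARENA_SIZE - s->used) return -1;
    memcpy(s->arena + s->used, msg, n);
    s->used += n;
    return 0;
}

/* Weak logout: only the bookkeeping is reset, the message bytes stay in memory. */
void chat_logout_naive(chat_store *s) { s->used = 0; }

/* Writes go through a volatile pointer so the compiler cannot drop the wipe
   as a dead store. On Windows, SecureZeroMemory() serves the same purpose. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hardened logout: overwrite the whole arena before resetting the bookkeeping. */
void chat_logout_wiped(chat_store *s) {
    wipe(s->arena, sizeof s->arena);
    s->used = 0;
}

/* Stand-in for inspecting a memory dump: is `needle` still anywhere in the arena? */
int chat_residue(const chat_store *s, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > ARENA_SIZE) return 0;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(s->arena + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    chat_store s = {0};
    chat_append(&s, "constructed sample message");
    chat_logout_naive(&s);   /* message bytes are still in the arena */
    int leaked = chat_residue(&s, "constructed sample message");
    chat_logout_wiped(&s);   /* message bytes are overwritten */
    return !(leaked && !chat_residue(&s, "constructed sample message"));
}
```

The same wipe has to run on every path that ends a session or deletes a conversation, including the close button that only minimizes the window.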

Kartik Lalan