Flaw in TeamViewer could let hackers steal your system password remotely

If you are using TeamViewer, make sure you’re running its latest version. The newest release includes a patch for a serious vulnerability that could allow attackers to steal your system password and eventually compromise the system. More about the CVE-2020-13699 vulnerability can be found below.

TeamViewer flaw in Windows app allows password-cracking

Popular remote-support software TeamViewer has patched a high-severity flaw (CVE-2020-13699, CVSS score 8.8/10) in its desktop app for Windows. If exploited, the flaw could allow remote, unauthenticated attackers to execute code on users’ systems or crack their TeamViewer passwords.

The flaw stems from the Desktop for Windows app not properly quoting its custom uniform resource identifier (URI) handlers. An app registers a URI handler for the schemes it wants to handle, and the operating system passes it the URI that a browser or another program asks to open. Because handler applications can receive data from untrusted sources, the URI values passed to the application may contain malicious data that attempts to exploit the app. In this specific case, the values are not “quoted” by the app, meaning that TeamViewer will treat them as commands (command-line parameters) rather than as a single input value.
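The quoting problem described above can be checked for mechanically. The following script is an added example, not TeamViewer’s code or its actual registry contents: it scans URI handler command templates for a `%1` placeholder that sits outside double quotes, and then shows, with a simplified model of Windows argument splitting, why that matters. Scheme names, paths and the sample URI are constructed.

```python
"""
Audit URL protocol handler command templates for unquoted URI placeholders.

Added example; this is not TeamViewer's code or its registry contents. On
Windows a custom URI scheme is registered under its key in HKEY_CLASSES_ROOT
as a command template in which %1 is replaced by the full URI handed over by
the browser. If %1 is not wrapped in double quotes, a URI containing
whitespace is split into several command-line arguments, so untrusted text
reaches the program as extra parameters instead of one value. Scheme names,
paths and URIs below are constructed sample data.
"""
from typing import Dict, List

# Placeholders that the Windows shell expands in a handler command template.
PLACEHOLDERS = ("%1", "%L", "%l", "%*")


def unquoted_placeholders(template: str) -> List[str]:
    """Return the placeholders that occur outside double quotes in `template`.

    The template is scanned once while tracking quote state, so
    '"C:\\app.exe" "%1"' yields [] and '"C:\\app.exe" %1' yields ["%1"].
    """
    hits: List[str] = []
    in_quotes = False
    i = 0
    while i < len(template):
        if template[i] == '"':
            in_quotes = not in_quotes
            i += 1
            continue
        matched = None
        for ph in PLACEHOLDERS:
            if template.startswith(ph, i):
                matched = ph
                break
        if matched is None:
            i += 1
            continue
        if not in_quotes and matched not in hits:
            hits.append(matched)
        i += len(matched)
    return hits


def audit_handlers(handlers: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each scheme whose template has an unquoted placeholder to those placeholders."""
    findings: Dict[str, List[str]] = {}
    for scheme, template in handlers.items():
        bad = unquoted_placeholders(template)
        if bad:
            findings[scheme] = bad
    return findings


def split_command_line(cmdline: str) -> List[str]:
    """Simplified model of Windows argv splitting: whitespace separates
    arguments unless it is inside double quotes, and the quotes are removed.
    (CommandLineToArgvW also has backslash-escape rules, omitted here.)"""
    args: List[str] = []
    current = ""
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                args.append(current)
                current = ""
        else:
            current += ch
    if current:
        args.append(current)
    return args


def expand_and_split(template: str, uri: str) -> List[str]:
    """Substitute the URI for %1 as the shell does, then split into argv."""
    return split_command_line(template.replace("%1", uri))


# Constructed sample registrations (not real registry contents).
SAMPLE_HANDLERS: Dict[str, str] = {
    "examplescheme-unquoted": r'"C:\Program Files\Example\Example.exe" %1',
    "examplescheme-quoted": r'"C:\Program Files\Example\Example.exe" "%1"',
    "examplescheme-switch": r'"C:\Program Files\Example\Example.exe" --open=%1',
}

if __name__ == "__main__":
    for scheme, bad in audit_handlers(SAMPLE_HANDLERS).items():
        print(f"{scheme}: unquoted {bad} in {SAMPLE_HANDLERS[scheme]}")
    # A URI with whitespace shows the difference in what the program receives.
    uri = "examplescheme://host/path extra-token"  # constructed input
    print(expand_and_split(SAMPLE_HANDLERS["examplescheme-unquoted"], uri))  # 3 arguments
    print(expand_and_split(SAMPLE_HANDLERS["examplescheme-quoted"], uri))  # 2 arguments
```

The quoted template delivers the whole URI as one argument; the unquoted one hands the program an extra argument it never expected, which is exactly the class of defect the fix in 15.8.3 addresses.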

An attacker could embed a malicious iframe in a website with a crafted URL that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share.

To initiate the attack, the attacker could simply persuade a victim who has TeamViewer installed to click on a crafted URL on a website, for example using watering-hole attack techniques.

After the victim’s TeamViewer app initiates the connection to the remote SMB share, Windows makes that connection using NT LAN Manager (NTLM). NTLM is a challenge-response protocol that authenticates a user without transferring the user’s password. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password.

In this attack scenario, the NTLM request can then be relayed by attackers using the Responder toolkit, which captures SMB authentication sessions on an internal network and relays them to a target machine. This automatically grants attackers access to the victim’s machine. It also allows them to capture password hashes, which they can then crack by brute force.
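The forced authentication just described has a simple network signature: the victim host opens an SMB connection to an address outside the organisation. The script below is an added example, not from the article or any vendor tool; it parses constructed connection-log lines and flags TCP connections to SMB ports whose destination is not in the organisation’s internal ranges (RFC 1918 here). The log format and all addresses are constructed; documentation address ranges stand in for the internet.

```python
"""
Flag outbound SMB connections that leave the internal network.

Added example; it is not from the original article or any vendor tool. The
forced-authentication scenario ends with the victim host opening an SMB
connection (TCP 445, or 139 for legacy NetBIOS) to a server the attacker
controls, so SMB egress to a non-internal address is a practical detection,
and blocking it at the perimeter or host firewall is the usual mitigation.
The log format, addresses and timestamps below are constructed; adapt the
regex to your own firewall or flow export.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Internal address space as the organisation defines it (RFC 1918 here).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
SMB_PORTS = {139, 445}

# One connection record per line: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def is_internal(addr: str) -> bool:
    """True if `addr` falls in one of the organisation's internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_smb_egress(lines: List[str]) -> List[Dict[str, str]]:
    """Return records of TCP connections to an SMB port outside the internal networks."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        if rec["proto"].lower() != "tcp" or int(rec["dport"]) not in SMB_PORTS:
            continue
        try:
            if is_internal(rec["dst"]):
                continue  # ordinary file-server traffic
        except ValueError:
            continue  # unparsable address
        alerts.append(rec)
    return alerts


# Constructed sample log (documentation address ranges stand in for the internet).
SAMPLE_LOG = """\
2020-08-10T09:12:01Z src=10.1.2.30 dst=10.1.0.5 dport=445 proto=tcp
2020-08-10T09:12:07Z src=10.1.2.30 dst=203.0.113.45 dport=443 proto=tcp
2020-08-10T09:12:09Z src=10.1.2.30 dst=203.0.113.45 dport=445 proto=tcp
2020-08-10T09:12:10Z src=10.1.2.31 dst=198.51.100.9 dport=139 proto=tcp
2020-08-10T09:12:11Z src=10.1.2.31 dst=192.168.5.20 dport=445 proto=udp
this line is malformed
"""

if __name__ == "__main__":
    for rec in find_smb_egress(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rec['ts']}: {rec['src']} -> {rec['dst']}:{rec['dport']} SMB egress")
```

The internal ranges are listed explicitly rather than taken from a library’s notion of “private” addresses, because what counts as internal is an organisational decision and the same list is what an egress firewall rule would be built from.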

Fortunately for users, the attack is difficult to perform and requires user interaction.

TeamViewer versions prior to 15.8.3 are vulnerable, and the bug affects the application’s custom URI handlers, including: teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1 and tvvpn1.

The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.

Source

Find My Mobile with a flaw which leaves Samsung phones exposed to remote attacks

‘Find My Mobile’ is an Android app pre-installed on most popular Samsung smartphones. Due to a string of severe security vulnerabilities, remote attackers could track victims’ real-time location, monitor phone calls and messages, and even delete data stored on the phone.

According to researchers from the cybersecurity service provider Char49, the flaw can be easily exploited, and the implications for the user can be extremely serious: from permanent denial of service via phone lock and complete data loss via a factory reset (SD card included), to serious privacy implications via IMEI and location tracking, and even call and SMS log access.

There were four different vulnerabilities in the app that could have been exploited by malicious actors, allowing, among other things, a man-in-the-disk attack. The flaw stems from the fact that the app checks for the presence of a specific file on the device’s SD card (“/mnt/sdcard/fmm.prop”) in order to load a URL (“mg.URL”). A rogue app can create this file, which lets a bad actor potentially hijack the communications with the server. By pointing the MG URL to an attacker-controlled server and forcing the registration, the attacker can obtain many details about the user: coarse location via the IP address, IMEI, device brand, API level, backup apps, and several other pieces of information.

Attackers can also use an exploit chain that leverages two different unprotected broadcast receivers to redirect commands sent from the Find My Mobile app to Samsung’s servers to a different server under the attacker’s control and execute malicious commands. The malicious server forwards the request to the legitimate server and retrieves the response, but not before injecting its own commands into the server responses. This way, hackers could track the device’s location, grab call data and text messages for spying, lock the phone for ransom, and erase all data through a factory reset.

The flaws work on unpatched Samsung Galaxy S7, S8, and S9+ smartphones.

Source

ReVoLTE attack allows eavesdropping encrypted LTE calls

Researchers discovered a vulnerability in the Voice over LTE (VoLTE) protocol that can be used to break the encryption on 4G voice calls. But this is only one side of the problem. The attack is possible because mobile operators often use the same encryption key to secure multiple 4G voice calls that take place via the same base station (mobile cell tower).

Today, the latest version of the mobile telephony standards is 4G, commonly referred to as Long Term Evolution (LTE). Voice over LTE (VoLTE) is one of the many protocols that make up the larger LTE/4G mobile standard. By default, the VoLTE standard supports encrypted calls. For each call, mobile operators must select an encryption key (used with a stream cipher) to secure the call. Normally, this key should be unique for each call. Unfortunately, not all operators follow the 4G standard requirements.

How the ReVoLTE attack works

If an attacker can record a conversation between two 4G users using a vulnerable mobile tower, they can decrypt it at a later point. All an attacker has to do is place a call to one of the victims and record the conversation. The only catch is that the attacker has to place the call from the same vulnerable base station, in order to have their own call encrypted with the same/predictable encryption key. The longer the attacker [talks] to the victim, the more content of the previous conversation he or she [is] able to decrypt.
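The two statements above (a key must be unique per call, and the attacker recovers only as much of the victim call as their own call is long) both follow from how a stream cipher works. The following is an added example, not code from the ReVoLTE researchers, and its cipher is a stand-in rather than the LTE algorithm: it encrypts two constructed “calls” under one key, shows that XORing the ciphertexts cancels the shared keystream so the known call decrypts the unknown one, and then shows that a distinct key per call (an illustrative derivation, not the 3GPP key hierarchy) removes the leak.

```python
"""
Why reusing a per-call key breaks VoLTE confidentiality: a keystream-reuse demo.

Added example; this is not code from the ReVoLTE researchers and the cipher
below is a stand-in, not the LTE algorithm. The voice bearer is protected by a
stream cipher: ciphertext = plaintext XOR keystream, where the keystream is
derived from the call's key and a counter. If two calls under one base station
are encrypted with the same key, they share the keystream. XORing the two
ciphertexts cancels it and leaves plaintext_1 XOR plaintext_2, so an attacker
who knows plaintext_2 (their own call) recovers plaintext_1 for exactly as many
bytes as the known call is long, which is why a longer attacker call exposes
more of the victim call. The keystream generator is SHA-256 in counter mode,
chosen only to keep the example self-contained; derive_call_key illustrates
the fix and is not the 3GPP key derivation.
"""
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 over (key || counter), truncated to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption; decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def recover_victim_plaintext(victim_ct: bytes, attacker_ct: bytes, attacker_pt: bytes) -> bytes:
    """Recover the victim plaintext prefix covered by the attacker's known plaintext.

    Only meaningful when both ciphertexts were produced with the same keystream:
    attacker_ct XOR attacker_pt gives the keystream prefix, which then decrypts
    victim_ct. Nothing about the key itself is learned; the reuse alone is the flaw.
    """
    n = min(len(victim_ct), len(attacker_ct), len(attacker_pt))
    keystream_prefix = xor_bytes(attacker_ct[:n], attacker_pt[:n])
    return xor_bytes(victim_ct[:n], keystream_prefix)


def derive_call_key(base_key: bytes, call_id: int) -> bytes:
    """Illustrative fix: a distinct key for every call from a base key and a call counter."""
    return hashlib.sha256(base_key + b"call" + call_id.to_bytes(8, "big")).digest()


# Constructed data: one per-cell key (the misconfiguration) and two calls.
CELL_KEY = b"constructed-per-cell-key"
VICTIM_PT = b"Meeting moved to Friday at ten. Bring the signed contract."
ATTACKER_PT = b"Hello, this is the attacker's own test call."


def reused_key_leak() -> bytes:
    """Same key for both calls: returns the recovered prefix of the victim call."""
    victim_ct = encrypt(CELL_KEY, VICTIM_PT)
    attacker_ct = encrypt(CELL_KEY, ATTACKER_PT)
    return recover_victim_plaintext(victim_ct, attacker_ct, ATTACKER_PT)


def per_call_key_no_leak() -> bytes:
    """Distinct key per call: the same step yields bytes unrelated to the victim call."""
    victim_ct = encrypt(derive_call_key(CELL_KEY, 1), VICTIM_PT)
    attacker_ct = encrypt(derive_call_key(CELL_KEY, 2), ATTACKER_PT)
    return recover_victim_plaintext(victim_ct, attacker_ct, ATTACKER_PT)


if __name__ == "__main__":
    print("reused key  :", reused_key_leak())
    print("per-call key:", per_call_key_no_leak())
```

Note that the recovered prefix is exactly as long as the attacker’s known plaintext; bytes of the victim call beyond that length stay protected, which is the quantitative content of the researchers’ remark about call length.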

A demo of a typical ReVoLTE attack is available embedded below:

Researchers analyzed a random selection of base stations across Germany and found that 80% were using the same or a predictable encryption key, exposing users to ReVoLTE attacks. They reported the issues to both German mobile operators and the GSMA back in December 2019. German mobile operators appear to have fixed the issue, but other telcos across the world are most likely vulnerable.

Details about the ReVoLTE attack are available on a dedicated website. There is also a scientific paper detailing the ReVoLTE attack available to download here.

Source

Smart Lock vulnerability can give hackers full access to Wi-Fi network

August Smart Lock Pro + Connect has a vulnerability that, if exploited, can give threat actors full access to your Wi-Fi network.

Packed with spiffy and innovative features, August Smart Lock Pro + Connect lets users control their home’s main door or any other door. The owner can lock or unlock the door with just a tap, grant access to guests, and see who enters or leaves the house, among other features. But despite being one of the best sellers in the physical-security space, August Smart Lock Pro + Connect falls short.

The device itself cannot connect directly to the internet, whether wireless or wired, as it lacks the necessary hardware. So, when the user is within range, the lock is controlled via Bluetooth Low Energy (BLE).

In order to manage it remotely (giving access to guests, receiving instant notifications and checking statuses), August Smart Lock Pro + Connect requires a connection to the user’s Wi-Fi network. The + Connect Wi-Fi bridge establishes the link with the internet and relays commands to and from the user who controls the smart lock. To set up that connection, the device is put into a setup mode in which it acts as an access point that the smartphone connects to.

The application then sends the Wi-Fi login credentials to the smart lock. This communication is open (not encrypted), which makes it vulnerable to attack.

Bitdefender security researchers, who discovered the vulnerability, contacted August last December. Despite continuous alerts, the flaw hasn’t been fixed yet.

Source

Do you have a thirst for knowledge? There are ten more cybersecurity stories below.

1. Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks (Security Week)
2. Office 365 will let you manage phishing simulation emails (Bleeping Computer)
3. Malicious Actor Controlled 23% of Tor Exit Nodes (Security Week)
4. Upgraded Agent Tesla malware steals passwords from browsers, VPNs (Bleeping Computer)
5. Google to Microsoft: Nice Windows 10 patch – but it’s incomplete (ZDNet)
6. Critical Intel Flaw Afflicts Several Motherboards, Server Systems, Compute Modules (ThreatPost)
7. The Quest to Liberate $300,000 of Bitcoin From an Old Zip File (Wired)
8. Dharma ransomware created a hacking toolkit to make cybercrime easy (Bleeping Computer)
9. Amazon Alexa ‘One-Click’ Attack Can Divulge Personal Data (ThreatPost)
10. Emotet Return Brings New Tactics & Evasion Techniques (Dark Reading)