Affected Product: TeamViewer 12 Client for Windows PC
Credit: Souhardya Sardar and Rohit Bankoti
Contact: facebook.com/SouhardyaSardar.py
*Summary:*
Gom Player Installer contains a DLL hijack vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary code on the targeted
system and gain elevated privileges. The vulnerability exists because a
DLL file is loaded improperly by 'TeamViewer.exe'. This allows an
attacker to have a DLL file of the attacker's choosing loaded, which could
execute arbitrary code without the user's knowledge.
*Tested on*: Windows 7 Ultimate 6.1.7601 Service Pack 1 Build 7601
*Impact:*
An attacker can exploit this vulnerability to load a DLL file of the
attacker's choosing that could execute arbitrary code. This may help an
attacker to successfully exploit the system if the user creates a shell as a DLL.
POC:
# Vulnerable Library:
GPAPI.dll
Dir: C:\Program Files\TeamViewer
Create malicious DLL GPAPI.dll
Additionally, privilege escalation is possible if the TeamViewer client is running with higher privileges, e.g. NT\AUTHORITY
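
Detection side of the above, as an added example that is not part of the original advisory: a triage function over Sysmon image-load records (Event ID 7) that flags TeamViewer.exe loading GPAPI.dll from anywhere other than the Windows system directories. The dict layout, the sample events, example.dll and the trusted-directory list are constructed assumptions.

```python
from ntpath import basename, dirname, normcase

# Process and DLL names come from the advisory. The trusted directories are an
# assumption: a DLL of this name normally ships with Windows in these locations.
PROCESS = "teamviewer.exe"
WATCHED_DLL = "gpapi.dll"
TRUSTED_DIRS = {normcase(r"C:\Windows\System32"), normcase(r"C:\Windows\SysWOW64")}


def triage(event):
    """Return a finding string for one Sysmon Event ID 7 record, or None."""
    if event.get("EventID") != 7:
        return None
    if basename(event["Image"]).lower() != PROCESS:
        return None
    loaded = event["ImageLoaded"]
    if basename(loaded).lower() != WATCHED_DLL:
        return None
    if normcase(dirname(loaded)) in TRUSTED_DIRS:
        return None  # resolved from the system directory, as expected
    # A copy beside the executable is suspicious either way; unsigned is worse.
    signed = event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
    severity = "medium" if signed else "high"
    return f"{severity}: {event['Image']} loaded {loaded} (signed={signed})"


def scan(events):
    """Run triage over an iterable of events and keep only the findings."""
    return [finding for finding in map(triage, events) if finding]


# Constructed sample events, reduced to the fields the check reads.
TV = r"C:\Program Files\TeamViewer\TeamViewer.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": TV, "ImageLoaded": r"C:\Windows\System32\gpapi.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": TV, "ImageLoaded": r"C:\Program Files\TeamViewer\GPAPI.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\gpapi.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": TV, "ImageLoaded": r"C:\Program Files\TeamViewer\example.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```
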