15 Mar 2020

TeamViewer is a popular program for remote desktop connection. Therefore, we are quite interested to see how this program stores passwords. In short, all passwords are stored in the Windows registry in encrypted form. For encryption, the AES-128-CBC algorithm and the secret key 0602000000a400005253413100040000 are used. This method of saving passwords and the associated privilege escalation was officially registered on February 7, 2020, as the vulnerability CVE-2019-18988 (this vulnerability applies to all versions of TeamViewer up to and including 07/14/1965).

The novice security specialist who unveiled this vulnerability stumbled upon this vulnerability by accident. He says that he worked for the client and during the backup, he noticed TeamViewer registry keys called OptionsPasswordAES and SecurityPasswordAES. Subsequently, he became interested in what these keys were and how TeamViewer stores passwords in general. He imported them to a fresh system in a virtual machine and launched the BulletPassView scanner, which collects passwords in the system. The scanner gave TeamViewer password in plain text.

BulletPassView Scan Results
BulletPassView Scan Results

Then, the specialist searched for this password in RAM using the Cheat Engine program (for hacking games under Windows) - and found it again in plain text. Later it turned out that this vulnerability was already known two years ago as CVE-2018-14333. Then the guy decided to check from where the TeamViewer client gets the key: from the server or the localhost. It turned out that there is no network traffic, but there is still a password in the memory. The reverse engineering of TeamViewer binary code using IDA Pro, API Monitor, procdump and Frida took a few weeks for him, but it didn’t give any positive result, although the guy mastered several new tools along the way, so the process cannot be called useless.

While searching for information, he found out that a lot of people were already wondering how to find AES keys for Unity games in the resources. It turned out that this is a very simple process, for which it is enough to use a debugger. Six hours later, he found the TeamViewer code snippet responsible for AES encryption.

=================================================
"ServerPasswordAES"=hex:88,44,d7,0a,b2,96,2a,3d,63,16,3c,ff,e4,15,04,fb
=================================================
Takes 8844d70ab2962a3d63163cffe41504fb into xmm0
Takes 5B659253E5E873D26723B7D5EAC06E3B into xmm1
pxor xmm0, xmm1
movdqa xmmword ptr ds:[eax],xmm0
[eax] = D3214559577E59EF04358B2A0ED56AC0

movdqa xmm1,xmmword ptr ds:[esi] | [esi] = 25C8C8BD4298BB32A57EECBDBD045BBB
movdqa xmm0,xmmword ptr ds:[eax] | [eax] = D3214559577E59EF04358B2A0ED56AC0
aesdec xmm0,xmm1 | One round of an AES decryption, using Equivalent Inverse Cipher, 128-bit data (state) from xmm1 with 128-bit round key from xmm2/m128; store the result in xmm1.
movdqa xmmword ptr ds:[eax],xmm0 | [eax] = 6F AA 98 76 DE 11 7D 8D 7E B6 EE 61 2D 3D 15 52
movdqa xmm1,xmmword ptr ds:[esi+10] | [esi+10]=[008FDE10]=79 DC 78 A6 67 50 73 8F E7 E6 57 8F 18 7A B7 06
add esi,20 |
dec ecx | ecx = 3
aesdec xmm0,xmm1 | do the actual decryption
movdqa xmmword ptr ds:[eax],xmm0 | [eax]=[008FDC90]=E3 58 26 46 A7 37 12 40 85 1C C0 43 7D 1F 1E 30

Three more rounds of aesdec then
aesdeclast xmm0, xmm1 .| Last round of AES decryption, using Equivalent Inverse Cipher, 128-bit data (state) from xmm2 with a 128-bit round key from xmm3/m128; store the result in xmm1.

008FDC90 01 00 01 00 67 24 4F 43 6E 67 62 F2 5E A8 D7 04 ....g$OCngbò^¨×.

This code takes a few bytes of ServerPasswordAES from the registry and decrypts them using the key obtained by XOR with the prescribed values esi and eax. As a result, the key is 0602000000a400005253413100040000, and the value of IV equals 0100010067244F436E6762F25EA8D704.

In TeamViewer 14, the new scripting engine allows you to escalate privileges to NT AUTHORITY\SYSTEM by reading the TeamViewer password in the registry with user rights.

You can also decrypt some other passwords if you google [SecurityPasswordAES], [OptionsPasswordAES], [SecurityPasswordExported] or [PermanentPassword] with the search parameter [filetype: reg].

TeamViewer closed this vulnerability in recent versions. How the program encrypts passwords now, we have not figured it out yet.

Copyright © 2017-2020 LostMyPass.com

Top