""ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)""
SID: 2030668
Revision: 2
Class Type: attempted-admin
Metadata: attack_target Client_Endpoint, created_at 2020_08_10, cve CVE_2020_13699, deployment Perimeter, signature_severity Major, tag Teamviewer, updated_at 2020_08_10
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,from_server
Contents:
-
Value: "<iframe|20|"
-
Value: "|20|src="
-
Value: "|3a 20|--play"
-
Value: ".tvs"
Within:
PCRE: "/^[\x22\x27]t(?:eamviewer(\d+|api)|v(c(hat|ontrol)|filetransfer|joinv|present|s(endfile|q(customer|support))|v(ideocall|pn))\d)/R"
Special Options:
-
file_data
-
fast_pattern