To elaborate on ewanm89's post, TeamViewer does use UDP pinholeing.
UDP is a stateless protocol. This means packets are fired off at their target with no verification (at the protocol level) that they were received or even reached the destination. Firewalls are designed to look for UDP packets and record the source and destination as well as the timestamp. If they see an inbound packet that matches an outbound packet they will generally allow the packet through even without a specific rule being placed in the firewall's access list. This can be locked down on enterprise grade devices, but in general 90% of the firewalls out there will allow return traffic.
In order to pin hole your machine (viewer) has a TCP connection back to the main TeamViewer server. The target machine (client) also has a TCP connection to the main TeamViewer Server. When you hit connect your machine tells the main server its intention. The main server then gives you the IP address of the client machine. Your machine then begins firing UDP packets at the client. The client is signaled that you intend to connect and is given your IP. The client also starts firing UDP packets at you.
If the firewalls are "P2P-friendly", this causes both firewalls (yours and the client's) to allow the traffic, thus "punching holes" in the firewall. Specifically, this requires the firewalls to not change the public port of an outbound packet merely because its destination has changed; the firewall must reuse the same public port as long as the source of the packet hasn't changed. If your firewalls don't behave in such a friendly manner, then this won't work. Many firewalls do behave this way, though.
Of course TeamViewer adds some security by doing a pin/password check before the main server sends the IP info to both parties but you get the idea.