Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 FAQ •  Search •  Register •  Login 
It is currently 16 Sep 2014 22:26

All times are UTC [ DST ]



Welcome
ARCHIVE-ONLY FORUM!


Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 8 posts ] 
Author Message
 Post subject: TeamSpeak 3 vulnerabilities
PostPosted: 16 Jun 2010 21:57 

Joined: 13 Aug 2007 21:44
Posts: 4071
Location: http://aluigi.org
server's terminations, crash and execution of some admin commands that allow to change various things on the server (password, maxclients and so on).
in my opinion it deserves to be read:
http://aluigi.org/adv/teamspeakrack-adv.txt

and obviously also the TeamSpeak 3 ServerQuery Manual needs to be read to understand better the bug about the execution of admin commands


Top
 Profile  
 
 
 Post subject: Re: TeamSpeak 3 vulnerabilities
PostPosted: 17 Jun 2010 08:49 

Joined: 13 Aug 2007 21:44
Posts: 4071
Location: http://aluigi.org
I would also like to add some informations about the process used for finding these vulnerabilities, maybe for who is interested in the researching of security bugs in general or just curiosity.

like any of my "sessions" it required almost one day (yeah I'm a slow guy) which includes the:
- reversing of the protocol (not yet finished because I worked on these bugs)
- a minimal understanding of how it's implemented and works (for example that thing of the packets-rate limitation from the same udp port)
- fuzzing with the testing of each command manually or automatical in reference to the ServerQuery manual and all the commands stored in the process
- writing of the proof-of-concept in real-time during the tests
- additional random tests and fuzzing
- testing of the vulnerabilities on a vanilla installation (another computer of mine) for their confirmation
- writing of the advisory

about the fix:
it's just a news of this moment that a beta25 version of the server will be released within 24 hours


Top
 Profile  
 
 Post subject: Re: TeamSpeak 3 vulnerabilities
PostPosted: 18 Jun 2010 09:12 

Joined: 09 Apr 2008 08:06
Posts: 66
Location: USA
I must say this exploit is by far one of the most amazing ones I've seen you find. You impress me btw aluigi just out of curiousity is there a syntax command for deleting all channels or finding out channel ID's/user ID's? I'm just not too sure I looked around couldnt find much. And how would I go about adding someone as admin if I wanted?


Top
 Profile  
 
 Post subject: Re: TeamSpeak 3 vulnerabilities
PostPosted: 18 Jun 2010 10:00 

Joined: 13 Aug 2007 21:44
Posts: 4071
Location: http://aluigi.org
for deleting all the channels I guess you can only use the brute forcing method like the one I used for some of the other tests available in my PoC.
if you can't recompile the PoC it's enough that you modify the executable with a hex editor, from:
Code:
clientkick clid=%d reasonid=5
to
Code:
channeldelete cid=%d force=1
remember aspace or a NULL byte to cover the last byte not covered by the new string ('5').

then you can test it with bug 8:
teamspeakrack 8 SERVER PORT

so this same method should be used for any other ID related operation because, as far as I know, there is no way to see the IDs through this vulnerability.

while for the question about adding someone as admin I guess you must refer to the ts3 ServerQuery Manual because I'm not an expert of ts3 administration which looks a complex thing (tokens, ids, blah)


Top
 Profile  
 
 Post subject: Re: TeamSpeak 3 vulnerabilities
PostPosted: 20 Jun 2010 23:51 

Joined: 09 Apr 2008 08:06
Posts: 66
Location: USA
ahhh great idea, worked like a charm aluigi. :D thanks, i'm amazed to how ignorant people are that own their own servers and dont even upgrade. It's in beta still so I mean wtf expect a shit ton of releases lol. Still a very good find on that exploit aluigi good work yet again.


Top
 Profile  
 
 Post subject: Re: TeamSpeak 3 vulnerabilities
PostPosted: 22 Jun 2010 00:31 

Joined: 01 Jun 2010 05:58
Posts: 18
I was on it to take a look at the ts3 protocol, but this... pew blow me away.
Im allways amazed how quick you can understand a protocol that is a:crypted b: you have never seen befor


Top
 Profile  
 
 Post subject: Re: TeamSpeak 3 vulnerabilities
PostPosted: 22 Jun 2010 14:34 

Joined: 22 Jun 2010 14:31
Posts: 1
It's patched with beta25 :)


Top
 Profile  
 
 Post subject: Re: TeamSpeak 3 vulnerabilities
PostPosted: 25 Jun 2010 11:49 

Joined: 09 Apr 2008 08:06
Posts: 66
Location: USA
already known but thanks for the input jeff, if no one had been a white knight it would've taken longer to fix probably but either way I give them props for taking very short time patching it... i just wish people were smart and would upgrade theres still vulnerable servers out there lol...


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 8 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
suspicion-preferred