- Apr 26, 2015
So, as some people might already know, the banner settings of the TeamSpeak server are fundamentally flawed regarding client interaction.
So what do we have?
Two simple fields: Banner Gfx URL and URL.
Those two fields normally point to URLs. But they are not treated the same as every other URL "holder" of the client.
Every normal URL that you post to the chat is at least checked before being formatted as such.
And when you try to open/click a URL, whether it is a normal one or the banner one, it is handled by the Qt function QDesktopServices::openUrl(). This handler passes the URL to the OS URI handler. On most Linux distributions that handler is exo-open; on Windows I don't really know how it is done.
So, first things first: what are the protections put in place on those two fields (the banner ones)?
Well, there is only one that I know of. It was integrated in version 3.0.14, if I recall correctly. And it just checks the banner file to see if it is indeed an image and if it is not too big.
That's a good start, right? Yes it is! But that's not nearly enough!
The URI protocol is not checked on either of these fields. Do you know what this means?
This simply means you can put any URI scheme. Normally you'd put something like http://google.com for a banner URL.
Well, what would happen if you put file:///C:/windows/system32/notepad.exe?
Yes, you got it: you can launch any user-installed program, given that you know its location.
A funny one to try is tsdiscon.exe, for example. You can do something similar on Linux too.
There is also the banner URL that I haven't talked about.
Well, that's more of the same x). Here's a Linux (Ubuntu) example to end this post:
I'm sure there's more to it, but I haven't got much time to test it all.
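A defender-side check for the gap described in the post, as an added example that is not TeamSpeak's code or the poster's: plain C++ with no Qt dependency, and the function names `uri_scheme` and `banner_url_allowed` are hypothetical. It allow-lists the scheme of a server-supplied banner value before anything is handed to the desktop URL handler.

```cpp
#include <cctype>
#include <string>

// Hypothetical helper: lower-cased scheme of `url`, or "" when the value has
// no syntactically valid RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / + / - / . )
std::string uri_scheme(const std::string& url) {
    const std::string::size_type colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    if (!std::isalpha(static_cast<unsigned char>(url[0]))) return "";
    std::string scheme;
    for (std::string::size_type i = 0; i < colon; ++i) {
        const unsigned char u = static_cast<unsigned char>(url[i]);
        if (!std::isalnum(u) && u != '+' && u != '-' && u != '.') return "";
        scheme.push_back(static_cast<char>(std::tolower(u)));
    }
    return scheme;
}

// Hypothetical gate to run on a server-supplied banner value before it is
// fetched or passed to the desktop URL handler. Allow-list, not deny-list.
bool banner_url_allowed(const std::string& url) {
    // Reject spaces and control characters anywhere in the value.
    for (std::string::size_type i = 0; i < url.size(); ++i) {
        const unsigned char u = static_cast<unsigned char>(url[i]);
        if (u <= 0x20 || u == 0x7f) return false;
    }
    // Only web schemes pass; file: and every other scheme is refused.
    const std::string scheme = uri_scheme(url);
    if (scheme != "http" && scheme != "https") return false;
    // Require "//" and a non-empty authority after the scheme.
    const std::string rest = url.substr(scheme.size() + 1);
    return rest.size() > 2 && rest.compare(0, 2, "//") == 0 && rest[2] != '/';
}
```
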