Hotfix for TeamSpeak vulnerabilities [till 3.0.13] 1.0.0

[VJean]

Also the following has been reported to work:

i tested on my server working crash my server, but i added a line iptables, tools send length 315, i drop this packet on iptables and working for me
-A INPUT -p udp -m udp -j DROP --match length --length 300:350

I just did a quick Diff. So if you want to, you can fix your binaries yourself:

-A INPUT -p udp -m udp -m multiport --ports 9987:9997 -m length --length 300:400 -m string --hex-string "|545333494e495431|" --algo kmp -m comment --comment "TS3 sploit" -j LOG --log-prefix "TS3 sploit: " --log-level 4
-A INPUT -p udp -m udp -m multiport --ports 9987:9997 -m length --length 300:400 -m string --hex-string "|545333494e495431|" --algo kmp -m comment --comment "TS3 sploit" -j DROP

or

-I INPUT 5 -p udp -m udp -m multiport --ports 9987:9997 -m length --length 300:400 -m string --hex-string "|545333494e495431|" --algo kmp -m comment --comment "TS3 sploit" -j LOG --log-prefix "TS3 sploit: " --log-level 4
-I INPUT 6 -p udp -m udp -m multiport --ports 9987:9997 -m length --length 300:400 -m string --hex-string "|545333494e495431|" --algo kmp -m comment --comment "TS3 sploit" -j DROP

where 5,6 - number line rule.

 

[dedmen]

-A INPUT -p udp -m udp -m multiport --ports 9987:9997 -m length --length 300:400 -m string --hex-string "|545333494e495431|" --algo kmp -m comment --comment "TS3 sploit" -j LOG --log-prefix "TS3 sploit: " --log-level 4
-A INPUT -p udp -m udp -m multiport --ports 9987:9997 -m length --length 300:400 -m string --hex-string "|545333494e495431|" --algo kmp -m comment --comment "TS3 sploit" -j DROP

or

-I INPUT 5 -p udp -m udp -m multiport --ports 9987:9997 -m length --length 300:400 -m string --hex-string "|545333494e495431|" --algo kmp -m comment --comment "TS3 sploit" -j LOG --log-prefix "TS3 sploit: " --log-level 4
-I INPUT 6 -p udp -m udp -m multiport --ports 9987:9997 -m length --length 300:400 -m string --hex-string "|545333494e495431|" --algo kmp -m comment --comment "TS3 sploit" -j DROP

where 5,6 - number line rule.

Just so no one gets confused by that.. This is not a fix.. Its just a workaround.. We just have to change one line of code in our exploit to circumvent that

 

[MTGmati]

3.0.13 binary linux x64 working with emulator
Download: http://www55.zippyshare.com/v/fMVi5w4f/file.html
Scan: https://www.virustotal.com/pl/file/...8297723b38cb3a962273b6af/analysis/1471173095/

This is confirmed 100%?

 

[Przemekb88]

This is confirmed 100%?

I just replaced binaries downloaded from https://r4p3.net/threads/teamspeak-server-crack-3-0-13.2821/ with hex editor like in 1st post in this topic. So it should work.

 

[xImAvid]

This is confirmed 100%?

For me it's working

 

[xImAvid]

I just replaced binaries downloaded from https://r4p3.net/threads/teamspeak-server-crack-3-0-13.2821/ with hex editor like in 1st post in this topic. So it should work.

It is working thank you

 

[Gonçalo Santos]

can someone test the crash on my teamspeak?
ip: *REMOVED*
let me know if it worked or not pls

 

[Fls]

i tested on my server working crash my server, but i added a line iptables, tools send length 315, i drop this packet on iptables and working for me
-A INPUT -p udp -m udp -j DROP --match length --length 300:350

It works, but sinusbot if I have occupied enters but it goes dropped

http://prntscr.com/c5ojgc

Help me please

 

[BeHolder]

3.0.11.4 on Linux is safe now?

 

[dedmen]

3.0.11.4 on Linux is safe now?

No

 

[dedmen]

i tested on my server working crash my server, but i added a line iptables, tools send length 315, i drop this packet on iptables and working for me
-A INPUT -p udp -m udp -j DROP --match length --length 300:350

It works, but sinusbot if I have occupied enters but it goes dropped

http://prntscr.com/c5ojgc

Help me please

Thats because you are blocking valid packets... Our crasher is sending the same stuff as a normal teamspeak client.. If you are dropping that dont expect other clients to be fine...

 

[Fls]

Thats because you are blocking valid packets... Our crasher is sending the same stuff as a normal teamspeak client.. If you are dropping that dont expect other clients to be fine...

Local bot either of the bot second server are no problem
I need fix that please.

 

[NoXx]

Local bot either of the bot second server are no problem
I need fix that please.

Teamspeak released a new server version some minutes ago. Check their forums, it fixes the vulnerabilities.

 

[Mpsmith]

Teamspeak released a new server version some minutes ago. Check their forums, it fixes the vulnerabilities.

ok upgraded

 

[MTGmati]

I just replaced binaries downloaded from https://r4p3.net/threads/teamspeak-server-crack-3-0-13.2821/ with hex editor like in 1st post in this topic. So it should work.

And it will work on the emulator ?

 

[Radat]

ok upgraded

How do you cracked it?

 

[Mpsmith]

How do you cracked it?

You Can Find Patcher in VIP Zone

 

[Przemekb88]

And it will work on the emulator ?

Yes it works on emulator.

 

[Norvik]

How do you cracked it?

https://r4p3.net/threads/create-your-own-ts3-crack.77/

 

[markusmarkusz]

TeamSpeak 3.0.13.1 got removed.

My apologies guys, but we'll have to pull the latest 3.0.13.1 update as we've identified a reproducible crash related to ServerQuery logins.

If you've already updated to 3.0.13.1, we strongly recommend that you either block access to the ServerQuery interface or downgrade to version 3.0.13until our dev team has fixed the issue.

http://forum.teamspeak.com/threads/126508-0-day-vulnerabilities-in-server-3-0-13?p=434111#post434111