How to protect yourself against the RFI vulnerability in TeamSpeak

Supervisor

Administrator
Apr 27, 2015
Update to 3.0.18.2 or newer


There are a few ways to protect yourself against this vulnerability.
  • Sandbox
  • a separate virtual machine only for TeamSpeak
  • a restricted, separate Windows user account only for TeamSpeak (looks like it's not gonna work because Windows security is SHIT)
  • checking your shell:startup directory every time before you shut down your computer
  • use the program provided here to lock your autostart directory
  • TeamSpeak updated this severe issue very fast. Version 3.0.18.1 is available on the TeamSpeak website. Link to the news thread here
    Keep in mind: a lot of users won't update within the next months if the hosting providers don't force them.

Of those three, running TeamSpeak in a Sandbox is the safest way, as the Autostart should not get executed in there (I hope I'm right about this..)

Another way is to use TeamSpeak in either a Linux virtual machine (safe), or a separate Windows virtual machine used only for TeamSpeak. If you use the Windows one, they can still get your TeamSpeak identities and stuff like that. (Combine your identities and your favorite servers, and they may get Serveradmin access pretty easily.)

The third way would be the easiest one to use, unfortunately I didn't make that work, yet.

The last way is to check your startup directory every time you shut down your computer. You'll have to remember every file which belongs in there; if you see any file which does not, it could be a potential virus/malware/...
Checking whether this file is a link is not reliable, as the attacker could easily drop two files to your computer: the virus, and the link to the virus in the startup. So checking file size is not a good option.
 

bl4uni

Active Member
Sep 10, 2015
Will the file or whatever got downloaded show in CCleaner? (Tools -> Autostart)
 

Supervisor

Administrator
Apr 27, 2015
If CCleaner checks this directory: shell:startup (just type that into your Windows Explorer in the top bar), then it will be displayed, yes.
 

bl4uni

Active Member
Sep 10, 2015
I just tested this and it does. It is also very easy to distinguish from the other entries because it says "Startup User" in "Key". But if I didn't misunderstand this whole thing, it's basically possible to download and execute any file? Couldn't that just be, for example, a RAT which writes itself in HKCU:Run?
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
You could do anything. (After the autostart execution)
 

Supervisor

Administrator
Apr 27, 2015
Well, it cannot download and execute. The execution is a problem of Windows - you basically have to download the file into the startup directory, then it will be executed the next time your Windows starts up.
 

bl4uni

Active Member
Sep 10, 2015
Okay, thank you for the information. As long as no other way is found for a file to execute itself, I will be on the safe side just checking my Autostart.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
We have been reviewing Windows security policies (groups/users). There is minimal room for patching this issue, to my knowledge. I figured on Windows you could just add a user account, then isolate access to the appropriate TeamSpeak %appdata% stuff and the Program Files folder. The more I research this, the more I believe it to be that Windows is incapable, as if Windows never finished their security policies project. Linux just works, Windows is broken. Sweep up the broken glass and throw it in the /root/.local/share/Trash.

It looks like our final option is to monitor the contents of the Startup folder to check for new items. In the event that there is a new item, perhaps automatically rename the file to attach ".insecure" at the end. This would protect you from an executable format being dropped in and run. If you ran this at the start of login/Windows, you would be much safer in my opinion. Anyone think I should make this? :cool:
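
The Startup-folder monitor proposed in the post above, together with the manual shell:startup check from the first post, as an added PowerShell example that is not part of the original thread. It records a SHA-256 baseline of the folder and appends ".insecure" to anything new or changed; the parameter names, function name and baseline location are assumptions made for this illustration.

```powershell
# Added example (not from the thread). Parameter names, the function name and
# the baseline location are assumptions made for this illustration.
param(
    [string]$StartupDir   = [Environment]::GetFolderPath('Startup'),  # what shell:startup opens
    [string]$BaselinePath = (Join-Path $env:LOCALAPPDATA 'startup-baseline.json'),
    [switch]$Init   # record the current folder contents as trusted
)

# Map every file name in the folder (hidden ones included) to its SHA-256.
function Get-StartupSnapshot([string]$Dir) {
    $snap = @{}
    Get-ChildItem -LiteralPath $Dir -File -Force | ForEach-Object {
        $snap[$_.Name] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $snap
}

if ($Init -or -not (Test-Path -LiteralPath $BaselinePath)) {
    Get-StartupSnapshot $StartupDir | ConvertTo-Json |
        Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
    return
}

# Load the trusted name -> hash map (ConvertFrom-Json yields an object, not a hashtable).
$known = @{}
(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $known[$_.Name] = $_.Value }

$current = Get-StartupSnapshot $StartupDir
foreach ($name in $current.Keys) {
    if ($name -like '*.insecure') { continue }   # already quarantined on an earlier run
    if ($known.ContainsKey($name) -and $known[$name] -eq $current[$name]) { continue }

    # New file, or a known name whose content changed: append ".insecure" so the
    # file no longer carries an executable or shortcut extension.
    $target = "$name.insecure"
    if (Test-Path -LiteralPath (Join-Path $StartupDir $target)) {
        $target = '{0}.{1:yyyyMMddHHmmss}.insecure' -f $name, (Get-Date)
    }
    Rename-Item -LiteralPath (Join-Path $StartupDir $name) -NewName $target
    Write-Warning "Startup item '$name' is not in the baseline; renamed to '$target'"
}
```

Run it once with `-Init` while the folder is known to be clean, then run it without arguments at logon. Comparing hashes rather than file type or size also catches a known file that has been overwritten.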
 

Kaptan647

Retired Staff
Contributor
Apr 25, 2015
bl4uni said: "Okay, thank you for the information. As long as no other way is found for a file to execute itself, I will be on the safe side just checking my Autostart."
Yeah, this will protect you from executions, but it might be possible to overwrite any file and corrupt your files. I have to make more tests about that.
 

Bluscream

Retired Staff
Contributor
May 8, 2015
For protection I would suggest using UltraVirusKiller
Another important recently added section is the System immunization. This feature effectively prevents changes to the most vulnerable registry keys and files, and can optionally prevent running files in specific directories. It doesn't replace an anti-virus software, but it's a fine lightweight complement

bl4uni

Active Member
Sep 10, 2015
TeamSpeak just fixed this, Ver. 3.0.18.1

I highly suggest doing this:
tm978qxj.png


Alternatively (in case you don't use YatQa):
Code:
login username password
use 0 // default settings for virtual servers you create in the future
serveredit virtualserver_min_client_version=1444491275
use port=9987 // repeat this for all existing virtual servers
serveredit virtualserver_min_client_version=1444491275

Source:
http://forum.teamspeak.com/showthre...DATE-TeamSpeak-3-Client-3-0-18-1-is-Available
 