package_inst.exe TeamSpeak 3 Vulnerability 1

[Asphyxia]

This thread has been mirrored from: http://forum.teamspeak.com/threads/123400-Bug-in-package_inst-exe

Bug in package_inst.exe: Loading files from HTML tag img. Files placed in folder, from opening *.ts3_xxx file.

package.ini

Description = "<img src=\"facepalm.gif\"></img>"

Files listing in one folder:

file.ts3_addon
facepalm.gif​

In itself, reading the file in the same directory - bug.
In theory, we find a bug in qjpeg.dll or qgif.dll, force the user to download a infected file and .ts3_xxx file. The user starts the .ts3_xxx an administrator (start by default)... enter good worms.
Also, read any files prescribed in this tag.

Description = "<img src=\"c:\windows\system32\calc.exe"></img>"

Description = "<img src=\"c:\\windows\\system32\\calc.exe\"></img>"

No, only read.


even in a coin box, the code will not publish:
1. hang package_inst.eÑ…e
2. Disclosure ip, OS version, machine and user name

and error on unpack *.ts3_xxx: if archive not unpacked, program don't delete folder %TEMP%\ts3import\* on exit

 

[ehthe]

So that way you can use the __utm.gif and get analytics

 

[Asphyxia]

I would not be surprised if you could hijack someone's computer system using a package/plugin (easily so). TeamSpeak 3 is not safe.

 

[ehthe]

Well when you install a plugin you're already fucked (it's a freaking dll) so there's not much more you can do with this vuln xD

 

[Asphyxia]

It's just the principle --- TeamSpeak 3 is riddled with so many issues that are bizarrely dumb and I do not understand how they are all so overlooked.