R4P3 TeamSpeak Server Crash [ till 3.0.12.4-Beta 1 ]

Status
Not open for further replies.

Supervisor

Administrator
Apr 27, 2015
1,863
2,546
335
Now a little bit of storry first:
We contacted TeamSpeak on 2/March that we did find a new vulnerability in TeamSpeak Server 3.0.12.2. Since they released 3.0.12.3 today, they might think they're secure. Well, as you can see below... they are really not.
We will release the exploit in about one week if TeamSpeak doesnt reply to our Email. (Only reply, not fixing anyting). Seems fair to me.

So here you've got the PoC video for version 3.0.12.3, released today (4/March/2016). The video only shows 3.0.12.3, but it also works for all versions below 3.0.12.3

Credits go to: @Kaptan647 @Derp @ehthe @Asphyxia @Supervisor


/Update: TeamSpeak did reply to us, so we might not release the exploit in one week. We'll see.

/Update2:
The priority of security for TeamSpeak software has been addressed with the utmost importance and has now been recegnized by TeamSpeak and the R4P3 staff. As the R4P3 staff we feel it's in the best interest for the security of teamspeak software to not publicly disclose the informations as of right now.
 
Last edited:

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
Before:

After:
bf4e3dab0829e5cb2363d647a8d59232.png
 
Last edited:

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
Changelog said:
=== Server Release 3.0.12.3 4 march 2016
- fixed an other server crashes on malicious input

=== Server Release 3.0.12.2 15 feb 2016
- fixed more server crashes on malicious input
- reduced memory use

=== Server Release 3.0.12.1 9 feb 2016
- fix 2 server crashes on malicious input
- fixed file stat bugs on windows xp
- fixed logview command returning utf8 byte order mark

=== Server Release 3.0.12 26 jan 2016
+ added "virtualserver_min_android_version" and "virtualserver_min_ios_version" to specifically
set the minimal allowed client versions for android and ios on the server.
+ added "-mapping" to the serversnapshotdeploy command. This optional parameters will add a mapping
of the old and new channelid's in the return
+ Grouped several SQL queries together into one statement which improves performance
- fixed clientdbfind command returning false entries
- fixed some hangs after heavy network io on linux/freebsd/osx
- fixed issue with clientinfo command
- fixed crash when (automatically) deleting a channel
- fixed tsdnsserver libc++ issue on Linux
* The server will now print a warning if the locale is set to "C"
* Replaced Server query manual pdf file with a html version
* Unsigned variables (client/server/instance etc) now only accept positive values and -1 (synonym
for maximum value). Other negative values result in conversion error.

* Serverquery manual fixes
* Made a small change to the way the server handles the initialization protocol
! Removed "virtualserver_max_upload_total_bandwidth" and
"virtualserver_max_download_total_bandwidth" from the server template if the value was "-1"
! The server binaries file names now do NOT have the platform suffixes any more. They are all
called "ts3server"
! The OSX version is now 64 bit only. OSX 10.7 is now the minimum supported version.
! Some SQL queries changed or added. If you use custom SQL queries, please take note of this.
! The minimum supported FreeBSD version for the server is 10.1 from now on. Release 3.0.13 (next)
will need a libc++ from ports/pkg or FreeBSD 10.2.
Last 4 updates are R4P3 related hahaha :DDD
 
Status
Not open for further replies.
Top