TeamSpeak 3.0.18.2 RFI/RCE - Possible(?)

[Pangea]

UPDATE TO BETA VERSION!

3.0.8.2 got an RFI, I did not manage to traversal(yet) but it executes perfectly.

 

[Kaptan647]

Sending you code with IMG is not a problem or traversal directory is not either. The biggest problem is file extention and i belive we cant do anything about it

 

[Phyx]

In order for anything to happen (with this vulnerability) we must:

• Get the code in the file, which is not very hard as you have come to find out.
• Get the file renamed to have a malicious extension like ".bat", ".exe", etc.
• Get the file into a directory to be executed, like the Startup directory.

With the file name being generated now, I am pretty sure it is patched --- the TeamSpeak developers rebuilt their caching system basically, with a focus on security. I will look into it some more although the R4P3 security team has already done some testing on it, it seems safe at this time.

 

[JayJax]

Sending you code with IMG is not a problem or traversal directory is not either. The biggest problem is file extention and i belive we cant do anything about it

We actualy cant do anything about it its something within the teamspeak client that has to be fixed.
So hardcoded stuff.

 

[Pangea]

We actualy cant do anything about it its something within the teamspeak client that has to be fixed.
So hardcoded stuff.

Hardcoded stuff has an unfortunate ability to break very easily.

 

[JayJax]

Hardcoded stuff has an unfortunate ability to break very easily.

.....?

 

[0day]

Hardcoded stuff has an unfortunate ability to break very easily.

You can't make an apple into a watermelon. If you could, then you probably never needed the apple.

 

[Pangea]

UPDATE TO BETA VERSION!

You can't make an apple into a watermelon. If you could, then you probably never needed the apple.

You're totaly correct! You can't make an apple into a watermelon.
I have no idea what kind of philosophy institute you're going to, but we're speaking about code and development.
Computers may be perfect, users are not. TS-developers are users, you may retain these metaphors

Nontheless, TS 3.0.8.2 IS STILL VULNURABLE.

Hint: image-image

 

[LayerISOModel]

So if someone find a way to bypass the file extension checker he could again infect people with his RCE on startup folder ?

 

[User_418]

Just to point a typo - 3.0.8.2 in thread name and your messages should be 3.0.18.2.

 

[Derp]

Please, Avoid making false statements on something you don't fully know

The 3.0.18.2 Caching System is not simply doing a File Extension check, It is completely hashing the ImageFile thus, definitively killing the RFI

There is not and won't be a second RFI (using the IMG bb tag vector)

That's all we know, for now

 

[Pangea]

Please, Avoid making false statements on something you don't fully know

The 3.0.18.2 Caching System is not simply doing a File Extension check, It is completely hashing the ImageFile thus, definitively killing the RFI

There is not and won't be a second RFI (using the IMG bb tag vector)

That's all we know, for now

I'll give you one hint, img-description-img (has nothing to do with the TS3 description)

 

[0day]

You're totaly correct! You can't make an apple into a watermelon.


Hint: image-image

Sometimes I just like randomly throwing semi related bits of philosophy out there to elicit a response lol.
Any-who, good luck on your research!