TeamSpeak 3.0.18.2 RFI/RCE - Possible(?)

Pangea

Member
Oct 26, 2015
UPDATE TO BETA VERSION!

3.0.8.2 got an RFI, I did not manage to traversal(yet) but it executes perfectly.
 

Kaptan647

Retired Staff
Contributor
Apr 25, 2015
Sending you code with IMG is not a problem, and traversal directory is not either. The biggest problem is the file extension, and I believe we can't do anything about it.
 

Phyx

Member
Oct 21, 2015
In order for anything to happen (with this vulnerability) we must:
  • Get the code in the file, which is not very hard as you have come to find out.
  • Get the file renamed to have a malicious extension like ".bat", ".exe", etc.
  • Get the file into a directory to be executed, like the Startup directory.
With the file name being generated now, I am pretty sure it is patched --- the TeamSpeak developers rebuilt their caching system basically, with a focus on security. I will look into it some more although the R4P3 security team has already done some testing on it, it seems safe at this time. :cool:
 

JayJax

Active Member
Apr 28, 2015
Sending you code with IMG is not a problem, and traversal directory is not either. The biggest problem is the file extension, and I believe we can't do anything about it.

We actually can't do anything about it; it's something within the TeamSpeak client that has to be fixed.
So hardcoded stuff.
 

Pangea

Member
Oct 26, 2015
We actually can't do anything about it; it's something within the TeamSpeak client that has to be fixed.
So hardcoded stuff.
Hardcoded stuff has an unfortunate ability to break very easily.
 

Pangea

Member
Oct 26, 2015
UPDATE TO BETA VERSION!
You can't make an apple into a watermelon. If you could, then you probably never needed the apple.
You're totally correct! You can't make an apple into a watermelon.
I have no idea what kind of philosophy institute you're going to, but we're speaking about code and development.
Computers may be perfect, users are not. TS-developers are users, you may retain these metaphors

Nonetheless, TS 3.0.8.2 IS STILL VULNERABLE.

Hint: image-image
 

LayerISOModel

Restricted
Oct 29, 2015
So if someone finds a way to bypass the file extension checker, he could again infect people with his RCE via the startup folder?
 

User_418

Just to point a typo - 3.0.8.2 in thread name and your messages should be 3.0.18.2.
 

Derp

Retired Staff
Contributor
Apr 30, 2015
Please, avoid making false statements on something you don't fully know.

The 3.0.18.2 caching system is not simply doing a file extension check; it is completely hashing the ImageFile, thus definitively killing the RFI.

There is not and won't be a second RFI (using the IMG bb tag vector)

That's all we know, for now
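Added example, not code from this thread or from TeamSpeak: it contrasts the two cache-naming schemes the posts argue about. Phyx's three preconditions all hinge on the remote side choosing the cached file's name and extension (and, via traversal, its directory), while Derp describes the 3.0.18.2 fix as hashing the image file. The hardened scheme below derives the on-disk name only from a content hash and the sniffed image type, so nothing the remote server sends ever reaches the filesystem as a path component. The cache directory, the magic-byte table and the sample payloads are assumptions constructed for illustration; the real client's paths and internals are not on the page.

```python
import hashlib
import os
from urllib.parse import urlparse

# Assumed cache location (hypothetical; the real client path is not on the page).
CACHE_DIR = "/tmp/ts_image_cache"

# Leading bytes -> extension we are willing to write. The type is decided from
# content only; the remote file name never influences it.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed sample payloads (not real images, just enough header to classify).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_NON_IMAGE = b"this is not an image file\n"


def path_is_inside(base, path):
    """True if `path` resolves to a location under `base` (symlinks resolved)."""
    base = os.path.realpath(base)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) == base


def naive_cache_path(url, cache_dir=CACHE_DIR):
    """Weak scheme: trust the URL path for the name, the extension and any '..'.

    This is the shape of cache the thread worries about: the remote side picks
    the base name, the extension, and can try to steer the file elsewhere.
    """
    remote_name = urlparse(url).path.lstrip("/")
    return os.path.join(cache_dir, remote_name)


def sniff_extension(data):
    """Return an extension from the payload's magic bytes, or None if unknown."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def hashed_cache_name(data):
    """Hardened scheme: name = SHA-256 of content + extension from sniffed type.

    Unknown types are refused outright rather than written with a guessed name.
    """
    ext = sniff_extension(data)
    if ext is None:
        raise ValueError("payload is not a supported image type; not cached")
    return hashlib.sha256(data).hexdigest() + "." + ext


def hashed_cache_path(data, cache_dir=CACHE_DIR):
    """Full path for the hardened scheme, with a containment check as defence in depth."""
    path = os.path.join(cache_dir, hashed_cache_name(data))
    if not path_is_inside(cache_dir, path):
        raise ValueError("cache path escaped the cache directory")
    return path


if __name__ == "__main__":
    # Constructed URL showing how the naive scheme lets the remote side choose
    # both the extension and a directory outside the cache.
    bad = naive_cache_path("http://img.example/../../Startup/evil.bat")
    print("naive  :", bad, "inside cache?", path_is_inside(CACHE_DIR, bad))
    print("hashed :", hashed_cache_path(SAMPLE_PNG))
    try:
        hashed_cache_name(SAMPLE_NON_IMAGE)
    except ValueError as exc:
        print("hashed : refused ->", exc)
```

The point of the hashed scheme is that all three of Phyx's preconditions collapse at once: the extension comes from a fixed allow-list keyed on content, the name is a digest the remote side cannot steer, and the directory is constant. The `path_is_inside` check is redundant once names are digests, but it is cheap and catches any future change that reintroduces remote-controlled path components.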
 

Pangea

Member
Oct 26, 2015
Please, avoid making false statements on something you don't fully know.

The 3.0.18.2 caching system is not simply doing a file extension check; it is completely hashing the ImageFile, thus definitively killing the RFI.

There is not and won't be a second RFI (using the IMG bb tag vector)

That's all we know, for now

I'll give you one hint, img-description-img :) (has nothing to do with the TS3 description)
 