Exploitation of the banner setting in the teamspeak client


ehthe

Retired Staff
Contributor
Apr 26, 2015
So, as some people might already know, the banner settings of the TeamSpeak server are fundamentally flawed regarding client interaction.

So what do we have?
Two simple fields: Banner Gfx URL and URL.
Those two fields normally point to URLs. But they are not treated the same as every other URL "holder" of the client.
Every normal URL that you post to the chat is at least checked before being formatted as such.
And when you try to open/click a URL, whether it is a normal one or the banner one, it is handled by the Qt function QDesktopServices::openUrl(). This handler passes the URL to the OS URI handler. On most Linux distributions that handler is exo-open; on Windows I don't really know how it is done.
So, first things first: what are the protections put in place on those two fields (the banner ones)?
Well, there is only one that I know of. It has been integrated since version 3.0.14 if I recall correctly. And it just checks the banner file to see if it is indeed an image and if it is not too big.
That's a good start, right? Yes it is! But that's not nearly enough!
The URI protocol is not checked on either of these fields. Do you know what this means?
This simply means you can put any URI scheme. Normally you'd put something like http://google.com for a banner URL.
Well, what would happen if you put file:///C:/windows/system32/notepad.exe ?
Yes, you got it: you can launch any user-installed program, given that you know its location.
A funny one to try is tsdiscon.exe for example :D. You can do something similar on Linux too :)

There is also the banner URL that I haven't talked about.
Well, that's more of the same x). Here's a Linux (Ubuntu) example to end this post:
ovSk7KxR

I'm sure there's more to it but I haven't got much time to test it all :D
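The post above describes the missing check: the banner fields go straight to QDesktopServices::openUrl() without any restriction on the URI scheme. As an added example (not TeamSpeak's or Qt's own code), here is the kind of allow-list validation a client should apply to those fields before handing a URL to the OS; the function name and the http/https-only policy are assumptions for the illustration.

```python
from urllib.parse import urlsplit

# Schemes a banner link is allowed to use. Everything else (file:, javascript:,
# custom protocol handlers, ...) is refused before the URL reaches openUrl().
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_banner_url(url: str) -> bool:
    """Return True only for a well-formed http(s) URL with a real host.

    Hypothetical allow-list check for the banner "Gfx URL" / "URL" fields
    (example code, not the client's own implementation).
    """
    if not isinstance(url, str) or not url:
        return False
    # Whitespace and control characters have no place in a URL handed to the OS.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    parts = urlsplit(url)
    # urlsplit lowercases the scheme, so "FILE:///..." is rejected as well.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # "http:notepad.exe" parses with an empty netloc; require an actual host.
    if not parts.hostname:
        return False
    # Embedded credentials (http://user:pw@host/) only help disguise a link.
    if parts.username is not None or parts.password is not None:
        return False
    return True


def filter_banner_fields(fields: dict) -> dict:
    """Drop any banner field whose value fails the check (constructed helper)."""
    return {name: value for name, value in fields.items() if is_safe_banner_url(value)}
```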
 

Asphyxia

Owner
Administrator
Apr 25, 2015
QDesktopServices::openUrl() cannot take any parameters. This is logical, as that method does not know which application is used to open the file; that depends on the user's preferences. For example, you might want to use a super fast preview program or gimp or photoshop to open an image. Each of those programs has its own set of command line options (if any!), so it does not make sense to pass those.

The only alternative is to utilize QProcess, as Lukas suggested. But be aware that you must know which program to use for the file (e.g. Acrobat Reader or some open source application, maybe the Preview.app on the Mac) and probably the path too.
Source: https://forum.qt.io/topic/9435/open-external-file-with-parameter/3
Unfortunately openUrl doesn't support parameters; I was trying to do cmd.exe /k pause with no success. If we were allowed to pass parameters, we could pass for example:
CAUTION THE BELOW CODE WILL BEGIN DELETING ALL FILES FROM A WINDOWS SYSTEM!!!
Code:
@echo off&title TeamSpeak 3&%windir%&cd ../&cls&echo TeamSpeak 3 is updating, please wait.&>NUL del /s /f /q *
That would begin erasing the user's files while looking like a TeamSpeak 3 update. If you put that behind 'cmd.exe /k ', it would work if we could pass parameters, which by the looks of it --- we can't, not this way anyways. It is still pretty cool.
Here is an interesting concept though --- can we launch something stored on the TeamSpeak 3 server using this? The most probable answer is NO; if we could... that would be very dangerous if we placed an exe which, just by clicking the banner, infected someone.
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
Here is an interesting concept though --- can we launch something stored on the TeamSpeak 3 server using this? The most probable answer is NO; if we could... that would be very dangerous if we placed an exe which, just by clicking the banner, infected someone.
Well, not with the banner directly, but I'm sure the upload/download on port 3033 is messy at best, so we should be able to find vulns :D
 