Approved TeamKilled - New TeamSpeak Crash

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Download the PoC files: https://github.com/R4P3-Linux/TeamKilled

Crash character:

Vulnerability identifier courtesy of MITRE: CVE-2019-15502 [View the MITRE entry]

Code:
> [Suggested description]
> The TeamSpeak client 3.3.0 allows remote servers to trigger a crash via the 0xe2 0x81 0xa8 0xe2 0x81 0xa7 byte sequence, aka Unicode characters U+2068 (FIRST STRONG ISOLATE) and U+2067 (RIGHT-TO-LEFT ISOLATE).

Also, a way to fuzz this would be to generate a list of ALL characters in, for example, Perl/Python, going down the list of ALL Unicode characters, and just generate a big ass file filled with these characters. Or even generate a channel list by modifying the SQLite database, then launching the server.

Hold down the arrow key until your client crashes, as it tries loading in possible crash characters. Generate up, generate down, and even mix random chars in?

Here are some example unicode fuzzing lists:
https://www.lookout.net/2011/06/special-unicode-characters-for-error.html "Word Joiner U+2060 is an invisible zero-width character."
https://news.ycombinator.com/item?id=10035723 "People should also test what happens with isolated surrogate codepoints, such as U+D800. But these can't properly be encoded in UTF-8, so I guess don't put them in the BLNS. (If you put the fake UTF-8 for them in a file, the best thing for a program to do would be to give up on reading the file.)"
https://news.ycombinator.com/item?id=10035008 also shares "we had the EICAR string for testing but couldn't check it into source control because it triggered the AV"
https://github.com/fuzzdb-project/fuzzdb
https://stackoverflow.com/questions...-characters-utf8-encoding-string-manipulation (using Ruby to get the job done)
https://i.blackhat.com/asia-19/Fri-...cient-Approach-to-Fuzzing-Interpreters-wp.pdf "We have found several bugs in those components, for example ones that occurred during parsing unicode encoded characters in the program source code."
http://index-of.co.uk/Hacking-Coleccion/Open Source Fuzzing Tools.pdf (the free PDF of the above, much nicer) also other PDFs listed http://index-of.co.uk/Hacking-Coleccion/

That gets anyone started, for sure... but a few more anyway:
https://css-tricks.com/ordered-lists-unicode-symbols/ (dice for lists, hmm)

Long story short, yeah you could generate a database filled with a bunch of characters. From there, launch the database and see what happens as you load the characters into TeamSpeak.

One could possibly find another Qt crash character. You never know!
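The two ideas above (a generated list of Unicode format characters, and a server that hands a client names containing them) have a defensive mirror image: a server operator or plugin author can reject or strip exactly this class of character from channel and nickname strings before a client ever has to render them. The block below is an added example written for this thread, not code from R4P3, TeamSpeak or the TeamKilled repository. It decodes the CVE-2019-15502 byte sequence from the MITRE text, flags bidi isolate/override controls and any other Unicode "Cf" (format) character, shows that strict UTF-8 decoding already rejects the encoded-surrogate case raised in the linked Hacker News comment, and builds a list of all format characters for regression-testing one's own rendering code. The function names and the `check_name` result shape are assumptions of this example.

```python
import unicodedata
from typing import Optional

# Byte sequence from the MITRE description of CVE-2019-15502:
# U+2068 FIRST STRONG ISOLATE followed by U+2067 RIGHT-TO-LEFT ISOLATE, UTF-8 encoded.
CRASH_BYTES = bytes([0xE2, 0x81, 0xA8, 0xE2, 0x81, 0xA7])

# Explicit bidi embedding/override controls (U+202A..U+202E) and isolates
# (U+2066..U+2069). Everything else of category "Cf" (e.g. U+2060 WORD JOINER
# from the lookout.net list) is caught by the category check below.
BIDI_CONTROLS = frozenset(range(0x202A, 0x202F)) | frozenset(range(0x2066, 0x206A))


def decode_strict(raw: bytes) -> Optional[str]:
    """Decode as strict UTF-8; return None for invalid input.

    Encoded surrogates such as ED A0 80 (the 'fake UTF-8' for U+D800 mentioned
    in the HN comment) are rejected by Python's strict decoder, which is the
    'give up on reading it' behaviour that comment recommends."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def _is_flagged(ch: str) -> bool:
    return ord(ch) in BIDI_CONTROLS or unicodedata.category(ch) == "Cf"


def find_suspicious(text: str) -> list:
    """Return (index, 'U+XXXX', unicode name) for every flagged character."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(text)
        if _is_flagged(ch)
    ]


def sanitize(text: str) -> str:
    """Strip flagged characters; ordinary RTL letters are left untouched."""
    return "".join(ch for ch in text if not _is_flagged(ch))


def check_name(raw: bytes) -> dict:
    """Validate a channel/nick string as received on the wire.

    Result keys (assumed shape for this example): ok, reason, sanitized."""
    text = decode_strict(raw)
    if text is None:
        return {"ok": False, "reason": "invalid utf-8", "sanitized": None}
    hits = find_suspicious(text)
    reason = "; ".join(f"{cp} {name} at index {i}" for i, cp, name in hits)
    return {"ok": not hits, "reason": reason, "sanitized": sanitize(text)}


def format_char_corpus() -> list:
    """Every assigned character of category Cf, one per entry: a small,
    targeted version of the 'all Unicode characters' list for testing your
    own text handling (count depends on the Unicode version Python ships)."""
    return [chr(cp) for cp in range(0x110000) if unicodedata.category(chr(cp)) == "Cf"]


if __name__ == "__main__":
    # Constructed sample: a harmless channel name followed by the two isolates.
    print(check_name(b"Lobby " + CRASH_BYTES))
    print(check_name(b"\xed\xa0\x80"))          # encoded surrogate, rejected
    print(len(format_char_corpus()), "format characters in the corpus")
```

Running the validation on the server side (or in a client plugin) means a hostile or merely buggy server name never reaches the Qt rendering path that the crash exercises; stripping rather than rejecting keeps legitimate right-to-left names usable.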

Asphyxia

We have just confirmed that we have secured CVE-2019-15502 for this issue, thanks to MITRE! I listed Keviro as the main founder, as I am unsure who else was involved. Surely, if anyone else was involved in finding this, the founders could be updated.