While auditing the Teamspeak 3 server I've discovered several 0-day vulnerabilities which I'll describe in detail in this advisory. They exist in the newest version of the server, version 3.0.13. I found 10 vulnerabilities. Some of these are critical and allow remote code execution. For the average user, that means that these vulnerabilities can be exploited by a malicious attacker in order to take over any Teamspeak server, not only becoming serveradmin, but getting a shell on the affected machine. Here's the output of an exploit which uses two of the vulnerabilities: $ python exploit_teamspeak.py leaking distinct stack pointers '\xa2' '\x9a' '\x8a' . '_' .. '\xa0' got a ptr: 0x7fa29a8a5fa0 '\xa2' '\x9a' '\x9a' 'o' ... '\xa0' got a ptr: 0x7fa29a9a6fa0 '\xa2' '\x9a' '\xaa' . '\x7f' '\xa0' got a ptr: 0x7fa29aaa7fa0 stack ptr: 0x7fa29a8a5fa0 assumed stack base: 0x7fa29a5a5000 sleeping a bit to avoid flood detection....... initializing stack sprayers............ spraying the stacks............ doing some magic..... Got a shell from ('127.0.0.1', 38416) ts3@ts3:/home/ts3/teamspeak3-server$ I won't release the exploit anytime soon, but I will note that writing one is a great learning experience. Next I'll describe my findings. I'll be referring to function names. The Teamspeak developers strip their binaries of symbols, but they messed up once and forgot to do so. If you want to follow along at home, I'm sure your favorite search engine can help you find the non-stripped server binary. Now on to the vulns!
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment