Full Disclosure mailing list archives

nSense-2010-002: Teamspeak 2 Windows client
From: Henri Lindberg <henri+fulldisclosure () nsense fi>
Date: Thu, 28 Oct 2010 09:20:14 +0300

       nSense Vulnerability Research Security Advisory NSENSE-2010-002
       ---------------------------------------------------------------
                   t2'10 infosec conference special release
                               http://www.t2.fi
       ---------------------------------------------------------------

       Affected Vendor:    Teamspeak Systems GmbH
       Affected Product:   Teamspeak 2 version 2.0.32.60
       Platform:           Windows
       Impact:             Remote code execution
       Vendor response:    No patch. Upgrade to TS3
       Credit:             Jokaim / nSense

       Technical details
       ---------------------------------------------------------------

       The specific flaw exists within the TeamSpeak.exe module
       teardown procedure responsible for freeing dynamically
       allocated application handles.

       It is possible to corrupt this memory area by sending a voice
       transmission packet (type 0xf2) to the server. All clients
       receiving the relayed voice transmission will have their memory
       corrupted. The resulting memory corruption leads to an overflow
       of values which are later used in a copy operation
       (during teardown).

       This can be leveraged to achieve remote code execution
       within the context of the user running the application.

       The following packet is provided as a Proof-of-Concept example:
       f2be000426ad7e00300000000001000a414141414141414141424141414141
       4141414141414141414141414141414141414100ff99414141424242424141
       414141414141414141

       Bytes 51 and onwards contain user-controllable values for EAX
       and EDX. A weaponized exploit has been developed but will not
       be released to the public. See memory location 00401C72.

       Timeline:
       Jul 20th        Contacted CERT-FI vulncoord
       Jul 22nd        CERT-FI vulncoord responds, coordination started
       Aug 9th         Status update request sent to CERT-FI
       Aug 20th        CERT-FI informs that the vendor had suggested
                       posting the issue to their public support
                       forum. Coordination continued.
       Aug 26th        Status update request sent to CERT-FI
       Aug 26th        CERT-FI responds
       Sep 23rd        Weaponized exploit ready and polished.
                       Information sent to CERT-FI
       Sep 28th        CERT-FI informs that the vendor is not supporting
                       TS2, since it is a legacy version. Users are
                       instructed to upgrade to TS3.
       Oct 28th        Advisory published.

       A thank you to CERT-FI vulncoord for the coordination effort.


       http://www.nsense.fi                       http://www.nsense.dk




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

