Nytro

TeamSpeak Client <= 3.0.18.1 RFI, Directory Traversal to RCE

Exploit Title: "PwnSpeak" a 0day Exploit for TeamSpeak Client <= 3.0.18.1 RFI/ to RCE

Date: 12/10/2015

Author: Scurippio <scurippio@anche.no> / (0x6FB30B11 my pgp keyid)

Vendor Homepage: https://www.teamspeak.com/

Application: TeamSpeak 3

Version: TeamSpeak3 Client 3.0.0 - 3.0.18.1

Platforms: Windows, Mac OS X and Linux

Exploitation: Remote

Risk : Very High

=========

The Bug

=========

The bug is a simple but Critical RFI (Remote File Inclusion), and in my test case on "Windows" you can reach remote code execution.

By changing the channel description you can insert a [img] bb tag with malicious content.

There are a few problems with the image caching on disk.

1: There is no check on file extension.

2: There is no file renaming, and you can fake the extension so you can create in the cache a malicious executable file like hta, scr, msi, pif, vbs etc.

...

Link: http://www.securityfocus.com/archive/1/536738

Edited by Nytro
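
The two caching problems listed in the post (no extension check, no renaming), seen from the mitigation side. This is an added example, not part of the advisory and not TeamSpeak's code: the names `sniff_extension`, `cache_path`, `store`, `RejectedContent` and the sample URLs are assumptions made for illustration. The cache picks the extension from the file's content, names the file after a hash of the URL, and confirms the result stays inside the cache directory.

```python
import hashlib
import os
import tempfile

# Magic-byte prefixes for the only formats this cache accepts.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

class RejectedContent(ValueError):
    """Fetched bytes are not an allowed image type (hypothetical name)."""

def sniff_extension(data: bytes) -> str:
    """Choose the extension from the content, never from the URL."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    raise RejectedContent("not an allowed image type")

def cache_path(cache_dir: str, url: str, data: bytes) -> str:
    """Return the on-disk path for a cached remote image."""
    ext = sniff_extension(data)
    # Rename: the file name is a hash of the URL, so the remote side
    # controls neither the name, the extension, nor any path separator.
    name = hashlib.sha256(url.encode("utf-8")).hexdigest() + ext
    root = os.path.realpath(cache_dir)
    path = os.path.realpath(os.path.join(root, name))
    # Defence in depth: the result must still be inside the cache dir.
    if os.path.commonpath([root, path]) != root:
        raise RejectedContent("path escapes cache directory")
    return path

def store(cache_dir: str, url: str, data: bytes) -> str:
    """Validate, then write the bytes under the derived name."""
    path = cache_path(cache_dir, url, data)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

if __name__ == "__main__":
    # Constructed samples: PNG bytes under a fake .hta name, then script text.
    with tempfile.TemporaryDirectory() as d:
        png = b"\x89PNG\r\n\x1a\n" + b"\0" * 8
        print(store(d, "http://example.invalid/a/../../x.hta", png))
        try:
            store(d, "http://example.invalid/pic.png", b"<script>constructed</script>")
        except RejectedContent as err:
            print("rejected:", err)
```

A magic-byte check alone does not rule out polyglot files; the fixed, content-derived extension is what keeps a cached file from being opened by a script or installer handler.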
