TeamSpeak 3 RFI RCE Directory Traversal vulnerability / exploit

Bodiga

Member
Oct 26, 2015
That's something I already talked about

Once again, that post is not demonstrating anything. It's just saying "Hey, Scurippio's exploit is working."
And this is not what we are talking about. We know it's working; we are talking about the "INFO" he provided.

The way the ImageFetcher works, the way the Rewrite module gets implemented to make the exploit work:

Neither of the two is mentioned in that post.

Edit: This conversation is getting too far. I won't respond to any further replies in this thread.
As I said in earlier posts, I invite Scurippio to register on the forums and start a private conversation.

-Derp

I have already sent an email to the author... but I'm not interested in deceiving him in any way! The exploit works like a charm; I have posted that for you,
which implies you can't test that exploit correctly because of your lack of knowledge.
 

Bodiga

Member
Oct 26, 2015
That's something I already talked about

Once again, that post is not demonstrating anything. It's just saying "Hey, Scurippio's exploit is working."
And this is not what we are talking about. We know it's working; we are talking about the "INFO" he provided.

The way the ImageFetcher works, the way the Rewrite module gets implemented to make the exploit work:

Neither of the two is mentioned in that post.

Edit: This conversation is getting too far. I won't respond to any further replies in this thread.
As I said in earlier posts, I invite Scurippio to register on the forums and start a private conversation.

-Derp

I have already sent the email, but I don't want to deceive him in any way!

Read my post plz

Obv, you can't test this exploit because of your lack of knowledge.
 

Bodiga

Member
Oct 26, 2015
That's something I already talked about

Once again, that post is not demonstrating anything. It's just saying "Hey, Scurippio's exploit is working."
And this is not what we are talking about. We know it's working; we are talking about the "INFO" he provided.

The way the ImageFetcher works, the way the Rewrite module gets implemented to make the exploit work:

Neither of the two is mentioned in that post.

Edit: This conversation is getting too far. I won't respond to any further replies in this thread.
As I said in earlier posts, I invite Scurippio to register on the forums and start a private conversation.

-Derp

I have already sent the email, but I don't want to deceive him in any way!

Read my post plz

Obv, you can't test this exploit because of your lack of knowledge, which confirms this is not your / your team's exploit/research...

Phyx

Member
Oct 21, 2015
And if I have a cracked IDA, does my skill change? Seems legit...
btw I have paid for that :)
That demonstrates a lot about you and your team, dude.
  1. Your English language skills suck.
  2. You think that posts from 2 days ago (Facepunch) demonstrate that a vulnerability was discovered a year ago which you claim was at some CCC ( https://www.ccc.de/en/ ) conference that is private (supposedly underground).
  3. I am in full agreement with Derp. Replying to this guy is unnecessary and so far all that I see of this guy is that he is here to troll.
I will conclude this thread with the following statement. Replies may be read, but I will no longer listen to a fraud acting like they know the higher truth about something they have NO PROOF for.

Don't feed this guy, more likely than not he actually is Scur. In addition, the exploit documentation published was dated to October 12th, almost a month after we discovered the vulnerability. I will at this time kindly ask you to leave our forum. You demonstrate no leadership. I do not doubt your skill, but your reason for being on this forum is ridiculous and your intentions are most likely malicious. Providing exploit code for such a critical security vulnerability to the public --- spread out across malicious exploitation databases is very irresponsible. Here, we have only discussed the issue with the public in hopes of skillful individuals not misusing that information.

It is evident there are people with darker intentions out there. Some people want to hijack the vulnerability/exploit for "street cred" like a digital gangsta. Others infect people as part of malicious operations. Then there is us, just hobbyist researchers. We are simply enthusiasts that enjoy finding security holes for fun and we genuinely hope the security holes are patched before black hats much like Scur and yourself get their hands on it --- I can't help but to assume you are a black hat the way you are kneeling down at his feet defending him and his fraudulent security research/finding which he stole from us. We may not all know ASM. Some of us barely know C; there are even some of us that have not even actually begun programming. Thankfully security is not a language, it is a concept --- a theory. There is no cut and dry "security", it is all just made up --- puzzles. For those of us in this community that truly care about finding problems and solutions in the security of software, this is what we live for. Why the fuck do you think this whole website exists? Thank you, idiot.

Just because you aren't proficient with a disassembler, memory editor, packet analysis software, whatever tool it may be does not mean you can not participate in security research. Sure each part of it helps, but every person in our team takes on their own task in finding security issues. If you can type on a keyboard, you can begin software testing for crying out loud. Please do not sit here and act like you can discredit our entire community because you feel like some masterful e-God, get lost pal.

What is security anyways? "the state of being free from danger or threat." --- that is a concept, not a language, it is not crafted packets, it is not disassembled software, it is not frozen memory values, it is not arbitrary code executed on a machine, it is not a forced 200 HTTP response, it is an idea. The idea of being free from threat is conceptual, philosophical and it can not be scientific nor artistic entirely, because it is a mixture between science and art, very much in the realm of philosophy. You can know a little about a lot or a lot about a little, generally speaking. People that delve into topics and really exhaust their understanding, enough for it to be applicable to the real world are the type of people to find security issues. Here, that is what we want and that is what we aim to teach. For example, there are social engineers, reverse engineers, website developers, web application security, network security, physical security, digital forensics, etc. There is not just a single field in "hacking" or security research, so for you to come into this community and play hard is definitely frowned upon. I like to apply military/police strategy to what we do for example: http://www.ncjp.org/index.php?q=strategic-planning/justice-applications/sara-problem-solving-model

I like to apply the Scanning, Analysis, Response, and Evaluation (SARA) Model to most of the research I start for example and while planning out my activities. There is also "Begin planning, Arrange for reconnaissance, Make reconnaissance, Complete the plan, Issue the order, and Supervise and is known as the 6 troop leading steps." in leading military operations, I find this works well for security research teams. CEH has something similar like: RECON, SCAN, GAIN ACCESS, MAINTAIN ACCESS, COVER TRACKS --- for CEH being so set on teaching ethics, that model seems rather black hat to me, somewhat ironic. I always found CEH controversial and sometimes hypocritical, oftentimes while reading through the CEH books, I feel more like I am being trained as a black hat. I guess it all comes down to personal choice, what you do with the information --- not so much how it is taught, hmm? I think teaching the ethics first is a good approach though, ethics should always come first. Acting responsibly is not enough, you must be responsible and practice it in everything. :cool:

When working with corporate entities it is also VERY IMPORTANT to get on their level, read into business security and not just focus on the "hacking" side of things, but business relationships too. For example, recently I have read and I recommend reading this: http://www.isaca.org/Knowledge-Cent...-Business-Model-for-Information-Security.aspx --- it is free, it just costs a little bit of your time.

We live in a knowledge/intelligence driven world. The battle is between the intelligent and the typical everyday human. Most people simply do not care as much about security as we all probably do. Most people do not even think about security at all aside from:
  • My house door is secure.
  • I am taking my purse/wallet inside the restroom with me.
  • Leaving my laptop in my car is a bad idea.
Black hat hackers think they are intelligent, but if they spent any amount of time looking into very important theories/research --- they would know their negative contribution to society is not right and could eventually end up with them caught suffering consequences. Imagine if everyone was a black hat.. what if everyone stole everyone's money? The world would be chaotic, it simply would not function properly. That is why governments even exist, humans have evolved systems that allow us to live safely, oftentimes happily and hopefully somewhat fairly. In dealing with the digital world, some people seem to feel an unreasonable sense of freedom and they demonstrate an irresponsible behavior with the power of intelligence, oftentimes. For example, if you found someone's door open would you just walk into their house and steal all of the belongings (including money)? I hope not. If you got their bank account password, would you transfer all of their money to an account you control? See how the two are so similar, but one could mislead you into fraud/theft? This comes down to improper ethics being taught, humans with malformed morals and greed. This is where the main three hat colors come in. White hats choose to do the right thing all the time, gray hats choose to sometimes do the right thing although would not act with criminal intent to maliciously destroy/fraud, black hats are to be viewed as a threat to the general public. This is the world we live in online.

Now you can sit here and keep pretending you know this Scur guy from a year ago that you met at some CCC conference which has no online presence/documentation or just leave, because we honestly do not care to hear your lies. By the way, I am getting paid to type this --- lol. I am so tired, because I work 3rd shift and I am basically an in-seat on-call guard. There is literally nothing else I can do right now, I have already swept the floor and wiped down the counters. There is bound to be some typos here and there in my long babbling post. The most important thing to take away from this is that our team has energy, we have a passion that burns in our hearts for security and we are strong together --- teamwork has so much to offer. We are a team primarily dedicated to TeamSpeak and you expect us to believe that some clown just coincidentally found a security issue we announced days before he had any online material mentioning the TS3 security problem? If you can't understand why we don't believe you, I feel sorry for you. I would like to point out that Scur's actions violate the CCC ethics shown here: http://ccc.de/de/hackerethik and CCC itself does not enforce HTTPS which is extremely ironic/hypocritical for a security/hacker computer website. *shakes head* :eek:

If the CCC conference you are mentioning even did take place and Scur demonstrated the exploit, which I highly doubt --- he would be in violation of any proper hacker's ethics. The appropriate thing for Scur to have done is attempt contact with TeamSpeak developers for the issue to be patched in order to ensure security of all users. Since he demonstrated it at a "hacker" conference a year ago, IF HE DID --- which I do not believe you.. that would be irresponsible, my thoughts. :D

Good luck convincing anyone to believe you that an apparently malicious hacker discussed the issue at a private hacker conference a year ago without the exploit becoming wild. That sounds like a big lie, especially with his release being just days after our announcement. :rolleyes:

Bodiga

Member
Oct 26, 2015
...Bullshit from a Lamer...

Stop claiming a vulnerability you cannot demonstrate, test or justify! Because you are too noob for that ahhahaha :D
You are just a group of lamers and now you are raging like the kid you are!

Welcome to the real world, assholes!
 

Bodiga

Member
Oct 26, 2015
Now you can sit here and keep pretending you know this Scur guy from a year ago that you met at some CCC conference which has no online presence/documentation or just leave, because we honestly do not care to hear your lies.

HAHAHAHAHA!
You never went to CCC, right?! loool, so funny to hear that bullshit!

No one said he published at CCC... stupid cunt..

And if you check, the date is only for the public version, retarded!
 

Phyx

Member
Oct 21, 2015
I know CCC is a wanna-be DEFCON originating in Europe. I do not care about CCC, at all. There are surely hundreds of security conferences around, the only one I follow is DEFCON because it is the best. You should probably leave, no one would care if you did. ;)
 

Bodiga

Member
Oct 26, 2015
And can you explain to me how this vulnerability was stolen?
Because no one in the other thread can confirm/test the exploit, so.. this lack of knowledge demonstrates that the site is full of incompetents and liars like you.
 

Phyx

Member
Oct 21, 2015
We found this vulnerability in the earlier half of September (over a month ago). That is all that you need to know and you have shown nothing demonstrating otherwise. We even published a video on the 7th of October demonstrating how the vulnerability works, the result of it --- a batch file in startup. That S..kid guy supposedly found the vulnerability 5 days later according to the exploit publishing. I do not care what you think, you can suck my dick --- thanks and bye. :D

password: r4p3.net_h5du80vf

Check the date (October 7th, 2015) --- this video was made 5 days before S...kid even figured anything out. Thanks to @Supervisor for documenting this in a video.

Bodiga

Member
Oct 26, 2015
ahahahahah DUDE! This is the avatar exploit!
Have you read the adv??
Scurippio's exploit is in the channel description, and that vuln is patched in 3.0.18.1! Scurippio's vulnerability was patched in that fix, 3.0.18.2. Learn 2 read plz!

IT IS ONLY THE SAME CLASS OF VULNERABILITY
 

Phyx

Member
Oct 21, 2015
ahahahahah DUDE! This is the avatar exploit!
Have you read the adv??
Scurippio's exploit is in the channel description, and that vuln is patched in 3.0.18.1! Scurippio's vulnerability was patched in that fix, 3.0.18.2. Learn 2 read plz!
Scurippio, enough trolling. You have been called out, leave. You are only entertaining us with your horrible lies. o_O
 

Bodiga

Member
Oct 26, 2015
Think what you want, I really don't care :)

CHANNEL DESCRIPTION != USER'S AVATAR

USER'S AVATAR = patched in 3.0.18.1
CHANNEL DESCRIPTION (pwnSpeak, Scurippio's exploit) = patched in 3.0.18.2

Stop spreading false information, noob lamer.
 

Phyx

Member
Oct 21, 2015
That was not even an avatar exploit, it was the RFI vulnerability we found. It was exploited using the Server Banner Gfx URL.
:eek: kids..

Furthermore we found the avatar exploit too. A major thanks goes to @Supervisor for looking into QT BMP rendering issues I mentioned to him and I would especially have to thank @ehthe for his determination and commitment to figuring out how it could work and ultimately making the first version (Linux). I would say that the avatar exploit is mostly the doing of @ehthe although we all played some part in the finding of that --- that was a crazy security issue.

Bodiga

Member
Oct 26, 2015
But it is FIXED in 3.0.18.1!!!!!!!!!! (10 / oct / 2015)

That is another exploit with the same class of vulnerability, and you want to claim the next RFI in TeamSpeak now?

HAHAAHHAAHH so fuckin funny talking with lamers like you and your friends.

Your shitty video works for <= 3.0.18

HOTFIX released by TeamSpeak: 3.0.18.1

PwnSpeak is for <= 3.0.18.1

CAN YOU UNDERSTAND THIS?
 

Phyx

Member
Oct 21, 2015
Look, Scurippio --- I know you think that just because you found a workaround/bypass to the TeamSpeak hotfix, you are amazing. You definitely are not though. What you probably did is look at the way image files are downloaded in IDA and saw their hotfix applied, then started messing around with what we already found, but URL encoded. Congratulations to you Scurippio, you know how to use a URL encoder. ;)

The vulnerability and exploit are ours, leave.
 

Bodiga

Member
Oct 26, 2015
LOOOL And now you change the point?

btw I'm not Scurippio, so sorry dude :)

And you think when you discover a vulnerability you are the only one in the world who has it?!?!?!

YOU ARE REALLY A KID, DUDE! WELCOME TO THE REAL WORLD!

hahaahah apparently the r4p3 team is not able to use a URL encoder :D
 

Phyx

Member
Oct 21, 2015
But it is FIXED in 3.0.18.1!!!!!!!!!! (10 / oct / 2015)

That is another exploit with the same class of vulnerability, and you want to claim the next RFI in TeamSpeak now?

HAHAAHHAAHH so fuckin funny talking with lamers like you and your friends.

Your shitty video works for <= 3.0.18

HOTFIX released by TeamSpeak: 3.0.18.1

PwnSpeak is for <= 3.0.18.1

CAN YOU UNDERSTAND THIS?
While you probably screwed around in IDA pro for about 2 days to figure out the hotfix bypass, it took us 10 minutes to figure out that changing some slashes and adding a null character (%00) in the URL worked just fine.

Ex:
.bat%00.jpg
..\/..\/..\/

Sure, you got it working with URL encoding although why do you think the hotfix was even applied? Because of the research R4P3 did to find the issue. You are not cool at all, so quit acting like a bad ass because you can URL encode.
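A defender-side check for the two bypass forms the post quotes (the null byte in ".bat%00.jpg" and the mixed-slash "..\/" traversal prefix), added here as an example; it is not code from TeamSpeak, R4P3 or any poster, and the function name, the extension allow-list and the sample inputs are assumptions I constructed.

```python
from urllib.parse import unquote
import posixpath

# Assumed allow-list of image extensions (not from TeamSpeak or the thread).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def is_safe_image_path(raw: str, max_decode_rounds: int = 3) -> bool:
    """Accept only a bare, allowed-extension image file name.

    The checks mirror the two hotfix-bypass forms quoted in the thread:
      * decode percent-encoding repeatedly, so a double-encoded %2500
        cannot survive one decode and turn into a NUL byte later on
      * reject NUL bytes (the ".bat%00.jpg" extension trick)
      * treat backslashes as separators, so "..\\/" cannot slip past a
        check that only looks for forward-slash traversal
      * reject absolute paths, drive letters and any ".." segment
      * allow-list the extension on the fully decoded name
    """
    decoded = raw
    for _ in range(max_decode_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return False  # still changing after the budget: treat as hostile
    if "\x00" in decoded:
        return False
    normalized = decoded.replace("\\", "/")
    if normalized.startswith("/") or ":" in normalized:
        return False
    segments = [s for s in normalized.split("/") if s not in ("", ".")]
    if len(segments) != 1 or ".." in segments:
        return False  # traversal, or more than a bare file name
    name = segments[0]
    ext = posixpath.splitext(name)[1].lower()
    return ext in ALLOWED_EXT and not name.startswith(".")


# Constructed sample inputs modelled on the forms the post names.
SAMPLES = {
    "avatar.png": True,
    "avatar.bat%00.jpg": False,          # NUL byte hides the real extension
    "..\\/..\\/..\\/avatar.png": False,  # mixed-slash traversal prefix
    "%2e%2e/avatar.png": False,          # encoded ".." segment
    "avatar%2500.png": False,            # double-encoded NUL byte
    "startup.bat": False,                # not an image extension
}


def check_samples() -> dict:
    """Return {sample: verdict} so callers can compare against SAMPLES."""
    return {path: is_safe_image_path(path) for path in SAMPLES}
```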
 

Bodiga

Member
Oct 26, 2015
But the URL encoding is applied to the path, not to the extension.... you really don't understand anything...

@Derp

hem!! Now you believe me? That exploit works! And it is not yours; you and your friends are not able to test/reproduce it!
:D
 