nSense-2010-002: Teamspeak 2 Windows client Oct 28 2010 06:36AM
Henri Lindberg henri+lists (at) nsense (dot) fi
nSense Vulnerability Research Security Advisory NSENSE-2010-002
t2'10 infosec conference special release

Affected Vendor: Teamspeak Systems GmbH
Affected Product: Teamspeak 2 version
Platform: Windows
Impact: Remote code execution
Vendor response: No patch. Upgrade to TS3
Credit: Jokaim / nSense

Technical details

The specific flaw exists within the TeamSpeak.exe module
teardown procedure responsible for freeing dynamically
allocated application handles.

It is possible to corrupt this memory area by transmitting a
voice transmission packet (0xf2) to the server. All clients
receiving the voice transmission will have their memory
corrupted. The resulting memory corruption leads to an overflow
of values which are later used in a copy operation
(during teardown).

This can be leveraged to achieve remote code execution
within the context of the user running the application.

The following packet is provided as a Proof-of-Concept example:

Bytes 51 and onwards contain user controllable values for EAX
and EDX. A weaponized exploit has been developed but will not
be released to the public. See memory location 00401C72.

Jul 20th Contacted CERT-FI vulncoord
Jul 22nd CERT-FI vulncoord responds, coordination started
Aug 9th Status update request sent to CERT-FI
Aug 20th CERT-FI informs that the vendor had suggested
posting the issue to their public support
forum. Coordination continued.
Aug 26th Status update request sent to CERT-FI
Aug 26th CERT-FI responds
Sep 23rd Weaponized exploit ready and polished.
Information sent to CERT-FI
Sep 28th CERT-FI informs that the vendor is not supporting
TS2, since it is a legacy version. Users are
instructed to upgrade to TS3.
Oct 28th Advisory published.

A thank you to CERT-FI vulncoord for the coordination effort.

http://www.nsense.fi http://www.nsense.dk


Copyright 2010, SecurityFocus