Message-ID: <AANLkTi==VwRWF0zKVxtbkkUuBuy1oaWOk6dz==y7P7=9@mail.gmail.com>
Date: Thu, 28 Oct 2010 09:20:14 +0300
From: Henri Lindberg <henri+fulldisclosure@...nse.fi>
To: full-disclosure@...ts.grok.org.uk
Subject: nSense-2010-002: Teamspeak 2 Windows client
nSense Vulnerability Research Security Advisory NSENSE-2010-002
---------------------------------------------------------------
t2'10 infosec conference special release
http://www.t2.fi
---------------------------------------------------------------
Affected Vendor: Teamspeak Systems GmbH
Affected Product: Teamspeak 2 version 2.0.32.60
Platform: Windows
Impact: Remote code execution
Vendor response: No patch. Upgrade to TS3
Credit: Jokaim / nSense
Technical details
---------------------------------------------------------------
The specific flaw exists within the TeamSpeak.exe module
teardown procedure responsible for freeing dynamically
allocated application handles.
It is possible to corrupt this memory area by transmitting a
voice transmission packet (0xf2) to the server. All clients
receiving the voice transmission will have their memory
corrupted. The resulting memory corruption leads to an overflow
of values which are later used in a copy operation
(during teardown).
This can be leveraged to achieve remote code execution
within the context of the user running the application.
The following packet is provided as a Proof-of-Concept example:
f2be000426ad7e00300000000001000a414141414141414141424141414141
4141414141414141414141414141414141414100ff99414141424242424141
414141414141414141
Bytes 51 and onwards contain user controllable values for EAX
and EDX. A weaponized exploit has been developed but will not
be released to the public. See memory location 00401C72.
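The following is an added example from the editor, not code from nSense or the advisory: a defender-side heuristic that inspects UDP payloads and flags voice transmission packets resembling the published Proof-of-Concept. Only the packet type byte (0xf2, named in the advisory as the voice transmission type and visible as the first byte of the PoC) and the PoC bytes themselves come from the advisory; the length threshold, the "long run of identical filler bytes" heuristic and the benign comparison packet are assumptions constructed for this example and are not part of the TeamSpeak 2 protocol description.

```python
from __future__ import annotations

# Added example (not part of the nSense advisory): flag TeamSpeak 2 voice
# packets that resemble the published PoC. Packet type 0xf2 and the PoC
# bytes come from the advisory; the thresholds below are assumptions.

VOICE_PACKET_TYPE = 0xF2  # advisory: voice transmission packet type

# PoC payload exactly as printed in the advisory (wrapped hex lines joined)
POC_HEX = (
    "f2be000426ad7e00300000000001000a414141414141414141424141414141"
    "4141414141414141414141414141414141414100ff99414141424242424141"
    "414141414141414141"
)
POC_PACKET = bytes.fromhex(POC_HEX)

# Constructed benign-looking voice packet for comparison (not real TS2
# audio data; a short payload with no long repeated-byte run).
BENIGN_PACKET = bytes([0xF2, 0x10, 0x00, 0x01]) + bytes(range(0x20, 0x40))

# Assumed thresholds for this example only
MAX_EXPECTED_VOICE_LEN = 64  # assumption: flag voice packets longer than this
MIN_SUSPICIOUS_RUN = 16      # assumption: this many identical bytes in a row


def is_voice_packet(pkt: bytes) -> bool:
    """True if the first byte matches the 0xf2 voice transmission type."""
    return len(pkt) > 0 and pkt[0] == VOICE_PACKET_TYPE


def longest_run(data: bytes) -> tuple[int, int | None]:
    """Return (length, byte value) of the longest run of identical bytes."""
    best_len, best_val = 0, None
    cur_len, prev = 0, None
    for b in data:
        cur_len = cur_len + 1 if b == prev else 1
        prev = b
        if cur_len > best_len:
            best_len, best_val = cur_len, b
    return best_len, best_val


def inspect_packet(pkt: bytes) -> list[str]:
    """Return the reasons a packet looks suspicious (empty list = clean)."""
    reasons: list[str] = []
    if not is_voice_packet(pkt):
        return reasons  # only the 0xf2 voice path is described in the advisory
    if len(pkt) > MAX_EXPECTED_VOICE_LEN:
        reasons.append(
            f"voice packet length {len(pkt)} exceeds {MAX_EXPECTED_VOICE_LEN}"
        )
    run_len, run_val = longest_run(pkt[1:])  # skip the type byte
    if run_len >= MIN_SUSPICIOUS_RUN:
        reasons.append(f"run of {run_len} x 0x{run_val:02x} filler bytes")
    return reasons


if __name__ == "__main__":
    for name, pkt in (("poc", POC_PACKET), ("benign", BENIGN_PACKET)):
        verdict = inspect_packet(pkt)
        print(f"{name}: {'SUSPICIOUS' if verdict else 'clean'} {verdict}")
```

Run against the PoC bytes the function reports both an oversized voice packet and a long run of 0x41 filler; the constructed benign packet passes. Because the advisory gives no patch for TS2, a heuristic like this is only a compensating control on the network path (or a hunt query over captured traffic); the mitigation the vendor offers is the upgrade to TS3.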
Timeline:
Jul 20th Contacted CERT-FI vulncoord
Jul 22nd CERT-FI vulncoord responds, coordination started
Aug 9th Status update request sent to CERT-FI
Aug 20th CERT-FI informs that the vendor had suggested
posting the issue to their public support
forum. Coordination continued.
Aug 26th Status update request sent to CERT-FI
Aug 26th CERT-FI responds
Sep 23rd Weaponized exploit ready and polished.
Information sent to CERT-FI
Sep 28th CERT-FI informs that vendor is not supporting
TS2, since it's a legacy version. Users are
instructed to upgrade to TS3.
Oct 28th Advisory published.
A thank you to CERT-FI vulncoord for the coordination effort.
http://www.nsense.fi http://www.nsense.dk