Message-ID: <AANLkTi==VwRWF0zKVxtbkkUuBuy1oaWOk6dz==y7P7=9@mail.gmail.com>
Date: Thu, 28 Oct 2010 09:20:14 +0300
From: Henri Lindberg <henri+fulldisclosure@...nse.fi>
To: full-disclosure@...ts.grok.org.uk
Subject: nSense-2010-002: Teamspeak 2 Windows client

       nSense Vulnerability Research Security Advisory NSENSE-2010-002
       ---------------------------------------------------------------
                   t2'10 infosec conference special release
                               http://www.t2.fi
       ---------------------------------------------------------------

       Affected Vendor:    Teamspeak Systems GmbH
       Affected Product:   Teamspeak 2 version 2.0.32.60
       Platform:           Windows
       Impact:             Remote code execution
       Vendor response:    No patch. Upgrade to TS3
       Credit:             Jokaim / nSense

       Technical details
       ---------------------------------------------------------------

       The specific flaw exists within the TeamSpeak.exe module
       teardown procedure responsible for freeing dynamically
       allocated application handles.

       It is possible to corrupt this memory area by transmitting a
       voice transmission packet (0xf2) to the server. All clients
       receiving the voice transmission will have their memory
       corrupted. The resulting memory corruption leads to an overflow
       of values which are later used in a copy operation
       (during teardown).

       This can be leveraged to achieve remote code execution
       within the context of the user running the application.

       The following packet is provided as a Proof-of-Concept example:
       f2be000426ad7e00300000000001000a414141414141414141424141414141
       4141414141414141414141414141414141414100ff99414141424242424141
       414141414141414141

       Bytes 51 and onwards contain user controllable values for EAX
       and EDX. A weaponized exploit has been developed but will not
       be released to the public. See memory location 00401C72.

       Timeline:
       Jul 20th        Contacted CERT-FI vulncoord
       Jul 22nd        CERT-FI vulncoord responds, coordination started
       Aug 9th         Status update request sent to CERT-FI
       Aug 20th        CERT-FI informs that the vendor had suggested
                       posting the issue to their public support
                       forum. Coordination continued.
       Aug 26th        Status update request sent to CERT-FI
       Aug 26th        CERT-FI responds
       Sep 23rd        Weaponized exploit ready and polished.
                       Information sent to CERT-FI
       Sep 28th        CERT-FI informs that vendor is not supporting
                       TS2, since it's a legacy version. Users are
                       instructed to upgrade to TS3.
       Oct 28th        Advisory published.

       A thank you to CERT-FI vulncoord for the coordination effort.


       http://www.nsense.fi                       http://www.nsense.dk



