Affected systems:
TeamSpeak Systems GmbH TeamSpeak Server <= 3.0.0-beta23
Description:
BUGTRAQ ID: 40918

TeamSpeak is a voice-over-IP communication system designed for online gamers.

The TeamSpeak server does not require authentication before executing restricted commands received on UDP port 9987, so an unauthenticated user can run a range of administrative commands. The following is a partial list of the affected commands:

  banclient
  bandel
  channeladdperm/channeldelperm
  channelclientaddperm/channelclientdelperm
  channeldelete
  channeledit
  channelmove
  clientaddperm/clientdelperm
  clientdbdelete
  clientget*
  clientkick
  clientmove
  clientpoke
  messageadd
  sendtextmessage
  serveredit
  servergroupadd
  setclientchannelgroup
  tokenadd/tokendel

In addition, sending the following commands to UDP port 9987 triggers assertion failures:

  banlist                     Assertion "invokerClientID != 0" failed at server\serverlib\virtualserver.cpp:7442;
  complainlist                Assertion "client != 0" failed at server\serverlib\permission_manager.cpp:167;
  servernotifyunregister      not implemented
  serverrequestconnectioninfo Assertion "client != 0" failed at server\serverlib\permission_manager.cpp:167;
  setconnectioninfo           Assertion "clID != 0" failed at common\packethandler.cpp:367;
  servernotifyregister event=server   not implemented

Sending the following commands triggers a NULL pointer dereference:

  bandelall
  channelcreate channel_name=name
  channelsubscribe cid=1
  channelsubscribeall
  banadd ip=1.2.3.4
  clientedit clid=1 client_description=none
  messageupdateflag msgid=1 flag=1
  complainadd tcldbid=1 message=none
  complaindelall tcldbid=1
  ftinitupload clientftfid=1 name=file.txt cid=5 cpw= size=9999 overwrite=1 resume=0
  ftgetfilelist cid=1 cpw= path=\/
  ftdeletefile cid=1 cpw= name=\/
  ftcreatedir cid=1 cpw= dirname=\/
  ftrenamefile cid=1 cpw= tcid=1 tcpw=secret oldname=\/ newname=\/
  ftinitdownload clientftfid=1 name=\/ cid=1 cpw= seekpos=0

All of these cause the server process to abort or crash.
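The commands above are written in the TeamSpeak ServerQuery text syntax ("name key=value key=value", with "\/" and "\s" escaping "/" and space). The following classifier is an added example for this advisory, not Luigi Auriemma's PoC and not TeamSpeak code: it parses a command line in that syntax, decodes the ServerQuery escape sequences (the escape table is assumed from the ServerQuery manual, not from this advisory), and flags the line against the three categories the advisory lists, which is the check a detection engineer would run over command strings recovered from the UDP stream. The sample lines are constructed for the example; the binary UDP packet framing is not described on this page and is not parsed here.

```python
"""Classify TeamSpeak-3-style query command lines against this advisory.

Added example, not code from the advisory or the vendor. Assumes the
ServerQuery text syntax and escape rules (\\s space, \\/ slash, \\p pipe,
\\\\ backslash); the command lists below are copied from the advisory.
"""

# Commands the advisory says execute without authentication.
UNAUTHENTICATED_ADMIN = {
    "banclient", "bandel", "channeladdperm", "channeldelperm",
    "channelclientaddperm", "channelclientdelperm", "channeldelete",
    "channeledit", "channelmove", "clientaddperm", "clientdelperm",
    "clientdbdelete", "clientkick", "clientmove", "clientpoke",
    "messageadd", "sendtextmessage", "serveredit", "servergroupadd",
    "setclientchannelgroup", "tokenadd", "tokendel",
}
# The advisory writes "clientget*": treat it as a name prefix.
WILDCARD_PREFIXES = ("clientget",)

# Commands that hit an assertion; servernotifyregister only with event=server.
ASSERTION_CRASH = {
    "banlist", "complainlist", "servernotifyunregister",
    "serverrequestconnectioninfo", "setconnectioninfo",
}

# Commands that dereference a NULL pointer.
NULL_DEREF = {
    "bandelall", "channelcreate", "channelsubscribe", "channelsubscribeall",
    "banadd", "clientedit", "messageupdateflag", "complainadd",
    "complaindelall", "ftinitupload", "ftgetfilelist", "ftdeletefile",
    "ftcreatedir", "ftrenamefile", "ftinitdownload",
}

# ServerQuery escape sequences (assumed from the ServerQuery manual).
_ESCAPES = {
    "\\": "\\", "/": "/", "s": " ", "p": "|", "a": "\a", "b": "\b",
    "f": "\f", "n": "\n", "r": "\r", "t": "\t", "v": "\v",
}


def unescape(value):
    """Decode escape sequences in a parameter value; unknown ones stay verbatim."""
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in _ESCAPES:
            out.append(_ESCAPES[value[i + 1]])
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_command(line):
    """Split 'name k=v k2=v2 flag' into (name, params); bare flags map to ''."""
    parts = line.strip().split(" ")  # spaces inside values arrive as \s
    name = parts[0].lower()
    params = {}
    for tok in parts[1:]:
        if not tok:
            continue
        key, sep, val = tok.partition("=")
        params[key] = unescape(val) if sep else ""
    return name, params


def classify(line):
    """Return the advisory category a command line falls into, or None."""
    name, params = parse_command(line)
    if name in UNAUTHENTICATED_ADMIN or name.startswith(WILDCARD_PREFIXES):
        return "unauthenticated-admin"
    if name in ASSERTION_CRASH:
        return "assertion-crash"
    if name == "servernotifyregister" and params.get("event") == "server":
        return "assertion-crash"
    if name in NULL_DEREF:
        return "null-deref-crash"
    return None


def flag_lines(lines):
    """Run classify over captured command lines; return (line, category) hits."""
    return [(ln, classify(ln)) for ln in lines if classify(ln) is not None]


# Constructed sample lines, not captured traffic.
SAMPLE_LINES = [
    "clientkick clid=1 reasonid=5 reasonmsg=bye",
    "clientgetids cluid=abc",
    "version",
    "servernotifyregister event=server",
    "ftgetfilelist cid=1 cpw= path=\\/",
]

if __name__ == "__main__":
    for line, category in flag_lines(SAMPLE_LINES):
        print(f"{category:22} {line}")
```

Feed it the command strings recovered from the UDP 9987 stream; anything flagged arriving from a peer that has not completed the server's authentication is exactly the condition the advisory describes.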

<*Source: Luigi Auriemma (aluigi@pivx.com)
  
  Links: http://secunia.com/advisories/40230/
        http://aluigi.altervista.org/adv/teamspeakrack-adv.txt
*>

Test method:
Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
http://aluigi.altervista.org/poc/teamspeakrack.zip