TeamSpeak 3.5.6 Insecure File Permissions

TeamSpeak version 3.5.6 suffers from an insecure file permissions vulnerability.


MD5 | c6e27c00bfb04a0b95b4691372c0d351

# Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions
# Date: 2022-02-15
# Exploit Author: Aryan Chehreghani
# Contact: [email protected]
# Vendor Homepage: https://www.teamspeak.com
# Software Link: https://www.teamspeak.com/en/downloads
# Version: 3.5.6
# Tested on: Windows 10 x64

# [ About - TeamSpeak ]:
#TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP),
#application for audio communication between users on a chat channel,
#much like a telephone conference call, Users typically use headphones with a microphone,
#The client software connects to a TeamSpeak server of the user's choice from which the user may join chat channels,
#The target audience for TeamSpeak is gamers, who can use the software to communicate,
#with other players on the same team of a multiplayer video game,
#Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.

# [ Description ]:
#The TeamSpeak Application was installed with insecure file permissions.
#It was found that all folder and file permissions were incorrectly configured during installation.
#It was possible to replace the service binary.

# [ POC ]:

C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe

createfileassoc.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)

error_report.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)

package_inst.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)

QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)

ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)

Uninstall.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)

update.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)

Successfully processed 7 files; Failed processing 0 files

# [ Exploit - Privilege Escalation ]:
#Replace ts3client_win32.exe,update.exe,package_inst.exe,QtWebEngineProcess.exe,createfileassoc.exe and other ...
#with any executable malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)


Related Posts