Author Topic: TeamSpeak RC2 (Read 5243 times)

Sidoh · « **on:** December 14, 2005, 08:31:03 pm »

I was poking around with this earlier today and found something out that I didn't like much. It's not too big of a deal, since the TeamSpeak binaries are almost without exception installed under a safe, unreachable (by the world, I mean) directory, but it's still something that shouldn't be true.

Anyway, on the teamspeak server, passwords are stored in plaintext. I think that's really stupid. Here's some stuff:

Me creating a user:

Success:

Seeing if the user's in the database:

Search for the user:

User/password found:

The password (text):

00006b80  08 08 0a 0c  16 23 35 35  31 00 30 00 <74>65 73 74  .....#551.0.test
00006b90  5f 75 73 65  72 00 74 65  73 74 70 61  73 73 77 6f  _user.testpasswo
00006ba0  72 64 00 31  34 31 32 32  30 30 35 31  38 32 38 30  rd.1412200518280
00006bb0  36 39 33 39  00 07 03 40  48 00 00 00  00 00 00 00  6939...@H.......

You can log in to www.sidoh.org:8777 and see for yourself if you feel like it.

deadly7 · « **Reply #1 on:** December 14, 2005, 08:32:25 pm »

God you are such a nerd.

Sidoh · « **Reply #2 on:** December 14, 2005, 08:35:36 pm »

Quote from: deadly7 on December 14, 2005, 08:32:25 pm

God you are such a nerd.

That's a given:

Quote

Sidoh
[Sidoh]
Nerd
x86
Hero Member

But that's not the point. The point is the developers of TeamSpeak made it sloppy!

iago · « **Reply #3 on:** December 14, 2005, 08:37:05 pm »

Yeah, for this type of software there is no reason to keep passwords in plaintext.

And why did they say PassWord? That looks so silly!

Sidoh · « **Reply #4 on:** December 14, 2005, 08:37:55 pm »

Quote from: iago on December 14, 2005, 08:37:05 pm

Yeah, for this type of software there is no reason to keep passwords in plaintext.

And why did they say PassWord? That looks so silly!

No joke! Damn TSRC2. I wonder if Ventrilo's like this...

Haha, I noticed that too! I thought it looked funny as well.

Newby · « **Reply #5 on:** December 14, 2005, 10:00:54 pm »

I think they tell you that the passwords are stored in plaintext. Just chmod 400 server.dbs and you have no issues.

Sidoh · « **Reply #6 on:** December 14, 2005, 10:08:30 pm »

Quote from: Newby on December 14, 2005, 10:00:54 pm

I think they tell you that the passwords are stored in plaintext. Just chmod 400 server.dbs and you have no issues.

Still, what's the point of not hashing them?

Newby · « **Reply #7 on:** December 14, 2005, 10:36:19 pm »

Quote from: Sidoh on December 14, 2005, 10:08:30 pm

Quote from: Newby on December 14, 2005, 10:00:54 pm
I think they tell you that the passwords are stored in plaintext. Just chmod 400 server.dbs and you have no issues.

Still, what's the point of not hashing them?

It's useless. If someone gets admin on your server, discontinue their access to the file an d change the password. It's a goddamn VoIP server.

Sidoh · « **Reply #8 on:** December 14, 2005, 10:53:50 pm »

Quote from: Newby on December 14, 2005, 10:36:19 pm

It's useless. If someone gets admin on your server, discontinue their access to the file an d change the password. It's a goddamn VoIP server.

Actually, the risk I was more worried about was if someone who had SSH access to the server seceratively opened the database file in vim and found passwords. If people don't know someone has their password, they can get screwed over (IE -- deleting accounts, etc).

It's still completely unjustifiable to not hash them.

By the way, 400 broke the server. I could connet, but no one else could. I changed it to 555; I'm not sure if that's the most appropriate access or not, though.

Edit --

"Hmm" on the 400 breaking the server issue. I don't think that makes much sense. Maybe it's my friend's connection, which could definitely be the case, seeing as he's on satelite internet...

Newby · « **Reply #9 on:** December 14, 2005, 11:16:30 pm »

Hmm... doesn't make sense.... at all. :|

Sidoh · « **Reply #10 on:** December 14, 2005, 11:23:01 pm »

Quote from: Newby on December 14, 2005, 11:16:30 pm

Hmm... doesn't make sense.... at all. :|

Haha, yeah. It's my friend's connection. His internet BLOWS monkey balls.

iago · « **Reply #11 on:** December 14, 2005, 11:35:06 pm »

555 lets anybody read it, which is bad++. :-/

When passwords need to be stored to be used later, like Gaim, it's understandable to not hash them. There are plenty of reasons, which I don't feel like enumerating. But on the server side, the passwords should never even be KNOWN in plaintext. The password should be hashed before even SENDING it to the server, and also stored in plaintext.

Sidoh · « **Reply #12 on:** December 14, 2005, 11:40:01 pm »

Quote from: iago on December 14, 2005, 11:35:06 pm

555 lets anybody read it, which is bad++. :-/

When passwords need to be stored to be used later, like Gaim, it's understandable to not hash them. There are plenty of reasons, which I don't feel like enumerating. But on the server side, the passwords should never even be KNOWN in plaintext. The password should be hashed before even SENDING it to the server, and also stored in plaintext.

My thoughts exactly.

Screenor · « **Reply #13 on:** December 19, 2005, 12:01:51 pm »

Quote from: Sidoh on December 14, 2005, 08:37:55 pm

Quote from: iago on December 14, 2005, 08:37:05 pm
Yeah, for this type of software there is no reason to keep passwords in plaintext.

And why did they say PassWord? That looks so silly!

No joke! Damn TSRC2. I wonder if Ventrilo's like this...

Haha, I noticed that too! I thought it looked funny as well.

Ventrilo's nothing like that, and with Ventrilo, I haven't found out how to write scripts for it as I have TS.

Clan x86

News:

Author Topic: TeamSpeak RC2 (Read 5243 times)

Sidoh

TeamSpeak RC2

deadly7

Re: TeamSpeak RC2

Sidoh

Re: TeamSpeak RC2

iago

Re: TeamSpeak RC2

Sidoh

Re: TeamSpeak RC2

Newby

Re: TeamSpeak RC2

Sidoh

Re: TeamSpeak RC2

Newby

Re: TeamSpeak RC2

Sidoh

Re: TeamSpeak RC2

Newby

Re: TeamSpeak RC2

Sidoh

Re: TeamSpeak RC2

iago

Re: TeamSpeak RC2

Sidoh

Re: TeamSpeak RC2

Screenor

Re: TeamSpeak RC2