Author Topic: TeamSpeak RC2  (Read 5241 times)

0 Members and 1 Guest are viewing this topic.

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
TeamSpeak RC2
« on: December 14, 2005, 08:31:03 pm »
I was poking around with this earlier today and found something out that I didn't like much.  It's not too big of a deal, since the TeamSpeak binaries are almost without exception installed under a safe, unreachable (by the world, I mean) directory, but it's still something that shouldn't be true.

Anyway, on the teamspeak server, passwords are stored in plaintext.  I think that's really stupid.  Here's some stuff:

Me creating a user:



Success:



Seeing if the user's in the database:



Search for the user:



User/password found:



The password (text):

00006b80  08 08 0a 0c  16 23 35 35  31 00 30 00 <74>65 73 74  .....#551.0.test
00006b90  5f 75 73 65  72 00 74 65  73 74 70 61  73 73 77 6f  _user.testpasswo
00006ba0  72 64 00 31  34 31 32 32  30 30 35 31  38 32 38 30  rd.1412200518280
00006bb0  36 39 33 39  00 07 03 40  48 00 00 00  00 00 00 00  6939...@H.......


You can log in to www.sidoh.org:8777 and see for yourself if you feel like it. :)
« Last Edit: December 14, 2005, 08:34:31 pm by Sidoh »

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: TeamSpeak RC2
« Reply #1 on: December 14, 2005, 08:32:25 pm »
God you are such a nerd. :P
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: TeamSpeak RC2
« Reply #2 on: December 14, 2005, 08:35:36 pm »
God you are such a nerd. :P

That's a given:

Quote
Sidoh
[Sidoh]
Nerd
x86
Hero Member

But that's not the point.  The point is the developers of TeamSpeak made it sloppy! :)

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: TeamSpeak RC2
« Reply #3 on: December 14, 2005, 08:37:05 pm »
Yeah, for this type of software there is no reason to keep passwords in plaintext. 

And why did they say PassWord?  That looks so silly!

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: TeamSpeak RC2
« Reply #4 on: December 14, 2005, 08:37:55 pm »
Yeah, for this type of software there is no reason to keep passwords in plaintext. 

And why did they say PassWord?  That looks so silly!

No joke!  Damn TSRC2.  I wonder if Ventrilo's like this...

Haha, I noticed that too!  I thought it looked funny as well. :)

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: TeamSpeak RC2
« Reply #5 on: December 14, 2005, 10:00:54 pm »
I think they tell you that the passwords are stored in plaintext. Just chmod 400 server.dbs and you have no issues. :)
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: TeamSpeak RC2
« Reply #6 on: December 14, 2005, 10:08:30 pm »
I think they tell you that the passwords are stored in plaintext. Just chmod 400 server.dbs and you have no issues. :)

Still, what's the point of not hashing them?

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: TeamSpeak RC2
« Reply #7 on: December 14, 2005, 10:36:19 pm »
I think they tell you that the passwords are stored in plaintext. Just chmod 400 server.dbs and you have no issues. :)

Still, what's the point of not hashing them?

It's useless. If someone gets admin on your server, discontinue their access to the file an d change the password. It's a goddamn VoIP server. :P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: TeamSpeak RC2
« Reply #8 on: December 14, 2005, 10:53:50 pm »
It's useless. If someone gets admin on your server, discontinue their access to the file an d change the password. It's a goddamn VoIP server. :P

Actually, the risk I was more worried about was if someone who had SSH access to the server seceratively opened the database file in vim and found passwords.  If people don't know someone has their password, they can get screwed over (IE -- deleting accounts, etc).

It's still completely unjustifiable to not hash them.

By the way, 400 broke the server.  I could connet, but no one else could.  I changed it to 555; I'm not sure if that's the most appropriate access or not, though. :)

Edit --

"Hmm" on the 400 breaking the server issue.  I don't think that makes much sense.  Maybe it's my friend's connection, which could definitely be the case, seeing as he's on satelite internet... :)
« Last Edit: December 14, 2005, 11:07:19 pm by Sidoh »

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: TeamSpeak RC2
« Reply #9 on: December 14, 2005, 11:16:30 pm »
Hmm... doesn't make sense.... at all. :|
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: TeamSpeak RC2
« Reply #10 on: December 14, 2005, 11:23:01 pm »
Hmm... doesn't make sense.... at all. :|

Haha, yeah.  It's my friend's connection.  His internet BLOWS monkey balls.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: TeamSpeak RC2
« Reply #11 on: December 14, 2005, 11:35:06 pm »
555 lets anybody read it, which is bad++.  :-/

When passwords need to be stored to be used later, like Gaim, it's understandable to not hash them.  There are plenty of reasons, which I don't feel like enumerating.  But on the server side, the passwords should never even be KNOWN in plaintext.  The password should be hashed before even SENDING it to the server, and also stored in plaintext. 


Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: TeamSpeak RC2
« Reply #12 on: December 14, 2005, 11:40:01 pm »
555 lets anybody read it, which is bad++.  :-/

When passwords need to be stored to be used later, like Gaim, it's understandable to not hash them.  There are plenty of reasons, which I don't feel like enumerating.  But on the server side, the passwords should never even be KNOWN in plaintext.  The password should be hashed before even SENDING it to the server, and also stored in plaintext.

My thoughts exactly. :)

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: TeamSpeak RC2
« Reply #13 on: December 19, 2005, 12:01:51 pm »
Yeah, for this type of software there is no reason to keep passwords in plaintext. 

And why did they say PassWord?  That looks so silly!

No joke!  Damn TSRC2.  I wonder if Ventrilo's like this...

Haha, I noticed that too!  I thought it looked funny as well. :)
Ventrilo's nothing like that, and with Ventrilo, I haven't found out how to write scripts for it as I have TS.