Hack of my TS3 server

[poisonpanik]

When someone creates a channel by default they become CA. Does your CA channel group allow the creation of semi-permanent channels?

[Alcazar]

Even CA are allowed to do this, by default Guests have "b_channel_modify_make_semi_permanent" set to false and SKIP, so they cant change it.
Maybe the permissions have been tweaked.

[gevatter]

sometimes somethink is easyer than believe....

yes...that was my mistake....

[SODarkRaven]

In reply Poison I didnt change a think in user permissions. I didnt change any user permissions and yes the default install of TS3 allows guest users to kick, ban, edit the server, server query, and server query login to name a few. I know because before i gave admin rights back to my member he only had guest permissions and was able to access everything. From my logs the hackers joined and then issued a server query login, created admin accounts, edited the server and injected code, then deleted all other accounts. So once i found out from my member that guests were able to access most things i manually changed the permissions for guests to only allow channel join and to text to server.

Also Dante696 i dont know who you are or if someone impersonated you or is someone different or was you idk and i dont care. That IP and name are banned from our TS3.

And for god sake why did you merge topics now people are talking about 2 seperate issues and its even more confusing to sort out. My post was to inform about two german hackers regardless of the names the ips are listed so others can add them to their ban list so you too dont get exploited and hacked.

[poisonpanik]

@SODarkRaven
Attached are the default guest permissions on a new server.

There is no way that someone who joined as a guest on a default GUEST server group could have executed a server query w/ out knowledge of your serveradmin password. Only way this would be possible is if you modified your guest server group.

Post an excerpt the log that contains the details of this event as well as your guest server group permissions.

[R3M__]

Just have to say this, the new permission system is a security risk itself, its bloated and confusing. The permission cvars are horrible for daily use, nobody can memorize all of them. Maybe its easy for the developers, but far away from being user friendly. People should not need to be a rocket scientist when they try to change simple things in TS3.

Hope this will change in the final version.

Just my 2 cents.

[dante696]

We are currently working on an easy mode for our permission system.
But this means you only set some checkboxes and permissiosn (power / needed) will be set automatically. This means if you really need to change values etc, then you still have to use the expert mode.

[R3M__]

We are currently working on an easy mode for our permission system.
But this means you only set some checkboxes and permissiosn (power / needed) will be set automatically. This means if you really need to change values etc, then you still have to use the expert mode.

Thanks dante, this sounds promising. Keep up the good work!

[Alcazar]

Even the permission system is complex (currently it has 217 (!!) single permissions), Devs wont set the default so, that guests can do anything. Then you dont need any registered users, CA or SA.

@DarkRaven: Do you host yourself or rented? Maybe your host put a mess to the default permissions.
This are the real default permissions for guest server group in TS3 (Beta 25)

Code:

insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_create_modify_with_codec_speex16", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_create_modify_with_codec_speex8", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_create_temporary", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_create_with_maxclients", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_create_with_needed_talk_power", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_create_with_password", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_create_with_topic", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_info_view", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_join_permanent", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_join_semi_permanent", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_join_temporary", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_modify_description", 0, 0, 1);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_modify_make_semi_permanent", 0, 0, 1);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_modify_maxfamilyclients", 0, 0, 1);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_channel_modify_sortorder", 0, 0, 1);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_client_ban_delete_own", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_client_channel_textmessage_send", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_client_complain_delete_own", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_client_info_view", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "b_virtualserver_token_use", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_channel_create_modify_with_codec_latency_factor_min", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_channel_create_modify_with_codec_maxquality", 7, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_channel_max_depth", 0, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_client_max_avatar_filesize", 51200, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_client_max_channel_subscriptions", -1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_client_max_clones", 0, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_client_needed_ban_power", 25, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_client_needed_kick_power", 25, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_client_needed_move_power", 25, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_client_needed_serverquery_view_power", 75, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_ft_file_browse_power", 25, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_ft_file_download_power", 25, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_ft_quota_mb_download_per_client", -1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_ft_quota_mb_upload_per_client", -1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_group_auto_update_type", 4, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 5, 0, "i_group_needed_modify_power", 75, 0, 0);

[Alcazar]

And this for the Guest Query Group.

Code:

insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 1, 0, "b_serverinstance_help_view", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 1, 0, "b_serverinstance_version_view", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 1, 0, "b_serverquery_login", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 1, 0, "b_virtualserver_select", 1, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 1, 0, "i_client_needed_modify_power", 100, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 1, 0, "i_group_auto_update_type", 0, 0, 0);
insert into perm_server_group (server_id, id1, id2, perm_id, perm_value, perm_negated, perm_skip) values (0, 1, 0, "i_group_needed_modify_power", 100, 0, 0);

[-Striker-]

The same on my server:

->Player joined, gets all rights
-> offended players (DOES NOT WORK!!!!!)
->Banned all players
->created the channel "Update to beta25"

[poisonpanik]

That must have been Dante's alter ego

Hopefully you took the suggestion and got your server updated.

[thunder63cs]

I run one ts server and the guild I am in in another game has there own. The one I dont run was hacked by beer. I was on during this and the ppl stripped the server admins of thier rights first even though they showed as guest on both server and channel status. This was a build 25. We set up a new one on a different server and same thing happened.

I have looked over my set up and do not see anything in the permissions that would allow anyone any special access or control if they were a guest. We did find several posted hacks on different sites when we started investigating. Hope this helps the admins find a fix quick...


more exploit code...
OSVDB-ID: 65551
http://www.exploit-db.com/exploits/13959/
http://osvdb.org/show/osvdb/65551

[Alcazar]

@Striker: If you dont update your server or get your host to do this, dont complain about hacking.

@thunder63cs: Did you check also the template groups / server query groups for unwanted users? Maybe they created a backdoor.

[dante696]

thunder63cs
this is no server 25 Hack! The code is exactly the same version as the beta23 hack and it does not work here on beta 25 /26.