TeamSpeak Insecure File Permissions Vulnerability Allowing Privilege Escalation

A vulnerability in TeamSpeak version 3.5.6 allows local attackers to exploit insecure file permissions. This flaw enables the replacement of executable files with malicious binaries. By substituting system executables such as ts3client_win32.exe with custom files, attackers could potentially gain SYSTEM or Administrator-level access.

Impact

Exploitation of this vulnerability could lead to unauthorized replacement of executable files, allowing for execution of malicious binaries with elevated privileges, such as SYSTEM or Administrator rights.

Reproduction

The vulnerability can be reproduced by first verifying the insecure file permissions using the 'icacls' command, which shows that the executable files are accessible with full control permissions for the user and administrators. After confirming the permission issue, any executable file can be replaced with a malicious one. Once the replacement is made, the substituted executable can be executed to gain elevated privileges.