Games > TeamSpeak 3 > Forum > TeamSpeak 3 Server Administration & Help > Demonstration of another TS admin hack technique and how to prevent it.
Vultr.com - Instant Cloud Server Deployment
Game Rank
Servers:
Teams:
Fans:
69174
Players:
35739
Forum Home > TeamSpeak 3 Server Administration & Help > Demonstration of another TS admin hack technique and how to prevent it.
morthawtPM
#1
Demonstration of another TS admin hack technique and how to prevent it.
Sep 14, 2014 10:20 AM
Joined: Jul 20, 2012
Posts: 83
https://www.youtube.com/watch?v=-ocBJKFTwSQ

You should always set up your server groups and channel groups one permission at a time and go through all of them. This video shows you how to get full server admin in a server where you have some admin power that has been given to you on a server where the permissions have not been set up correctly.

It also shows you how to prevent this from happening so you can all protect your servers from this.
iraqiboy90PM
#2
Sep 25, 2014 4:08 PM
Joined: Apr 12, 2012
Posts: 14
1.
You do not give any power at all to the "Group Modify Power" if you dont want that group to have any power to modify!
What you need to edit, is to set the following, if you haven't done so:
- Needed Group Modify Power
- Needed Group Member Add Power
- Needed Group Remove Power
The "needed" permissions options are the one that says what is the power level needed to modify the selected group.
You set those options above to have the power level of what a "Server Admin" has.

In the following example, Server Admin and Deputy Admin has the right permissions, but Assistant Admin has the wrong/mistaken permission.

"Server Admin" has
- Group Modify Power set to "75"
- Needed Group Modify Power set to "75"

"Deputy Admin" has
- Group Modify Power set to "nothing". Right Click and "remove permission" if you haven't done so.
- Needed Group Modify Power set to "50"

"Assistant Admin" has
- Group Modify Power set to "50"
- Needed Group Modify Power set to "50"

Now, with the permissions above:
- Server Admin can modify the group of Deputy Admin & Assistant Admin, because it has higher permission level than what is needed on the others.
- Deputy Admin can NOT modify the group of itself (Deputy Admin) or any other group, because it does not have ANY modify power than what is needed on the others.
- Assistant Admin has the power to modify Deputy Admin, because it has the permission level same as the what is needed to modify "Deputy Admin".
- Assistant Admin does not have the power to modify Server Admin, because it has a lower level (50) than what Server Admin requires (70)

What is VERY important to set is the "Needed [type of permission]", otherwise, you guests will have the power to modify any other group that doesnt have that set, and new created groups will also have the power to modify if the other doesnt have it set.


2.
"Modify Virtual Server [bla bla]" is not needed to disable if you havnt messed up and given new users to have the Server Admin as default group.
Last edited by: iraqiboy90 Sep 25, 2014 4:39 PM
iraqiboy90PM
#3
Sep 25, 2014 4:19 PM
Joined: Apr 12, 2012
Posts: 14
another example of point 1 above.

Correct permissions:

The following groups are listed (first is the highest rank)
1. Server Admin
2. Assistant Admin
3. Member


Server Admin has:
- Group Add Power (80)
- Group Remove Power (80)
- Needed Group Add Power (80)
- Needed Group Remove Power (80)

Assistant Admin has:
- Group Add Power (75)
- Group Remove Power (75)
- Needed Group Add Power (80)
- Needed Group Remove Power (80)

Member has:
- Group Add Power (none)
- Group Remove Power (none)
- Needed Group Add Power (75)
- Needed Group Remove Power (75)

With the above;
- Server Admin can assign users to have Assistant Admin or Member, and can remove them from their position.
- Assistant Admin can assign users to have Member position, can remove Member from their position, but cannot assign users as Assistant Admin or Server Admin, and cannot remove themselves from their own position.
- Member cannot assign users to have anything, and cannot remove himself from that position.
morthawtPM
#4
Sep 25, 2014 4:21 PM
Joined: Jul 20, 2012
Posts: 83
Nobody should have add power of 80. The only way to do that is to have absolute control over the server, which most people do not since they rent their server from a provider.
iraqiboy90PM
#5
Sep 25, 2014 4:23 PM
Joined: Apr 12, 2012
Posts: 14
morthawt wrote:
Nobody should have add power of 80. The only way to do that is to have absolute control over the server, which most people do not since they rent their server from a provider.


Only the one usergroup where you want to give it full power.
The permission level are from 0 to 100, so you can use whatever level you want as long as you set it correctly.

and yes, some providers give you your own dedicated teamspeak server where you will have full access with query, but some providers gives you a virtual teamspeak server, where you cannot have access to query.
Last edited by: iraqiboy90 Sep 25, 2014 4:31 PM
morthawtPM
#6
Sep 25, 2014 4:30 PM
Joined: Jul 20, 2012
Posts: 83
There is no need to go above 75 for permissions like that. In fact increasing systemic permissions like that via "special" means can cause all sorts of issues and if someone has done that and asks me for help I won't help them. It is too frustrating dealing with a server that has had systemic permissions set >75, especially by people using admin server query group.
iraqiboy90PM
#7
Sep 25, 2014 4:35 PM
Joined: Apr 12, 2012
Posts: 14
morthawt wrote:
There is no need to go above 75 for permissions like that. In fact increasing systemic permissions like that via "special" means can cause all sorts of issues and if someone has done that and asks me for help I won't help them. It is too frustrating dealing with a server that has had systemic permissions set >75, especially by people using admin server query group.


If you dont want to go above 75 then that's still ok.

What I was trying to point out on my first reply is that the needed part of the permission are the
[Needed Group Modify Power]
[Needed Group Add Power]
[Needed ect.]

This way you are going to save the groups from being "hijacked" or edited.
morthawtPM
#8
Nov 29, 2014 11:59 AM
Joined: Jul 20, 2012
Posts: 83
This is a serious thing. The video linked in the first post just received a comment from another popular TeamSpeak video tutorial maker who said his server was also at risk by this simple mistake.

So if even experienced people can fall victim to this, please watch the video and maybe some of the other TS ones on the same channel to learn how to prevent this taking your server down and other techniques on the other videos.

The video linked in the first post: https://www.youtube.com/watch?v=-ocBJKFTwSQ