Teamspeak Login generates Suricata alert: Base64 HTTP Password detected unencrypted on
-
Logging in using the Teamspeak 6.0.0-beta3.4 Linux client generates the following Suricata alert:
ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
It's a single alert that occurs only on login to the Teamspeak service. The IP address on the receiving end is associated with Teamspeak. The client was downloaded from the official website. Just as a test, I tried the version listed in the Arch User Repository and it exhibits the same behaviour.
Downgrading to Teamspeak 3.6.2 does not generate the alert.
How likely is this to be a false positive? Is it possible that the latest Teamspeak client is sending my login credentials plain text across the internet?
-
@ghar36k do a packet capture and see.
-
@ghar36k Just to say it, Suricata can't see into HTTPS/encrypted packets. One might argue it could be incorrect pattern matching… hence the packet capture. Base64 is encoding, not encryption.
-
@SteveITS exactly - a sniff would see right away if there is any traffic outside of https. And the IPS isn't seeing inside https.
It's possible that screenshare and voice aren't encrypted? But that would seem insane these days. Doesn't mean it's a "password"; as Steve mentions, it could just be seeing some encoding and taking it as a password?
I would just sniff and see for myself.
-
@johnpoz Is there a way to do that within pfSense?
@johnpoz said in Teamspeak Login generates Suricata alert: Base64 HTTP Password detected unencrypted on:
@SteveITS exactly - a sniff would see right away if there is any traffic outside of https. And the IPS isn't seeing inside https.
It's possible that screenshare and voice aren't encrypted? But that would seem insane these days. Doesn't mean it's a "password"; as Steve mentions, it could just be seeing some encoding and taking it as a password?
I would just sniff and see for myself.
Teamspeak has the option to select end-to-end encrypted chats, which is the only thing I've tested so far.
As for the screen share and voice, I haven't joined a voice server or tried the screen sharing yet so I can't imagine it's just generating traffic like that without me using the feature.
The only time I get an alert in Suricata is right after I hit the login button. After that, it's quiet.
-
@ghar36k if that is the case that seems insane in this day and age to be honest. I would do a packet capture, start the capture before you click your login and get the warning. Prob want to set the packet limit to 0 vs the default 1000.
Do you see the alert, then look into the packet capture - download and using something like wireshark make it easier to read the pcap for sure.
Do you see anything in the clear, or is it all just https traffic? If something is encoded with just base64, it would be very easy to decode. There are many places on the net to paste in base64 and view it decoded.
If you know where the data is being sent, you mention the IP seems legit.. Does it change when you do this test multiple times? If not be much easier to limit your packet capture to just that IP so it won't contain other traffic.
I would also check on their forums, or send them a support request asking about it and the warning you're seeing in your IPS.
I don't use teamspeak, or I would be very happy to look into it as well - quite possible other pfsense users do use it, maybe they will chime in?
-
@johnpoz said in Teamspeak Login generates Suricata alert: Base64 HTTP Password detected unencrypted on:
@ghar36k if that is the case that seems insane in this day and age to be honest. I would do a packet capture, start the capture before you click your login and get the warning. Prob want to set the packet limit to 0 vs the default 1000.
Do you see the alert, then look into the packet capture - download and using something like wireshark make it easier to read the pcap for sure.
Do you see anything in the clear, or is it all just https traffic? If something is encoded with just base64, it would be very easy to decode. There are many places on the net to paste in base64 and view it decoded.
If you know where the data is being sent, you mention the IP seems legit.. Does it change when you do this test multiple times? If not be much easier to limit your packet capture to just that IP so it won't contain other traffic.
I would also check on their forums, or send them a support request asking about it and the warning you're seeing in your IPS.
I don't use teamspeak, or I would be very happy to look into it as well - quite possible other pfsense users do use it, maybe they will chime in?
It's the same IP address every time.
It took a little longer to generate the IPS alert when I was doing the packet capture this time (30 seconds to a minute).
The alert in Suricata indicates the destination port is port 80, but when I was doing the packet capture it's showing the destination port as 41444. I'm not sure if it grabbed the right packet, so I'm going to try again.
I've kept the application open for 20-30 minutes after the first capture and it's not generating any additional alerts. The alerts only seem to come immediately/shortly after login.
I'm also not seeing any actual username/password data (not that I'm super familiar with how to read a PCAP in Wireshark).
-
The IP address looks like it belongs to The Official Teamspeak Community Server. When I join the server the packet capture filtered to that address in pfSense starts capturing a ton of packets.
I hadn't actually joined the server prior to this.
What I think is happening: since it seems like a default installed server, when I logged in it was sending something on port 80 to that server that generated an alert in Suricata.
The problem I'm having now trying to capture the packet for a Suricata alert is that when I deleted/re-added the server, I can't get it to generate an alert anymore. So I have no idea if that was an actual false positive.
-
@johnpoz said in Teamspeak Login generates Suricata alert: Base64 HTTP Password detected unencrypted on:
@ghar36k if that is the case that seems insane in this day and age to be honest. I would do a packet capture, start the capture before you click your login and get the warning. Prob want to set the packet limit to 0 vs the default 1000.
Do you see the alert, then look into the packet capture - download and using something like wireshark make it easier to read the pcap for sure.
Do you see anything in the clear, or is it all just https traffic? If something is encoded with just base64, it would be very easy to decode. There are many places on the net to paste in base64 and view it decoded.
If you know where the data is being sent, you mention the IP seems legit.. Does it change when you do this test multiple times? If not be much easier to limit your packet capture to just that IP so it won't contain other traffic.
I would also check on their forums, or send them a support request asking about it and the warning you're seeing in your IPS.
I don't use teamspeak, or I would be very happy to look into it as well - quite possible other pfsense users do use it, maybe they will chime in?
I tried again after running an errand and I think I caught it. It's showing a connection to:
Host: update.teamspeak.com\r\n
User-Agent: teamspeak.downloader/1.0\r\n
Then there's a section for:
Authorization:
Credentials: teamspeak5:
With a string of letters and numbers after the "teamspeak5:" that I'm not going to post here. It doesn't seem like it's my login info unless it's encoded in some way. The info in the "Authorization:" section is just the Base64 of the Credentials, so I think this is what's triggering Suricata.
-
@ghar36k if it's just base64 you could go like here and decode it
https://www.authgear.com/tools/base64-decode-encode
example, I put in password and encoded it

You can paste in the encoded text and see what it comes out as decoded.
-
@johnpoz The decoded base64 isn't something I recognise. It's simply "teamspeak5:" and then a random string of numbers/letters/symbols.
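The check the ET POLICY rule and the manual base64 decode in this thread are both doing, written out as a small added Python example (not from the thread or from TeamSpeak): parse a captured plaintext HTTP request, decode the "Authorization: Basic" value the way RFC 7617 defines it (user, a colon, then the secret), and report what was exposed without logging the secret itself. The request text and the token are constructed; "teamspeak5:" ends up in the user field, which is why the rule treats what follows as a password.

```python
import base64
import binascii

# Constructed sample request of the shape described in the thread:
# Basic auth to update.teamspeak.com on TCP/80. The token is made up.
SAMPLE_REQUEST = (
    "GET /check HTTP/1.1\r\n"
    "Host: update.teamspeak.com\r\n"
    "User-Agent: teamspeak.downloader/1.0\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"teamspeak5:EXAMPLE-TOKEN-0123").decode()
    + "\r\n\r\n"
)

def parse_headers(raw):
    """Split a raw HTTP/1.1 request into (request_line, {name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def decode_basic_auth(value):
    """Decode an 'Authorization: Basic <b64>' value into (user, secret).
    Returns None if the scheme is not Basic or the payload is not base64."""
    scheme, _, payload = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, secret = creds.partition(":")   # RFC 7617: first colon splits
    return user, secret

def inspect_request(raw, dst_port):
    """Report cleartext Basic auth as the IDS rule would flag it.
    Returns a dict of the decoded fields, or None if there is nothing to report."""
    _, headers = parse_headers(raw)
    decoded = decode_basic_auth(headers.get("authorization", ""))
    if decoded is None:
        return None
    user, secret = decoded
    return {
        "host": headers.get("host"),
        "user": user,
        "secret_len": len(secret),      # report length only, never the secret
        "cleartext": dst_port == 80,    # assumption: port 80 means plain HTTP
    }
```

Over TLS (port 443) the same header is invisible to the IDS, which is the distinction the earlier replies draw; the "cleartext" flag here makes that explicit.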