exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

RoyalTS SSH Tunnel Authentication Bypass

RoyalTS SSH Tunnel Authentication Bypass
Posted Jun 9, 2020
Authored by Michele Toccagni

RoyalTS SSH Tunnel versions prior to 5 for Windows suffer from an authentication bypass vulnerability.

tags | advisory, bypass
systems | windows
advisories | CVE-2020-13872
SHA-256 | 1a8db84c812d8d110796638e2e38f42e172e4cb2bfb9498b798176f53999e5e2

RoyalTS SSH Tunnel Authentication Bypass

Change Mirror Download
RoyalTS SSH Tunnel - Authentication Bypass
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2020-13872


CVSSv3 score
-------------------------------------------------
8.8 - [AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L](
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L&version=3.1
)


Vendor
-------------------------------------------------
RoyalApps - https://www.royalapps.com/


Product
-------------------------------------------------
Royal TS provides powerful, easy and secure access to your remote
systems.
It's the perfect tool for server admins, system engineers, developers
and IT focused information workers
who constantly need to access remote systems with different protocols
(like RDP, VNC, SSH, HTTP/S, and many more.).


Affected versions
-------------------------------------------------
- All versions prior to RoyalTS v5 for Windows.


Credit
-------------------------------------------------
Michele Toccagni - toccagni.info


Vulnerability summary
-------------------------------------------------
This vulnerability allows a remote attackers to bypass the
authentication of the tunnel
and gain access to an internal network. The problem is that, once a
SSH tunnel is created on the bridge host with a Secure Gateway, this
tunnel will listen on the address 0.0.0.0 on the port opened ad hoc by
RoyalTS (higher than 50000), leaving the possibility for anyone to
exploit the tunnel without having to authenticate to it.
The attacker could easily bruteforce the ssh/rdp login in the internal
network, or,
even worse, if the hosts aren't patched, could use some known exploits
and perform lateral movements.
The vulnerability is fixed in the current major release (Royal TS V5).



Proof of concept
-------------------------------------------------
I wrote a detailed blog post to explain the bug:
https://hacktips.it/royalts-ssh-tunnel-authentication-bypass/

Solution
-------------------------------------------------
Upgrade to RoyalTS V5 for Windows

Timeline
-------------------------------------------------
Date | Status
------------|---------------------
04-JUN-2020 | Reported to vendor
04-JUN-2020 | Vendor replied that it's a known bug and it's fixed on the
last major version
06-JUN-2020 | CVE assigned
08-JUN-2020 | Public disclosure


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close