
RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC

Medium
Advisory ID: ZSL-2023-5788
Release Date: 22 September 2023
Vendor: Royal Apps GmbH - https://www.royalapps.com
Affected Version: 6.0.1.1000 (macOS)
Tested On: MacOS 13.5.1 (Ventura)
Summary

Royal TS is an ideal tool for system engineers and other IT professionals who need remote access to systems with different protocols. Not only easy to use, it enables secure multi-user document sharing.

Description

The application receives SIGABRT when the RAPortCheck.createNWConnection() function handles the SecureGatewayHost object in RoyalTSXNativeUI. When the hostname contains an array of around 1600 bytes and Test Connection is clicked, the app crashes instantly.
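
The crash is triggered by a host name far longer than any valid DNS name, so a length and syntax check in front of the Network framework call rejects such input before a connection object is built. The following is an added example, not Royal Apps' code or its fix; `HostValidationError`, `validatedHost` and `makeCheckedConnection` are hypothetical names, and the limits used are the standard DNS ones (253 bytes per name, 63 per label).

```swift
import Foundation
import Network

// Hypothetical error type for this example.
enum HostValidationError: Error {
    case empty
    case tooLong(bytes: Int)
    case badLabel(String)
}

// Validate a user- or document-supplied host name before it reaches the
// Network framework. Strict letters-digits-hyphen rule; a trailing dot or an
// underscore is rejected, relax that if your environment needs it.
func validatedHost(_ raw: String) throws -> NWEndpoint.Host {
    let name = raw.trimmingCharacters(in: .whitespacesAndNewlines)
    guard !name.isEmpty else { throw HostValidationError.empty }

    // Count UTF-8 bytes, not Characters: the limit applies to the encoded length.
    let byteCount = name.utf8.count
    guard byteCount <= 253 else { throw HostValidationError.tooLong(bytes: byteCount) }

    // IP literals are accepted once the overall length check has passed.
    if IPv4Address(name) != nil || IPv6Address(name) != nil {
        return NWEndpoint.Host(name)
    }

    let allowed = CharacterSet(charactersIn:
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")
    for label in name.split(separator: ".", omittingEmptySubsequences: false) {
        let ok = !label.isEmpty && label.utf8.count <= 63
            && label.unicodeScalars.allSatisfy { allowed.contains($0) }
            && !label.hasPrefix("-") && !label.hasSuffix("-")
        guard ok else { throw HostValidationError.badLabel(String(label)) }
    }
    return NWEndpoint.Host(name)
}

// Hypothetical wrapper: no NWConnection is created for invalid input.
func makeCheckedConnection(host: String, port: NWEndpoint.Port) throws -> NWConnection {
    let endpointHost = try validatedHost(host)
    return NWConnection(host: endpointHost, port: port, using: .tcp)
}

// Constructed input mirroring the advisory: a host name of about 1600 bytes.
let oversized = String(repeating: "A", count: 1600)
do {
    _ = try makeCheckedConnection(host: oversized, port: 443)
} catch {
    print("rejected: \(error)")
}
```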

Proof of Concept
Disclosure Timeline
05.09.2023: Vulnerability discovered.
07.09.2023: Sent crash report to the vendor.
08.09.2023: Vendor responds asking for more details.
08.09.2023: Sent details to vendor.
11.09.2023: Working with the vendor.
11.09.2023: Vendor confirms this is a bug in RoyalTSX's Swift wrapper for Apple's Network framework. The fix will be included in the next upcoming minor update.
12.09.2023: Replied to the vendor.
22.09.2023: Vendor releases beta version 6.0.2.1 to address this issue.
22.09.2023: Replied to the vendor.
22.09.2023: Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Felix!
References
Changelog
22.09.2023: Initial release
25.09.2023: Added reference [4]
04.01.2024: Added reference [5], [6], [7], [8], [9] and [10]
31.01.2024: Added reference [11]