RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
Title: RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
Advisory ID: ZSL-2023-5788
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 22.09.2023
[07.09.2023] Sent crash report to the vendor.
[08.09.2023] Vendor responds asking more details.
[08.09.2023] Sent details to vendor.
[11.09.2023] Working with the vendor.
[11.09.2023] Vendor confirms this is a bug in the RotalTSX's Swift wrapper for Apple's Network framework. The fix will be included in the next upcoming minor update.
[12.09.2023] Replied to the vendor.
[22.09.2023] Vendor releases beta version 6.0.2.1 to address this issue.
[22.09.2023] Replied to the vendor.
[22.09.2023] Coordinated public security advisory released.
royaltsx_poc.rar
High five to Felix!
[2] https://developer.apple.com/documentation/network/nwendpoint/hostport_host_port
[3] https://developer.apple.com/documentation/network/2976720-nw_endpoint_create_host
[4] https://packetstormsecurity.com/files/174827/
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-52277
[6] https://nvd.nist.gov/vuln/detail/CVE-2023-52277
[7] https://security-tracker.debian.org/tracker/CVE-2023-52277
[8] https://www.tenable.com/cve/CVE-2023-52277
[9] https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2023-52277
[10] https://exchange.xforce.ibmcloud.com/vulnerabilities/277370
[11] https://www.exploit-db.com/exploits/51764
[25.09.2023] - Added reference [4]
[04.01.2024] - Added reference [5], [6], [7], [8], [9] and [10]
[31.01.2024] - Added reference [11]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2023-5788
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 22.09.2023
Summary
Royal TS is an ideal tool for system engineers and other IT professionals who need remote access to systems with different protocols. Not only easy to use, it enables secure multi-user document sharing.Description
The application receives SIGABRT after RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and Test Connection is clicked the app crashes instantly.Vendor
Royal Apps GmbH - https://www.royalapps.comAffected Version
6.0.1.1000 (macOS)Tested On
MacOS 13.5.1 (Ventura)Vendor Status
[05.09.2023] Vulnerability discovered.[07.09.2023] Sent crash report to the vendor.
[08.09.2023] Vendor responds asking more details.
[08.09.2023] Sent details to vendor.
[11.09.2023] Working with the vendor.
[11.09.2023] Vendor confirms this is a bug in the RotalTSX's Swift wrapper for Apple's Network framework. The fix will be included in the next upcoming minor update.
[12.09.2023] Replied to the vendor.
[22.09.2023] Vendor releases beta version 6.0.2.1 to address this issue.
[22.09.2023] Replied to the vendor.
[22.09.2023] Coordinated public security advisory released.
PoC
royaltsx_mem.txtroyaltsx_poc.rar
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>High five to Felix!
References
[1] https://support.royalapps.com/support/solutions/articles/17000027755[2] https://developer.apple.com/documentation/network/nwendpoint/hostport_host_port
[3] https://developer.apple.com/documentation/network/2976720-nw_endpoint_create_host
[4] https://packetstormsecurity.com/files/174827/
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-52277
[6] https://nvd.nist.gov/vuln/detail/CVE-2023-52277
[7] https://security-tracker.debian.org/tracker/CVE-2023-52277
[8] https://www.tenable.com/cve/CVE-2023-52277
[9] https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2023-52277
[10] https://exchange.xforce.ibmcloud.com/vulnerabilities/277370
[11] https://www.exploit-db.com/exploits/51764
Changelog
[22.09.2023] - Initial release[25.09.2023] - Added reference [4]
[04.01.2024] - Added reference [5], [6], [7], [8], [9] and [10]
[31.01.2024] - Added reference [11]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
