Headline
CVE-2023-27133: TSPlus 16.0.0.0 Insecure Permissions ≈ Packet Storm
TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files under the %PROGRAMFILES(X86)%\TSplus-RemoteWork\Clients\www folder. This may enable privilege escalation if a different local user modifies a file. NOTE: CVE-2023-31067 and CVE-2023-31068 are only about the TSplus Remote Access product, not the TSplus Remote Work product.
# Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions# Date: 2023-08-09# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia# Vendor Homepage: https://tsplus.net/# Version: Up to 16.0.0.0# Tested on: Windows# CVE : CVE-2023-31068With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single sign-on web portal and remote desktop gateway that enables users to remotely access the console session of their office PC.The solution comes with an embedded web server to allow remote users to easely connect remotely.However, insecure file and folder permissions are set, and this could allow a malicious user to manipulate file content (e.g.: changing the code of html pages or js scripts) or change legitimate files (e.g. Setup-RemoteWork-Client.exe) in order to compromise a system or to gain elevated privileges.This is the list of insecure files and folders with their respective permissions:Permission: Everyone:(OI)(CI)(F)C:\Program Files (x86)\TSplus-RemoteWork\Clients\wwwC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-binC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloadC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloadsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\printsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\softwareC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\varC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteappC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\sharedC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\javaC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwresC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\localesC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\ownC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\desC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\keyC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenuC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\partsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\imgC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\thirdC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\cpC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\srvC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\imagesC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramusC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototypeC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log-------------------------------------------------------------------------------------------Permission: Everyone:(F)C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txtC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.configC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.configC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exeC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jarC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jarC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\index.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.htmlC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.binC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.jsC:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js
Related news
CVE-2023-31068: OffSec’s Exploit Database Archive
An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.
TSPlus 16.0.0.0 Insecure Permissions
TSPlus version 16.0.0.0 suffers from an insecure permissions vulnerability.