Headline
CVE-2023-31067: OffSec’s Exploit Database Archive
An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.
# Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
# Date: 2023-08-09
# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
# Vendor Homepage: https://tsplus.net/
# Version: Up to 16.0.2.14
# Tested on: Windows
# CVE : CVE-2023-31067
TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and
Microsoft RDS for remote desktop access and Windows application
delivery. Web-enable your legacy apps, create SaaS solutions or remotely
access your centralized corporate tools and files.
The TSplus Remote Access solution comes with an embedded web server to
allow remote users to easely connect remotely.
However, insecure file and folder permissions are set and this could
allow a malicious user to manipulate file content (e.g.: changing the
code of html pages or js scripts) or change legitimate files (e.g.
Setup-VirtualPrinter-Client.exe) in order to compromise a system or to
gain elevated privileges.
This is the list of insecure files and folders with their respective
permissions:
Everyone:(OI)(CF)(F) and Everyone(F)
Permission: Everyone:(OI)(CI)(F)
C:\Program Files (x86)\TSplus\Clients\www
C:\Program Files (x86)\TSplus\Clients\www\addons
C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
C:\Program Files (x86)\TSplus\Clients\www\downloads
C:\Program Files (x86)\TSplus\Clients\www\prints
C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
C:\Program Files (x86)\TSplus\Clients\www\software
C:\Program Files (x86)\TSplus\Clients\www\var
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp
C:\Program Files (x86)\TSplus\Clients\www\downloads\shared
C:\Program Files (x86)\TSplus\Clients\www\software\java
C:\Program Files (x86)\TSplus\Clients\www\software\js
C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres
C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales
C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu
C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts
C:\Program Files (x86)\TSplus\Clients\www\software\java\img
C:\Program Files (x86)\TSplus\Clients\www\software\java\third
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js
C:\Program Files
(x86)\TSplus\Clients\www\software\java\third\images\bramus
C:\Program Files
(x86)\TSplus\Clients\www\software\java\third\js\prototype
C:\Program Files (x86)\TSplus\Clients\www\var\log
C:\Program Files (x86)\TSplus\UserDesktop\themes
C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar
C:\Program Files (x86)\TSplus\UserDesktop\themes\Default
C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar
C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon
C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop
C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless
C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient
C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista
------------------------------------------------------------------------------
Permission: Everyone:(F)
C:\Program Files (x86)\TSplus\Clients\www\all.min.css
C:\Program Files (x86)\TSplus\Clients\www\custom.css
C:\Program Files (x86)\TSplus\Clients\www\popins.css
C:\Program Files (x86)\TSplus\Clients\www\robots.txt
C:\Program Files
(x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
C:\Program Files
(x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
C:\Program Files (x86)\TSplus\Clients\www\software\common.css
C:\Program Files
(x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar
C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar
C:\Program Files
(x86)\TSplus\Clients\www\software\html5\own\exitlist.html
C:\Program Files
(x86)\TSplus\Clients\www\software\html5\own\exitupload.html
C:\Program Files
(x86)\TSplus\Clients\www\software\html5\own\getlist.html
C:\Program Files
(x86)\TSplus\Clients\www\software\html5\own\getupload.html
C:\Program Files
(x86)\TSplus\Clients\www\software\html5\own\postupload.html
C:\Program Files
(x86)\TSplus\Clients\www\software\html5\own\uploaderr.html
C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js
C:\Program Files
(x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js
C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js
Related news
TSPlus 16.0.2.14 Insecure Permissions
TSPlus version 16.0.2.14 suffers from an insecure permissions vulnerability.