Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-31068: OffSec’s Exploit Database Archive

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.

CVE
Open in Source
#web#windows#js#git#java#auth
# Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions
# Date: 2023-08-09
# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
# Vendor Homepage: https://tsplus.net/
# Version: Up to 16.0.0.0
# Tested on: Windows
# CVE : CVE-2023-31068

With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single 
sign-on web portal and remote desktop gateway that enables users to 
remotely access the console session of their office PC.
The solution comes with an embedded web server to allow remote users to 
easely connect remotely.
However, insecure file and folder permissions are set, and this could 
allow a malicious user to manipulate file content (e.g.: changing the 
code of html pages or js scripts) or change legitimate files (e.g. 
Setup-RemoteWork-Client.exe) in order to compromise a system or to gain 
elevated privileges.

This is the list of insecure files and folders with their respective 
permissions:

Permission: Everyone:(OI)(CI)(F)

C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\locales
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\images
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log

-------------------------------------------------------------------------------------------

Permission: Everyone:(F)

C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\index.html
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js

Related news

CVE-2023-27133: TSPlus 16.0.0.0 Insecure Permissions ≈ Packet Storm

TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files under the %PROGRAMFILES(X86)%\TSplus-RemoteWork\Clients\www folder. This may enable privilege escalation if a different local user modifies a file. NOTE: CVE-2023-31067 and CVE-2023-31068 are only about the TSplus Remote Access product, not the TSplus Remote Work product.

TSPlus 16.0.0.0 Insecure Permissions

TSPlus version 16.0.0.0 suffers from an insecure permissions vulnerability.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE