Headline
RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
The application receives SIGABRT after RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and Test Connection is clicked the app crashes instantly.
Title: RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
Advisory ID: ZSL-2023-5788
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 22.09.2023
Summary
Royal TS is an ideal tool for system engineers and other IT professionals who need remote access to systems with different protocols. Not only easy to use, it enables secure multi-user document sharing.
Description
The application receives SIGABRT after RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and Test Connection is clicked the app crashes instantly.
Vendor
Royal Apps GmbH - https://www.royalapps.com
Affected Version
6.0.1.1000 (macOS)
Tested On
MacOS 13.5.1 (Ventura)
Vendor Status
[05.09.2023] Vulnerability discovered.
[07.09.2023] Sent crash report to the vendor.
[08.09.2023] Vendor responds asking more details.
[08.09.2023] Sent details to vendor.
[11.09.2023] Working with the vendor.
[11.09.2023] Vendor confirms this is a bug in the RotalTSX’s Swift wrapper for Apple’s Network framework. The fix will be included in the next upcoming minor update.
[12.09.2023] Replied to the vendor.
[22.09.2023] Vendor releases beta version 6.0.2.1 to address this issue.
[22.09.2023] Replied to the vendor.
[22.09.2023] Coordinated public security advisory released.
PoC
royaltsx_mem.txt
royaltsx_poc.rar
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
High five to Felix!
References
[1] https://support.royalapps.com/support/solutions/articles/17000027755
[2] https://developer.apple.com/documentation/network/nwendpoint/hostport_host_port
[3] https://developer.apple.com/documentation/network/2976720-nw_endpoint_create_host
Changelog
[22.09.2023] - Initial release
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]