RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC

Zero Science Lab

Title: RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
Advisory ID: ZSL-2023-5788
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 22.09.2023

Summary

Royal TS is an ideal tool for system engineers and other IT professionals who need remote access to systems with different protocols. Not only easy to use, it enables secure multi-user document sharing.

Description

The application receives SIGABRT after the RAPortCheck.createNWConnection() function handles the SecureGatewayHost object in RoyalTSXNativeUI. When the hostname contains an array of around 1600 bytes and Test Connection is clicked, the app crashes instantly.
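
A defensive check for the condition described above, as an added example that is not code from the advisory or from Royal Apps: a C validator that rejects over-long or malformed host strings read from a document before they reach an endpoint constructor such as nw_endpoint_create_host [3]. The function name and the limits (RFC 1035: 253-byte names, 63-byte labels) are assumptions of this example; the page does not describe the vendor's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN  253  /* RFC 1035: whole name in text form */
#define MAX_LABEL_LEN  63  /* RFC 1035: one dot-separated label */

/* ASCII letters, digits and hyphen only; locale-independent on purpose. */
static bool is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* True only if buf[0..len) is a syntactically valid DNS host name.
 * Length is explicit because a field parsed from a file may not be
 * NUL-terminated. IPv6 literals are out of scope and are rejected. */
bool host_field_is_valid(const char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return false;
    if (buf[len - 1] == '.')          /* allow one trailing dot (FQDN) */
        len--;
    if (len == 0 || len > MAX_NAME_LEN)
        return false;
    size_t label = 0;                 /* bytes seen in the current label */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '.') {               /* label boundary */
            if (label == 0 || buf[i - 1] == '-')
                return false;         /* empty label or trailing hyphen */
            label = 0;
        } else if (!is_ldh(c) || (c == '-' && label == 0) ||
                   ++label > MAX_LABEL_LEN) {
            return false;             /* bad byte, leading hyphen, long label */
        }
    }
    return label > 0 && buf[len - 1] != '-';
}

int main(void)
{
    char big[1600];                   /* constructed input: size from the advisory */
    memset(big, 'A', sizeof big);
    printf("1600-byte host accepted: %d\n", host_field_is_valid(big, sizeof big));
    printf("gw.example.com accepted: %d\n", host_field_is_valid("gw.example.com", 14));
    return 0;
}
```

Rejecting the field at parse time keeps an oversized value from a shared document out of the connection code entirely, whatever the lower layers do with it.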

Vendor

Royal Apps GmbH - https://www.royalapps.com

Affected Version

6.0.1.1000 (macOS)

Tested On

macOS 13.5.1 (Ventura)

Vendor Status

[05.09.2023] Vulnerability discovered.
[07.09.2023] Sent crash report to the vendor.
[08.09.2023] Vendor responds asking for more details.
[08.09.2023] Sent details to vendor.
[11.09.2023] Working with the vendor.
[11.09.2023] Vendor confirms this is a bug in RoyalTSX's Swift wrapper for Apple's Network framework. The fix will be included in the next upcoming minor update.
[12.09.2023] Replied to the vendor.
[22.09.2023] Vendor releases beta version 6.0.2.1 to address this issue.
[22.09.2023] Replied to the vendor.
[22.09.2023] Coordinated public security advisory released.

PoC

royaltsx_mem.txt
royaltsx_poc.rar

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>
High five to Felix!

References

[1] https://support.royalapps.com/support/solutions/articles/17000027755
[2] https://developer.apple.com/documentation/network/nwendpoint/hostport_host_port
[3] https://developer.apple.com/documentation/network/2976720-nw_endpoint_create_host

Changelog

[22.09.2023] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: [email protected]