lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 08 Jun 2020 10:34:12 +0200
From: michele@...cagni.info
To: fulldisclosure@...lists.org
Subject: [FD] RoyalTS SSH Tunnel - Authentication Bypass

RoyalTS SSH Tunnel - Authentication Bypass
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2020-13872


CVSSv3 score
-------------------------------------------------
8.8 - [AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L](
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L&version=3.1
)


Vendor
-------------------------------------------------
RoyalApps - https://www.royalapps.com/


Product
-------------------------------------------------
Royal TS provides powerful, easy and secure access to your remote 
systems.
It's the perfect tool for server admins, system engineers, developers 
and IT focused information workers
who constantly need to access remote systems with different protocols 
(like RDP, VNC, SSH, HTTP/S, and many more.).


Affected versions
-------------------------------------------------
  - All versions prior to RoyalTS v5 for Windows.


Credit
-------------------------------------------------
Michele Toccagni - toccagni.info


Vulnerability summary
-------------------------------------------------
This vulnerability allows a remote attackers to bypass the 
authentication of the tunnel
and gain access to an internal network. The problem is that, once a
SSH tunnel is created on the bridge host with a Secure Gateway, this
tunnel will listen on the address 0.0.0.0 on the port opened ad hoc by
RoyalTS (higher than 50000), leaving the possibility for anyone to
exploit the tunnel without having to authenticate to it.
The attacker could easily bruteforce the ssh/rdp login in the internal 
network, or,
even worse, if the hosts aren't patched, could use some known exploits 
and perform lateral movements.
The vulnerability is fixed in the current major release (Royal TS V5).



Proof of concept
-------------------------------------------------
I wrote a detailed blog post to explain the bug: 
https://hacktips.it/royalts-ssh-tunnel-authentication-bypass/

Solution
-------------------------------------------------
Upgrade to RoyalTS V5 for Windows

Timeline
-------------------------------------------------
Date        | Status
------------|---------------------
04-JUN-2020 | Reported to vendor
04-JUN-2020 | Vendor replied that it's a known bug and it's fixed on the 
last major version
06-JUN-2020 | CVE assigned
08-JUN-2020 | Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists