RoyalTSX 6.0.1 – RTSZ File Handling Heap Memory Corruption PoC

• Exploit Database
• 46 阅读

• 作者： LiquidWorm
  日期： 2024-01-31
• 类别：

  • remote
  平台：

  • macos
• 来源：https://www.exploit-db.com/exploits/51764/

• RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
  
  
  Vendor: Royal Apps GmbH
  Web page: https://www.royalapps.com
  Affected version: 6.0.1.1000 (macOS)
  
  Summary: Royal TS is an ideal tool for system engineers and
  other IT professionals who need remote access to systems with
  different protocols. Not only easy to use, it enables secure
  multi-user document sharing.
  
  Desc: The application receives SIGABRT after RAPortCheck.createNWConnection()
  function is handling the SecureGatewayHost object in the RoyalTSXNativeUI.
  When the hostname has an array of around 1600 bytes and Test Connection is
  clicked the app crashes instantly.
  
  Tested on: MacOS 13.5.1 (Ventura)
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2023-5788
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php
  
  
  05.09.2023
  
  --
  
  
  -------------------------------------
  Translated Report (Full Report Below)
  -------------------------------------
  
  Process: RoyalTSX [23807]
  Path:/Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
  Identifier:com.lemonmojo.RoyalTSX.App
  Version: 6.0.1 (6.0.1.1000)
  Code Type: X86-64 (Native)
  Parent Process:launchd [1]
  User ID: 503
  
  Date/Time: 2023-09-05 16:09:46.6361 +0200
  OS Version:macOS 13.5.1 (22G90)
  Report Version:12
  Bridge OS Version: 7.6 (20P6072)
  
  Time Awake Since Boot: 21000 seconds
  Time Since Wake: 1106 seconds
  
  System Integrity Protection: enabled
  
  Crashed Thread:0tid_103Dispatch queue: com.apple.main-thread
  
  Exception Type:EXC_BAD_ACCESS (SIGABRT)
  Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000050
  Exception Codes: 0x0000000000000001, 0x0000000000000050
  
  Termination Reason:Namespace SIGNAL, Code 6 Abort trap: 6
  Terminating Process: RoyalTSX [23807]
  
  VM Region Info: 0x50 is not in any region.Bytes before following region: 140737488273328
  REGION TYPESTART - END [ VSIZE] PRT/MAX SHRMODREGION DETAIL
  UNUSED SPACE AT START
  --->
  shared memory7ffffffec000-7ffffffed000 [4K] r-x/r-x SM=SHM
  
  Application Specific Information:
  abort() called
  
  
  Thread 0 Crashed:: tid_103 Dispatch queue: com.apple.main-thread
  0 libsystem_kernel.dylib	0x7ff809ef7202 __pthread_kill + 10
  1 libsystem_pthread.dylib 	0x7ff809f2eee6 pthread_kill + 263
  2 libsystem_c.dylib 	0x7ff809e55b45 abort + 123
  3 libmonosgen-2.0.1.dylib 	 0x1028daa1b altstack_handle_and_restore + 235
  4 libmonosgen-2.0.1.dylib 	 0x102879db6 summarize_frame_internal + 310
  5 libmonosgen-2.0.1.dylib 	 0x102879f66 summarize_frame + 198
  6 libmonosgen-2.0.1.dylib 	 0x10287578f mono_walk_stack_full + 1135
  7 libmonosgen-2.0.1.dylib 	 0x102873944 mono_summarize_managed_stack + 100
  8 libmonosgen-2.0.1.dylib 	 0x102a0f478 mono_threads_summarize_execute_internal + 1256
  9 libmonosgen-2.0.1.dylib 	 0x102a0f8aa mono_threads_summarize + 346
  10libmonosgen-2.0.1.dylib 	 0x1028e0b67 mono_dump_native_crash_info + 855
  11libmonosgen-2.0.1.dylib 	 0x10287864e mono_handle_native_crash + 318
  12libmonosgen-2.0.1.dylib 	 0x1027d1966 mono_crashing_signal_handler + 86
  13libsystem_platform.dylib	0x7ff809f5c5ed _sigtramp + 29
  14??? 	 0x101e9502c ???
  15RoyalTSXNativeUI	 0x109e50012 RAPortCheck.createNWConnection() + 290
  16RoyalTSXNativeUI	 0x109e4f6d2 RAPortCheck.connect() + 242
  17RoyalTSXNativeUI	 0x10a021c70 static RASecureGatewayPropertyPageHelper.testConnection(hostname:port:logger:localizer:parentWindow:progressIndicator:testConnectionButton:) + 592
  18RoyalTSXNativeUI	 0x10a0b94e7 RAPropertyPageSecureGatewayMain.testConnection() + 359
  19RoyalTSXNativeUI	 0x10a0b9573 @objc RAPropertyPageSecureGatewayMain.buttonTestConnection_action(_:) + 51
  20AppKit	0x7ff80d29742c -[NSApplication(NSResponder) sendAction:to:from:] + 323
  21AppKit	0x7ff80d2972b0 -[NSControl sendAction:to:] + 86
  22AppKit	0x7ff80d2971e2 __26-[NSCell _sendActionFrom:]_block_invoke + 131
  23AppKit	0x7ff80d2970eb -[NSCell _sendActionFrom:] + 171
  24AppKit	0x7ff80d297031 -[NSButtonCell _sendActionFrom:] + 96
  25AppKit	0x7ff80d293ee5 NSControlTrackMouse + 1816
  26AppKit	0x7ff80d2937a9 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 121
  27AppKit	0x7ff80d29367c -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 606
  28AppKit	0x7ff80d292ac0 -[NSControl mouseDown:] + 659
  29AppKit	0x7ff80d290f9d -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4330
  30AppKit	0x7ff80d2087d7 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 404
  31AppKit	0x7ff80d208427 -[NSWindow(NSEventRouting) sendEvent:] + 345
  32AppKit	0x7ff80d206e01 -[NSApplication(NSEvent) sendEvent:] + 345
  33AppKit	0x7ff80d3413ae -[NSApplication _doModalLoop:peek:] + 360
  34AppKit	0x7ff80d4c2219 __33-[NSApplication runModalSession:]_block_invoke_2 + 69
  35AppKit	0x7ff80d4c21c1 __33-[NSApplication runModalSession:]_block_invoke + 78
  36AppKit	0x7ff80d33f773 _NSTryRunModal + 100
  37AppKit	0x7ff80d4c20be -[NSApplication runModalSession:] + 128
  38RoyalTSXNativeUI	 0x109f17044 RAPropertiesWindowController._showModal() + 628
  39RoyalTSXNativeUI	 0x109f17548 @objc RAPropertiesWindowController._showModal() + 24
  40Foundation	0x7ff80ae84951 -[NSObject(NSThreadPerformAdditions) performSelector:onThread:withObject:waitUntilDone:modes:] + 379
  41Foundation	0x7ff80ae84676 -[NSObject(NSThreadPerformAdditions) performSelectorOnMainThread:withObject:waitUntilDone:] + 124
  42libffi.dylib	0x7ff81a5fd8c2 ffi_call_unix64 + 82
  43libffi.dylib	0x7ff81a5fd214 ffi_call_int + 830
  
  Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000rbx: 0x00007ff84d608700rcx: 0x00007ff7be10fbc8rdx: 0x0000000000000000
  rdi: 0x0000000000000103rsi: 0x0000000000000006rbp: 0x00007ff7be10fbf0rsp: 0x00007ff7be10fbc8
   r8: 0x0000000000000212 r9: 0x00007fafaeaf64a8r10: 0x0000000000000000r11: 0x0000000000000246
  r12: 0x0000000000000103r13: 0x00007ff7be110418r14: 0x0000000000000006r15: 0x0000000000000016
  rip: 0x00007ff809ef7202rfl: 0x0000000000000246cr2: 0x00007ff84d611068
  
  Logical CPU: 0
  Error Code:0x02000148 
  Trap Number: 133
  
  Thread 0 instruction stream:
  0f 84 24 01 00 00 49 8b-79 08 4c 89 45 c0 89 4d..$...I.y.L.E..M
  d4 48 89 55 c8 4d 89 cc-e8 5d 79 0e 00 48 89 c3.H.U.M...]y..H..
  4b 8d 7c 3e 04 48 8b 73-30 ba 8c 00 00 00 e8 07K.|>.H.s0.......
  7f 25 00 4c 8b 45 c0 48-8b 43 58 4b 89 84 3e a0.%.L.E.H.CXK..>.
  00 00 00 41 8b 44 24 04-43 89 84 3e 90 00 00 00...A.D$.C..>....
  48 8b 43 38 4b 89 84 3e-a8 00 00 00 48 8b 43 60H.C8K..>....H.C`
   [8b]40 50 43 89 84 3e b0-00 00 00 8b 43 40 43 89.@PC..>.....C@C.	<==
  84 3e b4 00 00 00 48 8b-45 c8 43 89 84 3e 98 00.>....H.E.C..>..
  00 00 8b 45 d4 43 89 84-3e 94 00 00 00 eb 18 48...E.C..>......H
  8d 05 80 ff 26 00 e9 96-00 00 00 43 c7 84 3e 90....&......C..>.
  00 00 00 ff ff ff ff 49-8b 45 10 48 8b 18 41 83.......I.E.H..A.
  38 00 74 24 4b 8d 7c 3e-04 4d 89 c4 e8 69 d8 148.t$K.|>.M...i..
  
  Binary Images:
   0x101deb000 -0x101df6fff com.lemonmojo.RoyalTSX.App (6.0.1) <328845a4-2e68-3c0f-a495-033ac725bb43> /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
  ...
  ...