
17 changes to exploits/shellcodes/ghdb

EuroTel ETL3100 - Transmitter Authorization Bypass (IDOR)
EuroTel ETL3100 - Transmitter Default Credentials
EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download
Color Prediction Game v1.0 - SQL Injection
Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)
Dolibarr Version 17.0.1 - Stored XSS
Global - Multi School Management System Express v1.0- SQL Injection
OVOO Movie Portal CMS v3.3.3 - SQL Injection
PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities
Taskhub CRM Tool 2.8.6 - SQL Injection
Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions
TSPlus 16.0.0.0 - Remote Work Insecure Credential storage
TSplus 16.0.0.0 - Remote Work Insecure Files and Folders
TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
Linux/x64 - memfd_create ELF loader Shellcode (170 bytes)
# Exploit Title: TSPlus 16.0.0.0 - Remote Work Insecure Credential storage
# Date: 2023-08-09
# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
# Vendor Homepage: https://tsplus.net/
# Version: Up to 16.0.0.0
# Tested on: Windows
# CVE : CVE-2023-31069

With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single
sign-on web portal and remote desktop gateway that enables users to
remotely access the console session of their office PC.
It is possible to create a custom web portal login page which allows a
user to login without providing their credentials.
However, the credentials are stored in an insecure manner since they are
saved in cleartext, within the html login page.
This means that everyone with an access to the web login page, can
easely retrieve the credentials to access to the application by simply
looking at the html code page.

This is a code snippet extracted by the source code of the login page
(var user and var pass):

// --------------- Access Configuration ---------------
var user = "Admin"; // Login to use when
connecting to the remote server (leave "" to use the login typed in this
page)
var pass = "SuperSecretPassword"; // Password to use when
connecting to the remote server (leave "" to use the password typed in
this page)
var domain = ""; // Domain to use when
connecting to the remote server (leave "" to use the domain typed in
this page)
var server = "127.0.0.1"; // Server to connect to
(leave "" to use localhost and/or the server chosen in this page)
var port = ""; // Port to connect to
(leave "" to use localhost and/or the port of the server chosen in this
page)
var lang = "as_browser"; // Language to use
var serverhtml5 = "127.0.0.1"; // Server to connect to,
when using HTML5 client
var porthtml5 = "3389"; // Port to connect to,
when using HTML5 client
var cmdline = ""; // Optional text that will
be put in the server's clipboard once connected
// --------------- End of Access Configuration ---------------
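
Review bot: the write-up stops at the quoted Access Configuration block without stating a mitigation, even though the snippet's own comments point to one: each of "var user", "var pass" and "var domain" says to leave the value "" so that the login typed in the page is used. A closing line should say that the custom portal page must ship with these fields empty and that any password already embedded in a served page should be treated as disclosed and changed. In the same block, the trailing "//" comments are hard-wrapped onto lines with no comment marker ("connecting to the remote server (leave ...", "page)", "when using HTML5 client"), so the snippet no longer reads as the JavaScript it was copied from; keeping each "var ... // ..." on a single line would preserve it as evidence. Minor wording in the description: "easely" should be "easily", and "an access to" and "access to the application" read better as "access to" and "access the application".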