
17 changes to exploits/shellcodes/ghdb EuroTel ETL3100 - Transmitter Authorization Bypass (IDOR) EuroTel ETL3100 - Transmitter Default Credentials EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download Color Prediction Game v1.0 - SQL Injection Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated) Dolibarr Version 17.0.1 - Stored XSS Global - Multi School Management System Express v1.0- SQL Injection OVOO Movie Portal CMS v3.3.3 - SQL Injection PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities Taskhub CRM Tool 2.8.6 - SQL Injection Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions TSPlus 16.0.0.0 - Remote Work Insecure Credential storage TSplus 16.0.0.0 - Remote Work Insecure Files and Folders TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions Linux/x64 - memfd_create ELF loader Shellcode (170 bytes)
101 lines
No EOL
4.9 KiB
Text
101 lines
No EOL
4.9 KiB
Text
# Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
|
|
# Date: 2023-08-09
|
|
# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
|
|
# Vendor Homepage: https://tsplus.net/
|
|
# Version: Up to 16.0.2.14
|
|
# Tested on: Windows
|
|
# CVE : CVE-2023-31067
|
|
|
|
TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and
|
|
Microsoft RDS for remote desktop access and Windows application
|
|
delivery. Web-enable your legacy apps, create SaaS solutions or remotely
|
|
access your centralized corporate tools and files.
|
|
The TSplus Remote Access solution comes with an embedded web server to
|
|
allow remote users to easely connect remotely.
|
|
However, insecure file and folder permissions are set and this could
|
|
allow a malicious user to manipulate file content (e.g.: changing the
|
|
code of html pages or js scripts) or change legitimate files (e.g.
|
|
Setup-VirtualPrinter-Client.exe) in order to compromise a system or to
|
|
gain elevated privileges.
|
|
|
|
This is the list of insecure files and folders with their respective
|
|
permissions:
|
|
Everyone:(OI)(CF)(F) and Everyone(F)
|
|
Permission: Everyone:(OI)(CI)(F)
|
|
|
|
C:\Program Files (x86)\TSplus\Clients\www
|
|
C:\Program Files (x86)\TSplus\Clients\www\addons
|
|
C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
|
|
C:\Program Files (x86)\TSplus\Clients\www\downloads
|
|
C:\Program Files (x86)\TSplus\Clients\www\prints
|
|
C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
|
|
C:\Program Files (x86)\TSplus\Clients\www\software
|
|
C:\Program Files (x86)\TSplus\Clients\www\var
|
|
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp
|
|
C:\Program Files (x86)\TSplus\Clients\www\downloads\shared
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\js
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\img
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\third
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\java\third\images\bramus
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\java\third\js\prototype
|
|
C:\Program Files (x86)\TSplus\Clients\www\var\log
|
|
C:\Program Files (x86)\TSplus\UserDesktop\themes
|
|
C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar
|
|
C:\Program Files (x86)\TSplus\UserDesktop\themes\Default
|
|
C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar
|
|
C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon
|
|
C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop
|
|
C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless
|
|
C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient
|
|
C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista
|
|
|
|
------------------------------------------------------------------------------
|
|
|
|
Permission: Everyone:(F)
|
|
|
|
C:\Program Files (x86)\TSplus\Clients\www\all.min.css
|
|
C:\Program Files (x86)\TSplus\Clients\www\custom.css
|
|
C:\Program Files (x86)\TSplus\Clients\www\popins.css
|
|
C:\Program Files (x86)\TSplus\Clients\www\robots.txt
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
|
|
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
|
|
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
|
|
C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\common.css
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\html5\own\exitlist.html
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\html5\own\exitupload.html
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\html5\own\getlist.html
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\html5\own\getupload.html
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\html5\own\postupload.html
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\html5\own\uploaderr.html
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js
|
|
C:\Program Files
|
|
(x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js
|
|
C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js |