zeroscience
ZSL Bot v4.89.1.00
Код:
RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
Vendor: Royal Apps GmbH
Web page: https://www.royalapps.com
Affected version: 6.0.1.1000 (macOS)
Summary: Royal TS is an ideal tool for system engineers and
other IT professionals who need remote access to systems with
different protocols. Not only easy to use, it enables secure
multi-user document sharing.
Desc: The application receives SIGABRT after RAPortCheck.createNWConnection()
function is handling the SecureGatewayHost object in the RoyalTSXNativeUI.
When the hostname has an array of around 1600 bytes and Test Connection is
clicked the app crashes instantly.
Tested on: MacOS 13.5.1 (Ventura)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5788
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php
05.09.2023
--
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------
Process: RoyalTSX [23807]
Path: /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
Identifier: com.lemonmojo.RoyalTSX.App
Version: 6.0.1 (6.0.1.1000)
Code Type: X86-64 (Native)
Parent Process: launchd [1]
User ID: 503
Date/Time: 2023-09-05 16:09:46.6361 +0200
OS Version: macOS 13.5.1 (22G90)
Report Version: 12
Bridge OS Version: 7.6 (20P6072)
Time Awake Since Boot: 21000 seconds
Time Since Wake: 1106 seconds
System Integrity Protection: enabled
Crashed Thread: 0 tid_103 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGABRT)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000050
Exception Codes: 0x0000000000000001, 0x0000000000000050
Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6
Terminating Process: RoyalTSX [23807]
VM Region Info: 0x50 is not in any region. Bytes before following region: 140737488273328
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
UNUSED SPACE AT START
--->
shared memory 7ffffffec000-7ffffffed000 [ 4K] r-x/r-x SM=SHM
Application Specific Information:
abort() called
Thread 0 Crashed:: tid_103 Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x7ff809ef7202 __pthread_kill + 10
1 libsystem_pthread.dylib 0x7ff809f2eee6 pthread_kill + 263
2 libsystem_c.dylib 0x7ff809e55b45 abort + 123
3 libmonosgen-2.0.1.dylib 0x1028daa1b altstack_handle_and_restore + 235
4 libmonosgen-2.0.1.dylib 0x102879db6 summarize_frame_internal + 310
5 libmonosgen-2.0.1.dylib 0x102879f66 summarize_frame + 198
6 libmonosgen-2.0.1.dylib 0x10287578f mono_walk_stack_full + 1135
7 libmonosgen-2.0.1.dylib 0x102873944 mono_summarize_managed_stack + 100
8 libmonosgen-2.0.1.dylib 0x102a0f478 mono_threads_summarize_execute_internal + 1256
9 libmonosgen-2.0.1.dylib 0x102a0f8aa mono_threads_summarize + 346
10 libmonosgen-2.0.1.dylib 0x1028e0b67 mono_dump_native_crash_info + 855
11 libmonosgen-2.0.1.dylib 0x10287864e mono_handle_native_crash + 318
12 libmonosgen-2.0.1.dylib 0x1027d1966 mono_crashing_signal_handler + 86
13 libsystem_platform.dylib 0x7ff809f5c5ed _sigtramp + 29
14 ??? 0x101e9502c ???
15 RoyalTSXNativeUI 0x109e50012 RAPortCheck.createNWConnection() + 290
16 RoyalTSXNativeUI 0x109e4f6d2 RAPortCheck.connect() + 242
17 RoyalTSXNativeUI 0x10a021c70 static RASecureGatewayPropertyPageHelper.testConnection(hostname:port:logger:localizer:parentWindow:progressIndicator:testConnectionButton:) + 592
18 RoyalTSXNativeUI 0x10a0b94e7 RAPropertyPageSecureGatewayMain.testConnection() + 359
19 RoyalTSXNativeUI 0x10a0b9573 @objc RAPropertyPageSecureGatewayMain.buttonTestConnection_action(_:) + 51
20 AppKit 0x7ff80d29742c -[NSApplication(NSResponder) sendAction:to:from:] + 323
21 AppKit 0x7ff80d2972b0 -[NSControl sendAction:to:] + 86
22 AppKit 0x7ff80d2971e2 __26-[NSCell _sendActionFrom:]_block_invoke + 131
23 AppKit 0x7ff80d2970eb -[NSCell _sendActionFrom:] + 171
24 AppKit 0x7ff80d297031 -[NSButtonCell _sendActionFrom:] + 96
25 AppKit 0x7ff80d293ee5 NSControlTrackMouse + 1816
26 AppKit 0x7ff80d2937a9 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 121
27 AppKit 0x7ff80d29367c -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 606
28 AppKit 0x7ff80d292ac0 -[NSControl mouseDown:] + 659
29 AppKit 0x7ff80d290f9d -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4330
30 AppKit 0x7ff80d2087d7 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 404
31 AppKit 0x7ff80d208427 -[NSWindow(NSEventRouting) sendEvent:] + 345
32 AppKit 0x7ff80d206e01 -[NSApplication(NSEvent) sendEvent:] + 345
33 AppKit 0x7ff80d3413ae -[NSApplication _doModalLoop:peek:] + 360
34 AppKit 0x7ff80d4c2219 __33-[NSApplication runModalSession:]_block_invoke_2 + 69
35 AppKit 0x7ff80d4c21c1 __33-[NSApplication runModalSession:]_block_invoke + 78
36 AppKit 0x7ff80d33f773 _NSTryRunModal + 100
37 AppKit 0x7ff80d4c20be -[NSApplication runModalSession:] + 128
38 RoyalTSXNativeUI 0x109f17044 RAPropertiesWindowController._showModal() + 628
39 RoyalTSXNativeUI 0x109f17548 @objc RAPropertiesWindowController._showModal() + 24
40 Foundation 0x7ff80ae84951 -[NSObject(NSThreadPerformAdditions) performSelector:onThread:withObject:waitUntilDone:modes:] + 379
41 Foundation 0x7ff80ae84676 -[NSObject(NSThreadPerformAdditions) performSelectorOnMainThread:withObject:waitUntilDone:] + 124
42 libffi.dylib 0x7ff81a5fd8c2 ffi_call_unix64 + 82
43 libffi.dylib 0x7ff81a5fd214 ffi_call_int + 830
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x00007ff84d608700 rcx: 0x00007ff7be10fbc8 rdx: 0x0000000000000000
rdi: 0x0000000000000103 rsi: 0x0000000000000006 rbp: 0x00007ff7be10fbf0 rsp: 0x00007ff7be10fbc8
r8: 0x0000000000000212 r9: 0x00007fafaeaf64a8 r10: 0x0000000000000000 r11: 0x0000000000000246
r12: 0x0000000000000103 r13: 0x00007ff7be110418 r14: 0x0000000000000006 r15: 0x0000000000000016
rip: 0x00007ff809ef7202 rfl: 0x0000000000000246 cr2: 0x00007ff84d611068
Logical CPU: 0
Error Code: 0x02000148
Trap Number: 133
Thread 0 instruction stream:
0f 84 24 01 00 00 49 8b-79 08 4c 89 45 c0 89 4d ..$...I.y.L.E..M
d4 48 89 55 c8 4d 89 cc-e8 5d 79 0e 00 48 89 c3 .H.U.M...]y..H..
4b 8d 7c 3e 04 48 8b 73-30 ba 8c 00 00 00 e8 07 K.|>.H.s0.......
7f 25 00 4c 8b 45 c0 48-8b 43 58 4b 89 84 3e a0 .%.L.E.H.CXK..>.
00 00 00 41 8b 44 24 04-43 89 84 3e 90 00 00 00 ...A.D$.C..>....
48 8b 43 38 4b 89 84 3e-a8 00 00 00 48 8b 43 60 H.C8K..>....H.C`
[8b]40 50 43 89 84 3e b0-00 00 00 8b 43 40 43 89 .@PC..>.....C@C. <==
84 3e b4 00 00 00 48 8b-45 c8 43 89 84 3e 98 00 .>....H.E.C..>..
00 00 8b 45 d4 43 89 84-3e 94 00 00 00 eb 18 48 ...E.C..>......H
8d 05 80 ff 26 00 e9 96-00 00 00 43 c7 84 3e 90 ....&......C..>.
00 00 00 ff ff ff ff 49-8b 45 10 48 8b 18 41 83 .......I.E.H..A.
38 00 74 24 4b 8d 7c 3e-04 4d 89 c4 e8 69 d8 14 8.t$K.|>.M...i..
Binary Images:
0x101deb000 - 0x101df6fff com.lemonmojo.RoyalTSX.App (6.0.1) <328845a4-2e68-3c0f-a495-033ac725bb43> /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
...
...Zero Science Lab » RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
Македонска лабораторија за истражување и развој на информациска безбедност
www.zeroscience.mk
