0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
RoyalTS SSH Tunnel Authentication Bypass Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
RoyalTS SSH Tunnel - Authentication Bypass =============================================================================== Identifiers ------------------------------------------------- * CVE-2020-13872 CVSSv3 score ------------------------------------------------- 8.8 - [AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L]( https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L&version=3.1 ) Vendor ------------------------------------------------- RoyalApps - https://www.royalapps.com/ Product ------------------------------------------------- Royal TS provides powerful, easy and secure access to your remote systems. It's the perfect tool for server admins, system engineers, developers and IT focused information workers who constantly need to access remote systems with different protocols (like RDP, VNC, SSH, HTTP/S, and many more.). Affected versions ------------------------------------------------- - All versions prior to RoyalTS v5 for Windows. Credit ------------------------------------------------- Michele Toccagni - toccagni.info Vulnerability summary ------------------------------------------------- This vulnerability allows a remote attackers to bypass the authentication of the tunnel and gain access to an internal network. The problem is that, once a SSH tunnel is created on the bridge host with a Secure Gateway, this tunnel will listen on the address 0.0.0.0 on the port opened ad hoc by RoyalTS (higher than 50000), leaving the possibility for anyone to exploit the tunnel without having to authenticate to it. The attacker could easily bruteforce the ssh/rdp login in the internal network, or, even worse, if the hosts aren't patched, could use some known exploits and perform lateral movements. The vulnerability is fixed in the current major release (Royal TS V5). Proof of concept ------------------------------------------------- I wrote a detailed blog post to explain the bug: https://hacktips.it/royalts-ssh-tunnel-authentication-bypass/ Solution ------------------------------------------------- Upgrade to RoyalTS V5 for Windows Timeline ------------------------------------------------- Date | Status ------------|--------------------- 04-JUN-2020 | Reported to vendor 04-JUN-2020 | Vendor replied that it's a known bug and it's fixed on the last major version 06-JUN-2020 | CVE assigned 08-JUN-2020 | Public disclosure # 0day.today [2024-07-07] #