CVE-2018-18865
Published 2018-11-20. CVE-2018-18865: The Royal browser extensions TS before 4.3.60728 (Release Date 2018-07-28) and TSX before 3.3.1 (Release Date 2018-09-13) allow Credentials Disclosure.
Priority: P3 · 56 · high
CVSS 3.0: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 8.00% (94.0th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| royalapplications | royal_ts | <= 4.3.60728 | — |
| royalapplications | royal_tsx | <= 3.3.1 | — |
Detection & IOCs (extracted from sources)

Commands observed in the public exploit (local WebSocket messages to the extension listener):

- command: `{"Command":"GetDocuments","Arguments":null,"PluginVersion":"1.0.0.0","RequestId":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}`
- command: `{"Command":"GetLoginInformation","Arguments":{"CredentialId":"<ID>"},"PluginVersion":"1.0.0.0","RequestId":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}`

Detection notes:

- Monitor for WebSocket connections to localhost port 54890, which is the Royal TS/X browser extension's local WebSocket listener; unexpected cross-origin connections to this port indicate exploitation attempts.
- The exploit checks the 'Unlocked' field in the GetDocuments response to identify documents with accessible credentials before issuing GetLoginInformation; look for rapid sequential WebSocket connections to port 54890 from browser processes.
- Credentials returned by GetLoginInformation are Base64-encoded in the ResponseData field; monitor for atob() calls on WebSocket response data in browser contexts as a post-exploitation indicator.

Context:

- The vulnerability affects Royal TS versions before 4.3.60728 (released 2018-07-28) and Royal TSX versions before 3.3.1 (released 2018-09-13); patched versions are not vulnerable to this unauthenticated local WebSocket credential disclosure.
- The local WebSocket listener on port 54890 performs no authentication or origin validation, allowing any web page loaded in the browser to issue commands and retrieve stored credentials from unlocked Royal TS/X documents.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
No detection rules found.
No writeups or analysis indexed.
References:

- http://packetstormsecurity.com/files/150136/Royal-TS-X-Information-Disclosure.html
- http://seclists.org/fulldisclosure/2018/Nov/25
- http://seclists.org/fulldisclosure/2018/Nov/4
- https://www.exploit-db.com/exploits/45783/