TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions

vendor:

TSplus Remote Work

by:

Carlo Di Dato for Deloitte Risk Advisory Italia

9.8

CVSS

CRITICAL

Insecure Files and Folders Permissions

CWE

Product Name: TSplus Remote Work

Affected Version From: Up to 16.0.0.0

Affected Version To: Up to 16.0.0.0

Patch Exists: NO

Related CWE: CVE-2023-31068

CPE: a:tsplus:tsplus_remote_work:16.0.0.0

Metasploit:

Other Scripts:

Platforms Tested: Windows

2023

TSplus 16.0.0.0 – Remote Work Insecure Files and Folders Permissions

In TSplus Remote Work (v. 16.0.0.0), insecure file and folder permissions are set, allowing a malicious user to manipulate file content or change legitimate files to compromise a system or gain elevated privileges.

Mitigation:

The vendor should update the software to set proper file and folder permissions to prevent unauthorized access and manipulation.

Source

Exploit-DB raw data:

# Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions
# Date: 2023-08-09
# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
# Vendor Homepage: https://tsplus.net/
# Version: Up to 16.0.0.0
# Tested on: Windows
# CVE : CVE-2023-31068

With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single 
sign-on web portal and remote desktop gateway that enables users to 
remotely access the console session of their office PC.
The solution comes with an embedded web server to allow remote users to 
easely connect remotely.
However, insecure file and folder permissions are set, and this could 
allow a malicious user to manipulate file content (e.g.: changing the 
code of html pages or js scripts) or change legitimate files (e.g. 
Setup-RemoteWork-Client.exe) in order to compromise a system or to gain 
elevated privileges.

This is the list of insecure files and folders with their respective 
permissions:

Permission: Everyone:(OI)(CI)(F)

C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\locales
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\images
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log

-------------------------------------------------------------------------------------------

Permission: Everyone:(F)

C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\index.html
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js
C:\Program Files 
(x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js