
Royal TSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC

Posted by 黑客倉庫站長 (HackApt-37 Team verified member)
Vendor: Royal Apps GmbH
Product web page: https://www.royalapps.com
Affected version: 6.0.1.1000 (macOS)

Summary: Royal TS is a remote access solution for system engineers and
other IT professionals who need remote access to systems over different
protocols. It is not only easy to use but also secure for multi-user
document sharing.

Desc: The application receives a SIGABRT after the RAPortCheck.createNWConnection()
function processes a crafted SecureGatewayHost object. With a hostname
array of roughly 1600 bytes, the application crashes immediately as soon
as Test Connection is clicked. The crash report below shows the faulting
instruction reading through a null pointer at offset 0x50
(KERN_INVALID_ADDRESS at 0x50, rax = 0), which the Mono runtime's native
crash handler then turns into abort().
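The check a practitioner would want in front of a connection routine is a bounded hostname validator, so that an oversized value such as the ~1600-byte hostname described above is rejected on the input side and never reaches native connection code. The following is an added example written for this page; it is not Royal Apps' code and not part of the original advisory. It enforces the RFC 1035 hostname limits (253 characters total, labels of 1 to 63 letters, digits and hyphens) in C. The function names and the constructed 'a'-filled test hostname are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1035 limits: a hostname is at most 253 characters (255 octets on the
 * wire) and each dot-separated label is 1..63 characters. */
#define HOSTNAME_MAX 253
#define LABEL_MAX    63

/* Return true if s is a syntactically valid hostname that may be handed to
 * a connection routine, false otherwise. The length scan is bounded, so a
 * caller buffer of any size is never walked beyond HOSTNAME_MAX + 1 bytes.
 * (Example validator written for this page; names are assumptions.) */
bool hostname_is_valid(const char *s)
{
    if (s == NULL) return false;

    /* Bounded length scan: reject anything longer than HOSTNAME_MAX
     * without reading the rest of the buffer. */
    size_t n = 0;
    while (n <= HOSTNAME_MAX && s[n] != '\0') n++;
    if (n == 0 || n > HOSTNAME_MAX) return false;

    size_t label_len = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label_len == 0) return false;          /* empty label ("a..b" or ".a") */
            if (s[i - 1] == '-') return false;         /* label must not end with '-' */
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return false;   /* letters, digits, hyphen only */
        if (label_len == 0 && c == '-') return false;  /* label must not start with '-' */
        if (++label_len > LABEL_MAX) return false;     /* label longer than 63 */
    }
    return true;                                       /* a single trailing dot (FQDN) is allowed */
}

/* Build a hostname of exactly `len` bytes of 'a' (constructed test input
 * modelling the ~1600-byte value from the advisory) and report whether the
 * validator rejects it. */
bool long_hostname_rejected(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL) return false;
    memset(buf, 'a', len);
    buf[len] = '\0';
    bool rejected = !hostname_is_valid(buf);
    free(buf);
    return rejected;
}

int main(void)
{
    const char *samples[] = {
        "gateway.example.com", "gw-1.example.com.", "-gw.example.com",
        "gw-.example.com", "gw..example.com", "gw_1.example.com", ""
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               hostname_is_valid(samples[i]) ? "accepted" : "rejected");

    printf("1600 x 'a'              -> %s\n",
           long_hostname_rejected(1600) ? "rejected" : "accepted");
    printf("63 x 'a'                -> %s\n",
           long_hostname_rejected(63) ? "rejected" : "accepted");
    return 0;
}
```

The validator returns false for the oversized input after looking at 254 bytes at most, so the decision does not depend on how large the attacker-controlled buffer actually is; a caller that only checks for a NUL terminator would still walk the whole 1600 bytes and then pass them on.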
Tested on: macOS 13.5.1 (Ventura)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2023-5788
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.PHP

05.09.2023
--

---------------------------------------------------------
Translated crash report (full report below)
---------------------------------------------------------
Process:               RoyalTSX [23807]
Path:                  /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
Identifier:            com.lemonmojo.royaltsx.app
Version:               6.0.1 (6.0.1.1000)
Code Type:             X86-64 (Native)
Parent Process:        launchd [1]
User ID:               503

Date/Time:             2023-09-05 16:093:46.6361 +0200
OS Version:            macOS 13.5.1 (22G90)
Report Version:        12
Bridge OS Version:     7.6 (20P6072)

Time Awake Since Boot: 21000 seconds
Time Since Wake:       1106 seconds

System Integrity Protection: enabled

Crashed Thread:        0  tid_103  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGABRT)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000050
Exception Codes:       0x0000000000000001, 0x0000000000000050

Termination Reason:    Namespace SIGNAL, Code 6 Abort trap: 6
Terminating Process:   RoyalTSX [23807]

VM Region Info: 0x50 is not in any region.  Bytes before following region: 140737488273328
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->
      shared memory            7ffffffec000-7ffffffed000 [    4K] r-x/r-x SM=SHM

Application Specific Information:
abort() called
Thread 0 Crashed::  tid_103  Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib           0x7ff809ef7202 __pthread_kill + 10
1   libsystem_pthread.dylib          0x7ff809f2eee6 pthread_kill + 263
2   libsystem_c.dylib                0x7ff809e55b45 abort + 123
3   libmonosgen-2.0.1.dylib          0x1028daa1b altstack_handle_and_restore + 235
4   libmonosgen-2.0.1.dylib          0x102879db6 summarize_frame_internal + 310
5   libmonosgen-2.0.1.dylib          0x102879f66 summarize_frame + 198
6   libmonosgen-2.0.1.dylib          0x10287578f mono_walk_stack_full + 1135
7   libmonosgen-2.0.1.dylib          0x102873944 mono_summarize_managed_stack + 100
8   libmonosgen-2.0.1.dylib          0x102a0f478 mono_threads_summarize_execute_internal + 1256
9   libmonosgen-2.0.1.dylib          0x102a0f8aa mono_threads_summarize + 346
10  libmonosgen-2.0.1.dylib          0x1028e0b67 mono_dump_native_crash_info + 855
11  libmonosgen-2.0.1.dylib          0x10287864e mono_handle_native_crash + 318
12  libmonosgen-2.0.1.dylib          0x1027d1966 mono_crashing_signal_handler + 86
13  libsystem_platform.dylib         0x7ff809f5c5c _sigtramp + 29
14  ???                              0x101e9502c ???
15  RoyalTSXNativeUI                 0x109e50012 RAPortCheck.createNWConnection() + 290
16  RoyalTSXNativeUI                 0x109e4f6d2 RAPortCheck.connect() + 242
17  RoyalTSXNativeUI                 0x10a021c70 static RASecureGatewayPropertyPageHelper.testConnection(hostname:port:logger:localizer:parentWindow:progressIndicator:testConnectionButton:) + 592
18  RoyalTSXNativeUI                 0x10a0b94e7 RAPropertyPageSecureGatewayMain.testConnection() + 359
19  RoyalTSXNativeUI                 0x10a0b9573 @objc RAPropertyPageSecureGatewayMain.buttonTestConnection_action(_:) + 51
20  AppKit                           0x7ff80d29742c -[NSApplication(NSResponder) sendAction:to:from:] + 323
21  AppKit                           0x7ff80d2972b0 -[NSControl sendAction:to:] + 86
22  AppKit                           0x7ff80d2971e2 __26-[NSCell _sendActionFrom:]_block_invoke + 131
23  AppKit                           0x7ff80d2970eb -[NSCell _sendActionFrom:] + 171
24  AppKit                           0x7ff80d297031 -[NSButtonCell _sendActionFrom:] + 96
25  AppKit                           0x7ff80d293ee5 NSControlTrackMouse + 1816
26  AppKit                           0x7ff80d2937a9 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 121
27  AppKit                           0x7ff80d29367c -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 606
28  AppKit                           0x7ff80d292ac0 -[NSControl mouseDown:] + 659
29  AppKit                           0x7ff80d290f9d -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4330
30  AppKit                           0x7ff80d2087d7 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 404
31  AppKit                           0x7ff80d208427 -[NSWindow(NSEventRouting) sendEvent:] + 345
32  AppKit                           0x7ff80d206e01 -[NSApplication(NSEvent) sendEvent:] + 345
33  AppKit                           0x7ff80d3413ae -[NSApplication _doModalLoop:peek:] + 360
34  AppKit                           0x7ff80d4c2219 __33-[NSApplication runModalSession:]_block_invoke_2 + 69
35  AppKit                           0x7ff80d4c21c1 __33-[NSApplication runModalSession:]_block_invoke + 78
36  AppKit                           0x7ff80d33f773 _NSTryRunModal + 100
37  AppKit                           0x7ff80d4c20be -[NSApplication runModalSession:] + 128
38  RoyalTSXNativeUI                 0x109f17044 RAPropertiesWindowController._showModal() + 628
39  RoyalTSXNativeUI                 0x109f17548 @objc RAPropertiesWindowController._showModal() + 24
40  Foundation                       0x7ff80ae84951 -[NSObject(NSThreadPerformAdditions) performSelector:onThread:withObject:waitUntilDone:modes:] + 379
41  Foundation                       0x7ff80ae84676 -[NSObject(NSThreadPerformAdditions) performSelectorOnMainThread:withObject:waitUntilDone:] + 124
42  libffi.dylib                     0x7ff81a5fd8c2 ffi_call_unix64 + 82
43  libffi.dylib                     0x7ff81a5fd214 ffi_call_int + 830
Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x00007ff84d608700  rcx: 0x00007ff7be10fbc8  rdx: 0x0000000000000000
  rdi: 0x0000000000000103  rsi: 0x0000000000000006  rbp: 0x00007ff7be10fbf0  rsp: 0x00007ff7be10fbc8
   r8: 0x0000000000000212   r9: 0x00007fafaeaf64a8  r10: 0x0000000000000246
  r12: 0x0000000000000103  r13: 0x00007ff7be110418  r14: 0x0000000000001616
  rip: 0x00007ff809ef7202  rfl: 0x0000000000000246  cr2: 0x00007ff84d611068

Logical CPU:     0
Error Code:      0x02000148
Trap Number:     133
Thread 0 instruction stream (the bracketed byte marks the faulting instruction, mov eax, [rax+0x50] with rax = 0):
  0f 84 24 01 00 00 49 8b-79 08 4c 89 45 c0 89 4d
  d4 48 89 55 c8 4d 89 cc-e8 5d 79 0e 00 48 89 c3
  4b 8d 7c 3e 04 48 8b 73-30 ba 8c 00 00 00 e8 07
  7f 25 00 4c 8b 45 c0 48-8b 43 58 4b 89 84 3e a0
  00 00 00 41 8b 44 24 04-43 89 84 3e 90 00 00 00
  48 8b 43 38 4b 89 84 3e-a8 00 00 00 48 8b 43 60
 [8b]40 50 43 89 84 3e b0-00 00 00 8b 43 40 43 89
  84 3e b4 00 00 00 48 8b-45 c8 43 89 84 3e 98 00
  00 00 8b 45 d4 43 89 84-3e 94 00 00 00 eb 18 48
  8d 05 80 ff 26 00 e9 96-00 00 00 43 c7 84 3e 90
  00 00 00 ff ff ff ff 49-8b 45 10 48 8b 18 41 83
  38 00 74 24 4b 8d 7c 3e-04 4d 89 c4 e8 69 d8 14
Binary Images:
       0x101deb000 -        0x101df6fff com.lemonmojo.royaltsx.app (6.0.1) <328845A4-2E68-3C0F-A495-0333AC725BB43> /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
.
.
 