TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
# Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
# Date: 2023-08-09
# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
# Vendor Homepage: https://tsplus.net/
# Version: Up to 16.0.2.14
# Tested on: Windows
# CVE : CVE-2023-31067
TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and
Microsoft RDS for remote desktop access and Windows application
delivery. Web-enable your legacy apps, create SaaS solutions or remotely
access your centralized corporate tools and files.
The TSplus Remote Access solution comes with an embedded web server to
allow remote users to connect easily.
However, insecure file and folder permissions are set, and this could
allow a malicious user to manipulate file content (e.g. changing the
code of HTML pages or JS scripts) or replace legitimate files (e.g.
Setup-VirtualPrinter-Client.exe) in order to compromise a system or to
gain elevated privileges.
This is the list of insecure files and folders with their respective
permissions (folders carry Everyone:(OI)(CI)(F), files carry Everyone:(F)):
Permission: Everyone:(OI)(CI)(F)
C:\Program Files (x86)\TSplus\Clients\www
C:\Program Files (x86)\TSplus\Clients\www\addons
C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
C:\Program Files (x86)\TSplus\Clients\www\downloads
C:\Program Files (x86)\TSplus\Clients\www\prints
C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
C:\Program Files (x86)\TSplus\Clients\www\software
C:\Program Files (x86)\TSplus\Clients\www\var
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp
C:\Program Files (x86)\TSplus\Clients\www\downloads\shared
C:\Program Files (x86)\TSplus\Clients\www\software\java
C:\Program Files (x86)\TSplus\Clients\www\software\js
C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres
C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales
C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu
C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts
C:\Program Files (x86)\TSplus\Clients\www\software\java\img
C:\Program Files (x86)\TSplus\Clients\www\software\java\third
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images\bramus
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js\prototype
C:\Program Files (x86)\TSplus\Clients\www\var\log
C:\Program Files (x86)\TSplus\UserDesktop\themes
C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar
C:\Program Files (x86)\TSplus\UserDesktop\themes\Default
C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar
C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon
C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop
C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless
C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient
C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista
------------------------------------------------------------------------------
Permission: Everyone:(F)
C:\Program Files (x86)\TSplus\Clients\www\all.min.css
C:\Program Files (x86)\TSplus\Clients\www\custom.css
C:\Program Files (x86)\TSplus\Clients\www\popins.css
C:\Program Files (x86)\TSplus\Clients\www\robots.txt
C:\Program Files (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
C:\Program Files (x86)\TSplus\Clients\www\software\common.css
C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar
C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar
C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\exitlist.html
C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\exitupload.html
C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\getlist.html
C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\getupload.html
C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\postupload.html
C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\uploaderr.html
C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html
C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js
C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js
C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js

TSplus 16.0.2.14: Critical Security Flaw in Remote Access File Permissions
TSplus, a popular alternative to Citrix and Microsoft Remote Desktop Services (RDS), enables organizations to securely deliver legacy applications and centralized corporate tools via a web-based interface. While its ease of deployment and scalability make it attractive for SaaS and remote work environments, a critical vulnerability discovered in version 16.0.2.14 exposes a significant security risk: insecure file and folder permissions.
Identified by Carlo Di Dato of Deloitte Risk Advisory Italia and assigned CVE-2023-31067, this flaw allows unauthenticated or low-privileged users to manipulate sensitive files of the installation, potentially leading to code injection, privilege escalation, or full system compromise.
Root Cause: Overly Permissive File System Permissions
The core issue lies in the default file and folder permissions set within the TSplus installation directory. Specifically, the following directories and their subdirectories grant the Everyone group full control (read, write, delete and change permissions):
- C:\Program Files (x86)\TSplus\Clients\www
- C:\Program Files (x86)\TSplus\Clients\www\addons
- C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
- C:\Program Files (x86)\TSplus\Clients\www\downloads
- C:\Program Files (x86)\TSplus\Clients\www\prints
- C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
- C:\Program Files (x86)\TSplus\Clients\www\software
- C:\Program Files (x86)\TSplus\Clients\www\var
- C:\Program Files (x86)\TSplus\UserDesktop\themes
These permissions are defined as:
Everyone:(OI)(CI)(F)
Here’s what this access control entry means:
- OI = Object Inherit: the entry is inherited by files created in the folder.
- CI = Container Inherit: the entry is inherited by subfolders.
- F = Full access: read, write, execute, delete and change permissions.
The individual files listed in the advisory carry the plain Everyone:(F) entry, i.e. full access without inheritance flags.
Essentially, any user, authenticated or not, can modify, delete, or replace files in these directories. This is a severe violation of the principle of least privilege and opens the door to multiple attack vectors.
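An audit for the ACE patterns above, added here as an example (it is not part of the advisory or of TSplus): it parses saved icacls output for a list of audited paths and reports broad principals that hold write-capable allow entries. The icacls text is constructed to mirror the advisory's findings, and the audited path list is an assumption.

```python
import re
from typing import Dict, Iterator, List, Tuple
# Rights that let the holder change content (full, modify, write, delete, specific bits).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC"}
# Principals that every local account, or every authenticated account, belongs to.
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Constructed icacls output mirroring the advisory's findings (not a real capture).
ICACLS_SAMPLE = r"""C:\Program Files (x86)\TSplus\Clients\www Everyone:(OI)(CI)(F)
                                          BUILTIN\Administrators:(I)(OI)(CI)(F)
                                          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)

C:\Program Files (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe Everyone:(F)
                                          NT AUTHORITY\SYSTEM:(I)(F)

C:\Program Files (x86)\TSplus\Clients\www\var\log NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                          BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 3 files; Failed processing 0 files
"""
WATCHED = [r"C:\Program Files (x86)\TSplus\Clients\www",
           r"C:\Program Files (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe",
           r"C:\Program Files (x86)\TSplus\Clients\www\var\log"]

def parse_icacls(text: str, watched: List[str]) -> Iterator[Tuple[str, str, List[str]]]:
    """Yield (path, identity, tokens) per ACE. icacls prints the path and first ACE on
    one line and further ACEs indented below it; matching the line against the
    audited paths avoids mis-splitting paths and identities that contain spaces."""
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw[0].isspace():  # new object: "<path> <first ACE>"
            path = next((p for p in watched if raw.startswith(p + " ")), None)
        if path is None:
            continue  # an object we are not auditing
        ace = raw[len(path) + 1:].strip() if not raw[0].isspace() else line
        identity, _, flags = ace.partition(":")
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", flags) for t in grp.split(",")]
        yield path, identity, tokens

def find_weak_aces(text: str, watched: List[str]) -> Dict[str, List[str]]:
    """Map each audited path to broad principals holding a write-capable allow ACE."""
    findings: Dict[str, List[str]] = {}
    for path, identity, tokens in parse_icacls(text, watched):
        rights = set(tokens) - INHERITANCE_FLAGS
        if identity in BROAD_PRINCIPALS and "DENY" not in tokens and rights & WRITE_RIGHTS:
            findings.setdefault(path, []).append(identity)
    return findings
```

On the sample, the www folder and the installer are flagged for Everyone, while var\log, where only SYSTEM can write, is not.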
Exploitation Scenarios and Real-World Impact
Attackers can exploit this vulnerability in several ways:
1. Web-Based Code Injection
By modifying HTML or JavaScript files in Clients\www\software\html5 or Clients\www\cgi-bin\remoteapp, an attacker can inject malicious scripts that execute in the user’s browser when accessing remote applications. This could lead to:
- Session hijacking
- Cross-site scripting (XSS)
- Phishing payloads
- Stealing credentials via JavaScript-based keyloggers
For example, an attacker could replace a legitimate login.js file with a malicious version that logs user credentials and sends them to an external server.
2. Malicious Client Executable Replacement
One of the most dangerous attack vectors involves replacing the Setup-VirtualPrinter-Client.exe file in the addons directory (listed above with Everyone:(F)).
Since this executable is downloaded and executed by users during remote access setup, a malicious version could:
- Install persistent backdoors
- Execute arbitrary commands
- Disable security software
- Establish reverse shells
A digital signature on the original file does not help by itself: once the file has been replaced on the server, only a client that verifies the signature before execution would notice, and the server performs no integrity check of its own on the content it serves.
3. Theme and UI Manipulation
By altering files in UserDesktop\themes, attackers can:
- Modify login screens to mimic legitimate corporate portals
- Inject hidden commands into theme scripts
- Alter UI behavior to redirect users to malicious URLs
These changes can be undetectable to users, enabling long-term phishing or social engineering attacks.
Technical Analysis: Why This is a Critical Vulnerability
The embedded web server in TSplus acts as a direct interface between users and the internal application delivery system. Because the web content is served from a directory with unrestricted permissions, the server becomes a vector for file manipulation.
Unlike traditional web servers that rely on secure file paths and access controls, TSplus fails to enforce file integrity checks. This means:
- No file hashing or integrity verification during runtime
- Unrestricted write access to critical assets
- Failure to detect unauthorized changes
As a result, an attacker with minimal access, such as a guest user or a compromised low-privileged account, can effectively "own" the system’s web interface and deliver malicious payloads.
Remediation and Mitigation Strategies
Organizations using TSplus 16.0.2.14 or earlier must act immediately. The following steps are recommended:
- Update to a patched version (if available). Vendor updates should include stricter access controls.
- Restrict file permissions to only authorized users (e.g., Administrators, System, or Service accounts).
- Implement file integrity monitoring using tools like Windows Defender Application Control or File Integrity Monitoring (FIM) solutions.
- Disable public write access to all web content directories.
- Use digital signatures for executables and scripts, and validate them before execution.
- Monitor logs in var\log for unauthorized file modifications.
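The "no file hashing or integrity verification" gap noted above can be closed outside the product. As an added example that is not TSplus's own tooling, this Python script baselines SHA-256 digests of a web content tree and reports what changed; the directory and files are constructed in a temporary folder to stand in for Clients\www.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

def hash_tree(root: str) -> Dict[str, str]:
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every file as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def demo() -> Dict[str, List[str]]:
    """Run the check on a constructed temporary copy of a www tree: take the
    baseline, then simulate the installer being replaced and a script added."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "addons"))
        os.makedirs(os.path.join(root, "software", "js"))
        files = {"index.html": b"<html>login</html>",
                 os.path.join("addons", "Setup-VirtualPrinter-Client.exe"): b"MZ original",
                 os.path.join("software", "js", "jquery.min.js"): b"/* jquery */"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = hash_tree(root)  # taken right after a trusted install
        with open(os.path.join(root, "addons", "Setup-VirtualPrinter-Client.exe"), "wb") as fh:
            fh.write(b"MZ replaced")  # simulated unauthorised replacement
        with open(os.path.join(root, "software", "js", "extra.js"), "wb") as fh:
            fh.write(b"/* unexpected new file */")
        return diff_baseline(baseline, hash_tree(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be stored off-host (or signed) and the comparison scheduled, so that a replaced installer or an injected script is reported before users download it.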
Corrected Permissions Example
Below is a corrected permission configuration using PowerShell:
# Set restrictive permissions for TSplus web directories
$Path = "C:\Program Files (x86)\TSplus\Clients\www"
$Acl = Get-Acl $Path
# Remove every explicit ACE granted to Everyone before adding the restrictive ones
$Acl.Access | Where-Object { $_.IdentityReference.Value -eq "Everyone" } |
    ForEach-Object { [void]$Acl.RemoveAccessRule($_) }
# FileSystemAccessRule takes identity, rights, inheritance flags, propagation flags, type
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Rule)
$SystemRule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($SystemRule)
Set-Acl $Path $Acl
This script strips the explicit Everyone entries and grants full control only to the Administrators group and SYSTEM. The subfolders and files listed in the advisory carry their own Everyone entries, so the same steps must be applied to each of them (or run recursively over the tree), not only to the top-level www folder.
Conclusion: A Wake-Up Call for Remote Access Security
TSplus 16.0.2.14’s insecure file permissions serve as a stark reminder: even well-designed remote access platforms can become attack vectors if basic security hygiene is neglected. The flaw underscores the importance of:
- Regular security audits of file system permissions
- Enforcing least privilege across all components
- Implementing continuous monitoring and integrity checks
Organizations should not rely solely on vendor assurances. Proactive security measures, such as file integrity monitoring and access control enforcement, are essential to prevent exploitation of vulnerabilities like CVE-2023-31067.