[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAP-=ew2M4up0OjX-NhecoOdFEqV_OzsSMXcAGRY35QR=1eMBCA@mail.gmail.com>
Date: Mon, 15 Sep 2014 14:53:51 -0400
From: Rob Fuller <mubix@...m362.com>
To: fulldisclosure@...lists.org
Subject: [FD] SingleClick Connect
I was helping out a family member with their computer when it came up
that they "already had remote help software" (SingleClickConnect or
SCC), when I asked what this was, the family member said it was
installed by Dell Support when trying to fix their issue. This was in
2008. I removed it, and helped to fix the issue.
In 2010 another issue arose on the new computer (Dell again) of the
same family member. Again, calling support first they had installed
this software.
Disclaimer: I can not say for certain that it was Dell's support rep,
or even that it was them that installed it, but if Dell is using this
as a means of support they should probably cease for the following
reasons:
Apache (port 40080) listening 0.0.0.0, MySQL (port 17771) listening
127.0.0.1, PHP, and UltraVNC (5900) are installed as a part of the
software package.
=========
ISSUE #1
Without decoding the ionCube "copyright protecting" software a large
number of XSS, CSRF, and SQLi vulnerabilities were found, all
unauthenticated to the web app that runs there.
No specifics are being posted on these vulnerabilities as I assume the
site on the net (company's site), where a registered user would log in
are the same as the ones locally hosted (at least the app looks the
same and has similar page structure)
=========
=========
ISSUE #2
MySQL's root password is blank and there are two other default
accounts as well allowing easy privilege escalation to SYSTEM (via the
SCC local account - see ISSUE #5):
dsl *7E1CA3417E3A159A9188657F44C7034A8E9FDFF2
tera *B2744A6BC5E8B1667BE5AED0111A2B941356E4A4
^ uncracked at this point. For all I know they could be randomized at install
=========
=========
ISSUE #3
Another service listens on 0.0.0.0 via port 17667 that I haven't been
able to identify, however when you connect to the socket, it starts
listing users, services, printers and interfaces (and that is without
sending any data to it).
$ ncat 172.16.102.149 17667
8�TXPBASELINEXP_BASEP�RAdministratorGuestHelpAssistantSingleClick
AdminSUPPORT_388945a0!aCACAMD PCNET Family PCI Ethernet Adapter -
Packet Scheduler Miniport{47F69AAC-AE9A-40A9-88F5-A246A169CE92}�f�
)�n�����f�f��fDownloadsC:\Documents and Settings\Administrator\My
Documents\DownloadsMicrosoft XPS Document
WriterXPSPortprinter#:2TPVM#:1TPVMACDWindows FirewallMicrosoftCreative
Sound Blaster PCI
=========
=========
ISSUE #4
When UltraVNC is installed, it uses the same password as the one for
your 'registered' account (just password auth) and listens on 0.0.0.0.
It is easily decrypt-able in UltraVNC.ini that is located in
%ApplicationData% for the user
=========
=========
ISSUE #5
A local account called "SingleClick Admin" is installed with a static
password and added to the Administrators group. 3 services are also
installed with the SingleClick Admin account as the user it runs
under:
Package d'authentification : NTLM
Utilisateur principal : SingleClick Admin
msv1_0 : lm{ 7a9793d3082ba83b790ce07b3bdf85ea }, ntlm{
2c292724d67fcf310d1c4dd153467be8 }
kerberos : ~!3no1972!~
ssp :
wdigest : ~!3no1972!~
8. Name : _SC_Apache2.2
8. Service : .\SingleClick Admin
8. Current : ~!3no1972!~
9. Name : _SC_dsl-fs-sync
9. Service : .\SingleClick Admin
9. Current : ~!3no1972!~
9. Old : ~!3no1972!~
10. Name : _SC_hnmsvc
10. Service : .\SingleClick Admin
10. Current : ~!3no1972!~
=========
=========
CONCERN #1
As far as I can tell the software continuously scans you local network
for other computers and file system for changes and reports these back
to the central server so that when you login to their service you can
see your files and connect to other systems in the LAN of the machine
SingleClickConnect is installed on.
=========
=========
CONCERN #2
The user account password that you use to register and connect
remotely is stored in the database. This actually looks decently done,
or I just haven't been able to identify the storage
Database: p2p
Table: config_info
Value: “user_hash”
=========
=========
CONCERN #3
Not sure what this registry key contains other than being named
Cred4RA and assuming it’s credentials for the remote administration.
Hopefully encrypted some how.
[HKEY_LOCAL_MACHINE\SOFTWARE\SingleClick Systems\Advanced Networking
Service\Settings\Remote Access]
"ConfigState"=dword:00000001
"Cred4RA"=hex:01,00,00 (snip snip)
=========
Software original site: http://www.singleclickconnect.com/
Current site: http://www.vivedriveconnect.com/
Direct download of software (for home use):
http://downloads.vivedriveconnect.com/scc_setup.exe
Vendor Contact:
Email sent in 2010 July about issues 1 - 5
No reply, and forgot about until 2013 when the software was
mentioned by a friend (if I had ever heard of it)
2013 April - Email sent again, forwarding original, bounced back as
account unknown
2014 August - Accidentally found notes while searching for
something else, attempted to relocate the software via Archive.org
with the feeling that the site had gone away and happened upon the new
site,, downloaded software, confirmed issues, and forwarded the email
to the new point of contact at the new domain. No response.
2014 September, Full disclosure.
Dell... If your techs do actually use this software for support (I
hope not) in any form or fashion, you are putting each one of them at
a pretty high risk.
--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists