what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SingleClick Connect CSRF / XSS / SQL Injection

SingleClick Connect CSRF / XSS / SQL Injection
Posted Sep 15, 2014
Authored by Rob Fuller

SingleClick Connect installs a vulnerable web application, unpassworded MySQL instance, and handles set up of VNC poorly amongst various other issues.

tags | advisory, web
SHA-256 | e3202fce8e302bd9f029650fbff05b5533d1086d2690e0533030aa3c37fd383d

SingleClick Connect CSRF / XSS / SQL Injection

Change Mirror Download
I was helping out a family member with their computer when it came up
that they "already had remote help software" (SingleClickConnect or
SCC), when I asked what this was, the family member said it was
installed by Dell Support when trying to fix their issue. This was in
2008. I removed it, and helped to fix the issue.

In 2010 another issue arose on the new computer (Dell again) of the
same family member. Again, calling support first they had installed
this software.

Disclaimer: I can not say for certain that it was Dell's support rep,
or even that it was them that installed it, but if Dell is using this
as a means of support they should probably cease for the following
reasons:

Apache (port 40080) listening 0.0.0.0, MySQL (port 17771) listening
127.0.0.1, PHP, and UltraVNC (5900) are installed as a part of the
software package.

=========
ISSUE #1

Without decoding the ionCube "copyright protecting" software a large
number of XSS, CSRF, and SQLi vulnerabilities were found, all
unauthenticated to the web app that runs there.

No specifics are being posted on these vulnerabilities as I assume the
site on the net (company's site), where a registered user would log in
are the same as the ones locally hosted (at least the app looks the
same and has similar page structure)
=========


=========
ISSUE #2

MySQL's root password is blank and there are two other default
accounts as well allowing easy privilege escalation to SYSTEM (via the
SCC local account - see ISSUE #5):

dsl *7E1CA3417E3A159A9188657F44C7034A8E9FDFF2
tera *B2744A6BC5E8B1667BE5AED0111A2B941356E4A4
^ uncracked at this point. For all I know they could be randomized at install

=========


=========
ISSUE #3

Another service listens on 0.0.0.0 via port 17667 that I haven't been
able to identify, however when you connect to the socket, it starts
listing users, services, printers and interfaces (and that is without
sending any data to it).

$ ncat 172.16.102.149 17667
8�TXPBASELINEXP_BASEP�RAdministratorGuestHelpAssistantSingleClick
AdminSUPPORT_388945a0!aCACAMD PCNET Family PCI Ethernet Adapter -
Packet Scheduler Miniport{47F69AAC-AE9A-40A9-88F5-A246A169CE92}�f�



)�n�����f�f��fDownloadsC:\Documents and Settings\Administrator\My
Documents\DownloadsMicrosoft XPS Document
WriterXPSPortprinter#:2TPVM#:1TPVMACDWindows FirewallMicrosoftCreative
Sound Blaster PCI
=========


=========
ISSUE #4

When UltraVNC is installed, it uses the same password as the one for
your 'registered' account (just password auth) and listens on 0.0.0.0.
It is easily decrypt-able in UltraVNC.ini that is located in
%ApplicationData% for the user
=========


=========
ISSUE #5

A local account called "SingleClick Admin" is installed with a static
password and added to the Administrators group. 3 services are also
installed with the SingleClick Admin account as the user it runs
under:

Package d'authentification : NTLM
Utilisateur principal : SingleClick Admin
msv1_0 : lm{ 7a9793d3082ba83b790ce07b3bdf85ea }, ntlm{
2c292724d67fcf310d1c4dd153467be8 }
kerberos : ~!3no1972!~
ssp :
wdigest : ~!3no1972!~


8. Name : _SC_Apache2.2
8. Service : .\SingleClick Admin
8. Current : ~!3no1972!~

9. Name : _SC_dsl-fs-sync
9. Service : .\SingleClick Admin
9. Current : ~!3no1972!~
9. Old : ~!3no1972!~

10. Name : _SC_hnmsvc
10. Service : .\SingleClick Admin
10. Current : ~!3no1972!~


=========


=========
CONCERN #1

As far as I can tell the software continuously scans you local network
for other computers and file system for changes and reports these back
to the central server so that when you login to their service you can
see your files and connect to other systems in the LAN of the machine
SingleClickConnect is installed on.
=========


=========
CONCERN #2

The user account password that you use to register and connect
remotely is stored in the database. This actually looks decently done,
or I just haven't been able to identify the storage

Database: p2p
Table: config_info
Value: “user_hash”
=========


=========
CONCERN #3

Not sure what this registry key contains other than being named
Cred4RA and assuming it’s credentials for the remote administration.
Hopefully encrypted some how.

[HKEY_LOCAL_MACHINE\SOFTWARE\SingleClick Systems\Advanced Networking
Service\Settings\Remote Access]
"ConfigState"=dword:00000001
"Cred4RA"=hex:01,00,00 (snip snip)
=========


Software original site: http://www.singleclickconnect.com/
Current site: http://www.vivedriveconnect.com/
Direct download of software (for home use):
http://downloads.vivedriveconnect.com/scc_setup.exe


Vendor Contact:
Email sent in 2010 July about issues 1 - 5
No reply, and forgot about until 2013 when the software was
mentioned by a friend (if I had ever heard of it)
2013 April - Email sent again, forwarding original, bounced back as
account unknown
2014 August - Accidentally found notes while searching for
something else, attempted to relocate the software via Archive.org
with the feeling that the site had gone away and happened upon the new
site,, downloaded software, confirmed issues, and forwarded the email
to the new point of contact at the new domain. No response.
2014 September, Full disclosure.

Dell... If your techs do actually use this software for support (I
hope not) in any form or fashion, you are putting each one of them at
a pretty high risk.

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close