I was helping out a family member with their computer when it came up that they "already had remote help software" (SingleClickConnect or SCC), when I asked what this was, the family member said it was installed by Dell Support when trying to fix their issue. This was in 2008. I removed it, and helped to fix the issue. In 2010 another issue arose on the new computer (Dell again) of the same family member. Again, calling support first they had installed this software. Disclaimer: I can not say for certain that it was Dell's support rep, or even that it was them that installed it, but if Dell is using this as a means of support they should probably cease for the following reasons: Apache (port 40080) listening 0.0.0.0, MySQL (port 17771) listening 127.0.0.1, PHP, and UltraVNC (5900) are installed as a part of the software package. ========= ISSUE #1 Without decoding the ionCube "copyright protecting" software a large number of XSS, CSRF, and SQLi vulnerabilities were found, all unauthenticated to the web app that runs there. No specifics are being posted on these vulnerabilities as I assume the site on the net (company's site), where a registered user would log in are the same as the ones locally hosted (at least the app looks the same and has similar page structure) ========= ========= ISSUE #2 MySQL's root password is blank and there are two other default accounts as well allowing easy privilege escalation to SYSTEM (via the SCC local account - see ISSUE #5): dsl *7E1CA3417E3A159A9188657F44C7034A8E9FDFF2 tera *B2744A6BC5E8B1667BE5AED0111A2B941356E4A4 ^ uncracked at this point. For all I know they could be randomized at install ========= ========= ISSUE #3 Another service listens on 0.0.0.0 via port 17667 that I haven't been able to identify, however when you connect to the socket, it starts listing users, services, printers and interfaces (and that is without sending any data to it). $ ncat 172.16.102.149 17667 8�TXPBASELINEXP_BASEP�RAdministratorGuestHelpAssistantSingleClick AdminSUPPORT_388945a0!aCACAMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport{47F69AAC-AE9A-40A9-88F5-A246A169CE92}�f� )�n�����f�f��fDownloadsC:\Documents and Settings\Administrator\My Documents\DownloadsMicrosoft XPS Document WriterXPSPortprinter#:2TPVM#:1TPVMACDWindows FirewallMicrosoftCreative Sound Blaster PCI ========= ========= ISSUE #4 When UltraVNC is installed, it uses the same password as the one for your 'registered' account (just password auth) and listens on 0.0.0.0. It is easily decrypt-able in UltraVNC.ini that is located in %ApplicationData% for the user ========= ========= ISSUE #5 A local account called "SingleClick Admin" is installed with a static password and added to the Administrators group. 3 services are also installed with the SingleClick Admin account as the user it runs under: Package d'authentification : NTLM Utilisateur principal : SingleClick Admin msv1_0 : lm{ 7a9793d3082ba83b790ce07b3bdf85ea }, ntlm{ 2c292724d67fcf310d1c4dd153467be8 } kerberos : ~!3no1972!~ ssp : wdigest : ~!3no1972!~ 8. Name : _SC_Apache2.2 8. Service : .\SingleClick Admin 8. Current : ~!3no1972!~ 9. Name : _SC_dsl-fs-sync 9. Service : .\SingleClick Admin 9. Current : ~!3no1972!~ 9. Old : ~!3no1972!~ 10. Name : _SC_hnmsvc 10. Service : .\SingleClick Admin 10. Current : ~!3no1972!~ ========= ========= CONCERN #1 As far as I can tell the software continuously scans you local network for other computers and file system for changes and reports these back to the central server so that when you login to their service you can see your files and connect to other systems in the LAN of the machine SingleClickConnect is installed on. ========= ========= CONCERN #2 The user account password that you use to register and connect remotely is stored in the database. This actually looks decently done, or I just haven't been able to identify the storage Database: p2p Table: config_info Value: “user_hash” ========= ========= CONCERN #3 Not sure what this registry key contains other than being named Cred4RA and assuming it’s credentials for the remote administration. Hopefully encrypted some how. [HKEY_LOCAL_MACHINE\SOFTWARE\SingleClick Systems\Advanced Networking Service\Settings\Remote Access] "ConfigState"=dword:00000001 "Cred4RA"=hex:01,00,00 (snip snip) ========= Software original site: http://www.singleclickconnect.com/ Current site: http://www.vivedriveconnect.com/ Direct download of software (for home use): http://downloads.vivedriveconnect.com/scc_setup.exe Vendor Contact: Email sent in 2010 July about issues 1 - 5 No reply, and forgot about until 2013 when the software was mentioned by a friend (if I had ever heard of it) 2013 April - Email sent again, forwarding original, bounced back as account unknown 2014 August - Accidentally found notes while searching for something else, attempted to relocate the software via Archive.org with the feeling that the site had gone away and happened upon the new site,, downloaded software, confirmed issues, and forwarded the email to the new point of contact at the new domain. No response. 2014 September, Full disclosure. Dell... If your techs do actually use this software for support (I hope not) in any form or fashion, you are putting each one of them at a pretty high risk. -- Rob Fuller | Mubix Certified Checkbox Unchecker Room362.com | Hak5.org