exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SingleClick Connect CSRF / XSS / SQL Injection

SingleClick Connect CSRF / XSS / SQL Injection
Posted Sep 15, 2014
Authored by Rob Fuller

SingleClick Connect installs a vulnerable web application, unpassworded MySQL instance, and handles set up of VNC poorly amongst various other issues.

tags | advisory, web
SHA-256 | e3202fce8e302bd9f029650fbff05b5533d1086d2690e0533030aa3c37fd383d

SingleClick Connect CSRF / XSS / SQL Injection

Change Mirror Download
I was helping out a family member with their computer when it came up
that they "already had remote help software" (SingleClickConnect or
SCC), when I asked what this was, the family member said it was
installed by Dell Support when trying to fix their issue. This was in
2008. I removed it, and helped to fix the issue.

In 2010 another issue arose on the new computer (Dell again) of the
same family member. Again, calling support first they had installed
this software.

Disclaimer: I can not say for certain that it was Dell's support rep,
or even that it was them that installed it, but if Dell is using this
as a means of support they should probably cease for the following

Apache (port 40080) listening, MySQL (port 17771) listening, PHP, and UltraVNC (5900) are installed as a part of the
software package.


Without decoding the ionCube "copyright protecting" software a large
number of XSS, CSRF, and SQLi vulnerabilities were found, all
unauthenticated to the web app that runs there.

No specifics are being posted on these vulnerabilities as I assume the
site on the net (company's site), where a registered user would log in
are the same as the ones locally hosted (at least the app looks the
same and has similar page structure)


MySQL's root password is blank and there are two other default
accounts as well allowing easy privilege escalation to SYSTEM (via the
SCC local account - see ISSUE #5):

dsl *7E1CA3417E3A159A9188657F44C7034A8E9FDFF2
tera *B2744A6BC5E8B1667BE5AED0111A2B941356E4A4
^ uncracked at this point. For all I know they could be randomized at install



Another service listens on via port 17667 that I haven't been
able to identify, however when you connect to the socket, it starts
listing users, services, printers and interfaces (and that is without
sending any data to it).

$ ncat 17667
AdminSUPPORT_388945a0!aCACAMD PCNET Family PCI Ethernet Adapter -
Packet Scheduler Miniport{47F69AAC-AE9A-40A9-88F5-A246A169CE92}�f�

)�n�����f�f��fDownloadsC:\Documents and Settings\Administrator\My
Documents\DownloadsMicrosoft XPS Document
WriterXPSPortprinter#:2TPVM#:1TPVMACDWindows FirewallMicrosoftCreative
Sound Blaster PCI


When UltraVNC is installed, it uses the same password as the one for
your 'registered' account (just password auth) and listens on
It is easily decrypt-able in UltraVNC.ini that is located in
%ApplicationData% for the user


A local account called "SingleClick Admin" is installed with a static
password and added to the Administrators group. 3 services are also
installed with the SingleClick Admin account as the user it runs

Package d'authentification : NTLM
Utilisateur principal : SingleClick Admin
msv1_0 : lm{ 7a9793d3082ba83b790ce07b3bdf85ea }, ntlm{
2c292724d67fcf310d1c4dd153467be8 }
kerberos : ~!3no1972!~
ssp :
wdigest : ~!3no1972!~

8. Name : _SC_Apache2.2
8. Service : .\SingleClick Admin
8. Current : ~!3no1972!~

9. Name : _SC_dsl-fs-sync
9. Service : .\SingleClick Admin
9. Current : ~!3no1972!~
9. Old : ~!3no1972!~

10. Name : _SC_hnmsvc
10. Service : .\SingleClick Admin
10. Current : ~!3no1972!~



As far as I can tell the software continuously scans you local network
for other computers and file system for changes and reports these back
to the central server so that when you login to their service you can
see your files and connect to other systems in the LAN of the machine
SingleClickConnect is installed on.


The user account password that you use to register and connect
remotely is stored in the database. This actually looks decently done,
or I just haven't been able to identify the storage

Database: p2p
Table: config_info
Value: “user_hash”


Not sure what this registry key contains other than being named
Cred4RA and assuming it’s credentials for the remote administration.
Hopefully encrypted some how.

[HKEY_LOCAL_MACHINE\SOFTWARE\SingleClick Systems\Advanced Networking
Service\Settings\Remote Access]
"Cred4RA"=hex:01,00,00 (snip snip)

Software original site: http://www.singleclickconnect.com/
Current site: http://www.vivedriveconnect.com/
Direct download of software (for home use):

Vendor Contact:
Email sent in 2010 July about issues 1 - 5
No reply, and forgot about until 2013 when the software was
mentioned by a friend (if I had ever heard of it)
2013 April - Email sent again, forwarding original, bounced back as
account unknown
2014 August - Accidentally found notes while searching for
something else, attempted to relocate the software via Archive.org
with the feeling that the site had gone away and happened upon the new
site,, downloaded software, confirmed issues, and forwarded the email
to the new point of contact at the new domain. No response.
2014 September, Full disclosure.

Dell... If your techs do actually use this software for support (I
hope not) in any form or fashion, you are putting each one of them at
a pretty high risk.

Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org

Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    5 Files
  • 29
    Sep 29th
    12 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By