Splashtop Security Hole Exposed

  • Splashtop Security Hole Exposed

    At least some versions of Splashtop are not as safe as they want to be, especially when only the HD install variant was used. In case of affected versions like 1.2.3.1 you can access all USB media and the Windows partition used to install Splashtop completely! To verify whether your version is affected, try:

    http://127.0.0.1:1080

    There you can access - without any mod - all files via

    http://127.0.0.1:1080/links

    For fun, you can even find a music.mp3 file there:

    http://127.0.0.1:1080/music.mp3

    If your system is directly connected to the internet (maybe using DSL dial-in within Splashtop or via cable modem), all others can enjoy the content of your HD!

    Btw, newer Splashtop versions only block the webserver listing, but when you know the name, you can still access the data when you know the deep link. Luckily they blocked access from outside then - at least 1.2.8.0 fixes it. But it is still possible to acquire the registry or other system files and save them onto a USB stick without any mod. That means you can access user data like serials and other data which is stored there. Very nice feature to have Splashtop available to hack PCs without the need of any bootable media.

    Like:

    http://127.0.0.1:1080/links/winhdd/disk1/splash.idx

    http://127.0.0.1:1080/links/winhdd/disk1/boot.ini

    The affected package is bs-apache.sqx.

    Edit: I would like to know from a Splashtop developer (maybe via the blog), why the winhdd link is there (take a look into va-photo.sqx) when it is not used by any app. Only this makes a big issue from that error. You are able to view/save files which you can not even access when Win is booted - like the registry.
    Last edited by Kano; 08-09-2008, 06:21 AM.

  • #2
    Originally posted by Kano View Post
    You are able to view/save files which you can not even access when Win is booted - like the registry.
    That's true of any unencrypted PC running any Linux boot disk -- if someone has physical access to the computer, all bets are off. Or is this possible over the network even with the new version of SplashTop that is supposed to close the port?


    • #3
      Well, directly you cannot access it via network with 1.2.8.0, but the browser used is not up to date, so expect security risks there too. You are of course right that any running Linux system can access the data too, but when the marketing wants to tell you that you are safe when you are using it, and then apache runs just to be used by a very simple photo viewer app, then something went really wrong. The problem is a combination of 2 errors. The first was basically fixed in a newer va-apache package - the access from outside. But the 2nd was not changed: the winhdd symlink in the va-photo package. Without it, it would have been impossible to access data from Win via apache (just USB data, which I would call random in most cases, maybe some index files for media players when you also know the volume label). The claim was that Win data was not accessible at all via the installed apps - when you add xterm you can access everything.


      • #4
        Nice find, Kano. Needless to say, I haven't been using Splashtop/Express Gate since I tested this out on my machine and had access to my entire Windows directory structure from any computer on my LAN. Can you tell us how to fix the problem? What file do I need to unsquash and modify?

        Regards


        • #5
          Basically you can use a newer version of bs-apache.sqx - 1.2.8.0 blocks LAN access. Also you can modify the va-photo.sqx and remove this symlink:

          var/www/links/winhdd

          If you don't need the viewer remove it. Don't forget the version file hack.

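The check described in post #5, as an added example that is not code from the thread or from Splashtop: after unpacking a package such as va-photo.sqx, list every symlink under the web root that resolves outside it, the way var/www/links/winhdd does. The unpack directory, the /mnt/winhdd link target and the function names are assumptions made for illustration; GNU coreutils (realpath -m) is required.

```shell
#!/bin/sh
# Added example: audit an unpacked package tree for web-root symlinks that
# resolve outside the web root. Requires GNU coreutils (realpath -m).

# audit_webroot IMAGE_ROOT WEBROOT   (WEBROOT is relative, e.g. var/www)
# Prints "link -> target" per escaping symlink; returns 1 if any were found.
audit_webroot() {
    image_root=$(realpath -m -- "$1")
    webroot=$(realpath -m -- "$image_root/$2")
    found=0
    # Collect first so the loop runs in this shell, not a pipeline subshell.
    list=$(find "$webroot" -type l)
    old_ifs=$IFS
    IFS='
'
    for link in $list; do
        target=$(readlink -- "$link")
        case "$target" in
            # An absolute target is relative to the image's own root.
            /*) candidate="$image_root$target" ;;
            *)  candidate="$(dirname -- "$link")/$target" ;;
        esac
        resolved=$(realpath -m -- "$candidate")
        case "$resolved/" in
            "$webroot"/*) ;;   # stays inside the web root
            *) printf '%s -> %s\n' "${link#"$image_root"/}" "$target"
               found=1 ;;
        esac
    done
    IFS=$old_ifs
    return "$found"
}

# Constructed sample tree standing in for an unpacked package.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/var/www/links"
    : > "$d/var/www/index.html"
    ln -s /mnt/winhdd "$d/var/www/links/winhdd"   # assumed target, escapes
    ln -s ../index.html "$d/var/www/links/home"   # stays inside
    echo "$d"
}

sample=$(make_sample_tree)
audit_webroot "$sample" var/www || echo "escaping symlinks found"
rm -rf "$sample"
```

Run it against the unpacked tree before repacking; a non-zero return means a link still leads out of the web root.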


          • #6
            Thanks for the reminder about the version hack (I wouldn't have done that if you didn't mention it). Deleting the va-photo.sqx worked perfectly, thanks a bunch.


            • #7
              Crash

              I just found out that my Asus G50v has a corrupt OS. I can still access Splashtop though. I am going to have to reformat my HD and was wondering if there is any way that I could back up my files using Splashtop. Please help...


              • #8
                With an unmodified splashtop you can not access much of your data inside it, but when the version is really old, then check your internal ip:8080 in your LAN. The network dialog should show your ip.


                • #9
                  Originally posted by Kano View Post
                  With an unmodified splashtop you can not access much of your data inside it, but when the version is really old, then check your internal ip:8080 in your LAN. The network dialog should show your ip.
                  Then what? Sorry... I'm not super computer literate. I like to say that I am... but it has its limitations.


                  • #10
                    Just use any recent Linux live cd, that should give you access to your data.


                    • #11
                      Should I already have this? And if not, where can I get one?


                      • #12
                        Hi:

                        I want to buy the newest Asus nj10 because of the Express Gate function.

                        Does it still have the security hole?

                        I intend to do internet banking from Splashtop; will my password then be seen by other people?
                        I used to use a Fedora Linux CD, but since it needs a longer waiting time, I consider Express Gate can be a better option.

                        Is there any other way to help me hack it and make it secure for online banking? I cannot afford a hardware firewall!

                        Thanks


                        • #13
                          Well, you should update to the latest Splashtop then. Then the apache is more restricted. When https is used and you do not have to accept a new certificate, it is in most cases secure. If you need Java, a pure Splashtop will not fit your need. Well, I created a Java addon.


                          • #14
                            Originally posted by Kano View Post
                            Well, you should update to the latest Splashtop then. Then the apache is more restricted. When https is used and you do not have to accept a new certificate, it is in most cases secure. If you need Java, a pure Splashtop will not fit your need. Well, I created a Java addon.
                            Hello:

                            Well, I forgot Java may be a problem. Could you post the instructions on how to make it? Very grateful! Thanks.

                            One post shows it is writable because the user file will be saved; it seems slightly more insecure than a read-only Linux live CD, which I solely depend on using for banking security.


                            • #15
                              Well of course you can use a Linux live cd, Kanotix has for example Java preinstalled - could be started from hd or usb stick too btw.
