Splashtop Security Hole Exposed
At least some versions of Splashtop are not as safe as they want to be, especially when only the HD install variant was used. In case of affected versions like 188.8.131.52 you can access all USB media and the Windows partition used to install Splashtop completely! To verify if your version is affected try:
There you can access - without any mod - all files via
For fun, you can even find a music.mp3 file there.
If your system is directly connected to the internet (maybe using DSL dial-in within Splashtop or via cable modem), everyone else can enjoy the content of your HD!
Btw. newer Splashtop versions only block the webserver listing, but when you know the name, you can still access the data when you know the deep link. Luckily they blocked access from outside then - at least 184.108.40.206 fixes it. But it is still possible to acquire the registry or other system files and save them onto a USB stick without any mod. That means you can access user data like serials and other data which is stored there. Very nice feature to have Splashtop available to hack PCs without the need of any bootable media.
The affected package is bs-apache.sqx.
Edit: I would like to know from a Splashtop developer (maybe via the blog) why the winhdd link is there (take a look into va-photo.sqx) when it is not used by any app. Only this makes a big issue from that error. You are able to view/save files which you cannot even access when Win is booted - like the registry.
Last edited by Kano; 08-09-2008 at 07:21 AM.
That's true of any unencrypted PC running any Linux boot disk -- if someone has physical access to the computer, all bets are off. Or is this possible over the network even with the new version of SplashTop that is supposed to close the port?
Originally Posted by Kano
Well, directly you cannot access it via network with 220.127.116.11, but the browser used is not up to date, so expect security risks there too. You are of course right that any running Linux system can access the data too, but when the marketing wants to tell you that you are safe when you are using it, and then apache runs just to be used by a very simple photo viewer app, then something went really wrong. The problem is a combination of 2 errors. The first was basically fixed in a newer va-apache package - the access from outside. But the 2nd was not changed: the winhdd symlink in the va-photo package. Without it, it would have been impossible to access data from Win via apache (just USB data, which I would call random in most cases, maybe some index files for media players when you also know the volume label). The claim was that Win data was not accessible at all via the installed apps - when you add xterm you can access everything.
Nice find Kano. Needless to say I haven't been using splashtop/expressgate since I tested this out on my machine and have access to my entire Windows directory structure from any computer on my LAN. Can you tell us how to fix the problem? What file do I need to unsquash and modify?
Basically you can use a newer version of bs-apache.sqx - 18.104.22.168 blocks LAN access. Also you can modify the va-photo.sqx and remove this symlink.
If you don't need the viewer, remove it. Don't forget the version file hack.
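The symlink check suggested above can be scripted once a package has been unpacked to a directory. This is an added example, not part of the original thread and not Splashtop's own tooling; the function names and the sample tree (including the `/mnt/winhdd` target) are constructed for illustration.

```sh
# Added example (not from the thread): list symlinks in an unpacked package
# tree that lead outside it, like the winhdd link discussed above.
# Assumes readlink supports -f (GNU coreutils, BusyBox) and that file names
# contain no newlines.
find_escaping_symlinks() (
    root=$(cd -- "$1" && pwd -P) || exit 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) # Absolute target: resolved against the booted system's root,
                # so it always leaves the package.
                printf '%s -> %s\n' "${link#"$root"/}" "$target"
                continue ;;
        esac
        # Relative target: canonicalize it. An empty result means it could not
        # be resolved here; it is reported for manual review.
        resolved=$(readlink -f "$link" 2>/dev/null) || resolved=''
        case $resolved in
            "$root" | "$root"/*) ;;   # stays inside the package tree
            *) printf '%s -> %s\n' "${link#"$root"/}" "$target" ;;
        esac
    done
)

# Constructed sample tree (all paths are made up for the demonstration).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/pkg/htdocs/photos" "$d/usb"
    : > "$d/pkg/htdocs/photos/a.jpg"
    ln -s photos/a.jpg "$d/pkg/htdocs/latest"   # stays inside
    ln -s /mnt/winhdd  "$d/pkg/htdocs/winhdd"   # absolute, escapes
    ln -s ../../usb    "$d/pkg/htdocs/usb"      # relative, escapes
    printf '%s\n' "$d/pkg"
}
# Usage: find_escaping_symlinks "$(make_sample_tree)"
```

Each reported line is a link that a web server following symlinks would serve from outside its document root; an empty result means every link stays inside the tree.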
Thanks for the reminder about the version hack (I wouldn't have done that if you didn't mention it). Deleting the va-photo.sqx worked perfectly, thanks a bunch.
I just found out that my Asus G50v has a corrupt OS. I can still access Splashtop though. I am going to have to reformat my HD and was wondering if there is any way that I could back up my files using Splashtop. Please help...
With an unmodified Splashtop you cannot access much of your data inside it, but when the version is really old, then check your internal IP:8080 in your LAN. The network dialog should show your IP.
Just use any recent Linux live CD, that should give you access to your data.