quentin's blog

Remote Command Execution on RemotePC for Windows

During an audit we executed in 2019, we had to test a deployment where a third-party company had to remotely connect to special purpose computers to perform maintenance. At the time, they had chosen a software called RemotePC to remotely log in to these special purpose computers rather than relying on RDP. RemotePC is remote desktop software that lets a support agent remotely connect to a computer and take control of keyboard, mouse, and screen. It's quite similar to TeamViewer.

Transport security fell into the scope of this specific audit, so we covered all communication channels established by RemotePC clients. It turns out the RemotePC Windows client does not properly validate SSL certificates, allowing a man-in-the-middle attacker to:

  • capture credentials when a user logs in with a RemotePC account
  • observe the remotely accessed desktop and inject keystrokes and mouse events
  • hijack the auto-update mechanism in order to get the RemotePC client to execute an arbitrary executable, leading to remote command execution

All versions prior to 7.6.26-28/04/20 are vulnerable. We strongly recommend anyone using RemotePC to update to the latest version available at https://www.remotepc.com/download.htm

Office 365 User Enumeration Reloaded

During a recent engagement, we tried to enumerate email accounts by abusing a previously reported user enumeration issue affecting Office 365, but found out that it no longer works.

In the past, sending authentication requests to ActiveSync with the Basic HTTP authentication mechanism would return different status codes, disclosing the user's existence. A 404 meant the user did not exist; a 401 meant the user existed. We don't know exactly when Microsoft released that specific update, but it now returns a 401 whether the user exists or not.

We therefore had to find another way. By looking at HTTP responses from ActiveSync, we've identified that it still leaks information about the user's existence: whenever the HTTP response header X-MailboxGuid is set, the user exists.

We packed everything into a Python3 script that reads usernames from a text file and outputs the users and their validity as CSV. You can find it at https://github.com/gremwell/o365enum. It also includes a user enumeration technique based on the Office.com login page.

Man-in-the-Conference-Room - Part II (Hardware Hacking)

In this post I'll describe how I used hardware hacking techniques to get more information about the device and dump its internal storage. If you missed the introductory post, you can find it here: Man-in-the-conference room - Part I (Introduction). Let's start right away!

If we remove the two enclosure screws and open it up, we immediately identify two pinout slots:

Man-in-the-Conference-Room

Back in 2017 a small device appeared on my desk: a wireless presentation device that one of our customers wanted to deploy on its premises, but not before we had audited it.

The idea behind those devices is pretty simple: instead of running from meeting to meeting with HDMI and VGA cables in your pockets, just leave a device connected to a presentation screen at all times and let presenters connect to the device using a client application on their laptop or smartphone. These presentation devices are usually deployed in large companies or universities and cost between $800 and around $1800, depending on the features they offer.

The device in question was an Airmedia AM-101, and in this blog series I'll describe the complete process I followed to test it. Hopefully this can be used as some kind of cheat sheet for folks starting in the field.
