Archive for February, 2011

09
Feb
11

LIGATT’s LocatePC — an update

It would seem my blog saw a spike in traffic over the past 24 hours, as some people on twitter found my review of Ligatt’s LocatePC. It could perhaps be related to this Full Disclosure post about an SQL injection vulnerability in the LocatePC software. Reading that post renewed my interest in analyzing LocatePC, so I thought I’d provide an update to the current status of version 1.05 of Ligatt Security’s software. It’s worth noting that since my last blog post on the matter, Ligatt now also offers an OSX version of LocatePC which I have not looked at.

Note: At no time did I run LocatePC. This examination is based purely on reversing the binaries available on the Ligatt Security website which are free to download.

The biggest change to note between 1.01 and 1.05 is that LocatePC actually connects back to their servers. Interaction between the software and the back-end database is actually occurring now when it wasn’t last June.

Second biggest change: it’s no longer using direct MySQL connections to interact with the database. Good work! I’ll happily take credit for that improvement in the software. Instead of a direct link to the database, it’s now using a web-based API that passes XML messages between client and server. It’s doing this over HTTPS, which should prevent any eavesdroppers from sniffing the traffic it sends.

I think enumeration of an API to be a pretty fun way to spend a couple of hours. Each API request is of the format { procedure, values, types } where “procedure” is a specific stored procedure in the MySQL back-end, “types” is an array of values “string”, “num” or “base64”, and “values” is an array of the data being described by types; the arrays “types” and “values” are the same length.

Comparing this to the old version of LocatePC, it seems that every query that was being done was replaced with an API call. This API is quite easily accessible, as demonstrated by the Full Disclosure post which connects directly to their API server. Most of the calls require some sort of shared secret to insert or retrieve data:

  • Registering a new user requires a license key
  • Registering a new install requires a user and password associated with a license key
  • Checking most information for an existing install requires knowing the 32-character secret (mentioned in the previous post)

However there looks to be a weak link in this chain of secrets. “spSelectProgramLoginByMacs” takes as an argument a string with one or more MAC addresses, and returns the 32-character shared secret used to uniquely identify a LocatePC installation. With the 32-character string, combined with knowledge of the MAC, one can execute any command that the LocatePC software itself could. Oh, and if you don’t have the correct MAC you can always run “spSelectUserMacByProgramLogin” which takes the 32-character identifier and returns the MAC address of the machine.

What this boils down to is the privacy and security of a LocatePC user is protected only by the secrecy of every one of their MAC addresses. And the LocatePC database not being compromised. And the user using unguessable username password combinations. And their registration code not being public. And them trusting the employees of Ligatt Security.

A list of stored procedures used by LocatePC follows. I leave it as an exercise to the reader to find nefarious combinations of functions, because frankly I’m bored of this shitty software.

  • spBackupPassword
  • spConfigCheckLogin
  • spConfigCheckLoginWithPlog
  • spDeleteDirectoryContents
  • spDeleteUserByAllMacs
  • spDeleteWatchedDirectory
  • spDelMacExe
  • spGetPermitKeylogWebcam
  • spInsertCheckinRow
  • spInsertKeylog
  • spInsertMacExe
  • spInsertUser
  • spInsertWatchedDirectory
  • spIsCamOn
  • spIsKeyloggerOn
  • spIsProgramLoginUnique
  • spIsUninstallOn
  • spSelectCheckIn
  • spSelectCurrentVersionIfNewer
  • spSelectCustomerJobs
  • spSelectCustomerTypes
  • spSelectFilesToDelete
  • spSelectFilesToUpload
  • spSelectFromMacexe
  • spSelectNewFiles <– this one takes no arguments are returns the URL for the latest version of LocatePC
  • spSelectOneUserWithRegCode
  • spSelectPasscodeAndHotkey
  • spSelectProgramLoginByMacs
  • spSelectRegCodeUninstall
  • spSelectShutdown
  • spSelectUserMacByProgramLogin
  • spSelectUserMessage
  • spSelectWatchedDirectories
  • spSelectWaysToHearAboutUs
  • spUploadImage
  • spUnsetUninstall
  • spUpdateCheckin
  • spUpdateDirError
  • spUpdateDirUploadTime
  • spUpdateHotkey
  • spUpdateLastLogin
  • spUpdateMacExe
  • spUpdatePasscode
  • spUpdatePermitKeylogWebcam
  • spUploadDirItem
  • spUploadFile
  • spUploadFileError