|
I was taking a quick look at the RemotelyAnywhere software install. A few things I discovered:
1. There is a service 'RAMaint' (probably a watchdog task). It runs as LocalSystem (doesn't everything?!) and uses an unsafe path in versions earlier than v8: SYSTEM anyone?
2. If authenticated, you can fetch log files via
/download/?dir=C:\Program%20Files\RemotelyAnywhere\&file=RemotelyAnywhere.log&pack=txt
Of course, I'm sure you could change this to read stuff the server administrator had not intended....
3. There is an XSS in the custom RA HTTP service, which you can use to steal cookies. Of course, you need to entice your target to visit the address.
/img/%3Cscript%3Ealert(document.cookie);%3C/script%3E.html
Just send the cookie, care of .....
.---. .---.
: : o : me want cookie!
_..-: o : :-.._ /
.-'' ' `---' `---' " ``-.
.' " ' " . " . ' " `.
: '.---.,,.,...,.,.,.,..---. ' ;
`. " `. .' " .'
`. '`. .' ' .'
`. `-._ _.-' " .' .----.
`. " '"--...--"' . ' .' .' o `.
.'`-._' " . " _.-'`. : o :
jgs .' ```--.....--''' ' `:_ o :
.' " ' " " ; `.;";";";'
; ' " ' . ; .' ; ; ;
; ' ' ' " .' .-'
' " " ' " " _.-'
|