COMMAND

    TriActive's Remote Manager

SYSTEMS AFFECTED

    Win 9x, NT

PROBLEM

    Trevor Gryffyn found the following.  This software enables IS
    techs to remotely control (to a large degree, but not with
    real-time control like pcAnywhere) a remote 95/98/NT machine.
    This includes viewing almost anything viewable as far as system
    configuration and settings go, browsing the system and executing
    programs via a forms-based DOS utility, browsing the system and
    whatever it can view via Network Neighborhood (with that machine's
    permissions), and renaming, deleting, remotely launching, editing,
    downloading, etc. files.  It even allows you to view and modify
    the registry of the machine that it's running on.

    There are two forms of authentication that this program can use:
    either authenticating off of an NT machine, with Basic (clear
    text) or Challenge and Response (for 95 you have to have
    USER-LEVEL ACCESS CONTROL and a Domain configured in your Network
    settings for this to work), or by way of a username and password
    that you set in the program (on a 95 machine, if it's set for
    Share-Level Access control).  It *will* warn you that it's best to
    use the User-Level access control, but if you choose not to, it
    stores the Username and Password that you define in plaintext
    under:

        HKLM\SOFTWARE\TriActive\Remote Manager\Username

    and

        HKLM\SOFTWARE\TriActive\Remote Manager\Password

    On the surface this is pretty minor, but if someone could gain
    access to your registry, then you've just opened up a gateway for
    them to do a great deal of damage to your machine, or to some
    degree to bounce off of your machine to do damage elsewhere,
    especially when coupled with other products out there.

SOLUTION

    Nothing yet.  As for securing HKLM, this was covered in:

        http://oliver.efri.hr/~crv/security/bugs/NT/hklm.html
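
    Until a fix exists, machines carrying the plaintext entries can be
    found by scanning registry exports.  The following is an added
    example, not code from the advisory or the vendor: it parses a
    REGEDIT4 export and reports whether the two entries named above
    hold data.  It assumes Username and Password are string values
    under the Remote Manager key; the function name and the sample
    export are constructed for illustration.

```python
import re

# Key named in the advisory; compared case-insensitively, as the registry is.
TARGET_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\TriActive\Remote Manager".lower()
# Assumption: the two credentials are string values under that key.
CRED_NAMES = {"username", "password"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="string data" lines only; dword/hex values never match.
STRING_RE = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def find_plaintext_credentials(reg_text):
    """Return (key, value_name, data_length) for each non-empty credential.

    Only the length is reported so audit output never repeats the secret.
    """
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group("key")
            continue
        value = STRING_RE.match(line)
        if key is None or value is None or key.lower() != TARGET_KEY:
            continue
        name = value.group("name")
        # Undo the export's \\ and \" escapes to get the stored string.
        data = re.sub(r"\\(.)", r"\1", value.group("data"))
        if name.lower() in CRED_NAMES and data:
            findings.append((key, name, len(data)))
    return findings


# Constructed sample export, not taken from a real system.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\TriActive\Remote Manager]
"Username"="helpdesk"
"Password"="Winter\\99"
"Port"=dword:00000050

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Other]
"Password"="unrelated"
'''
```

    An empty result means no export held data in either value; it
    says nothing about who is able to read the key.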