UPDATE – A vulnerability in older versions of NetSupport Manager, a platform that allows companies to remotely manage machines for desktop support, could yield sensitive configuration settings and lead to compromise.
According to David Kirkpatrick, the researcher who found the vulnerability, it took him about four dozen lines of code to “easily bypass any Domain or Windows credentials” using version 10 of NetSupport, and, had he wanted to, he could have gone on to “remotely connect to the hosts and compromise them.”
Kirkpatrick, a security consultant at Trustwave’s SpiderLabs, blogged about his findings on the company’s Anterior blog Wednesday.
Exploiting the vulnerability relies on a simple script for the Nmap network scanner, combined with a hole that could allow attackers to go undetected while searching networks. Kirkpatrick also used Wireshark, the free and open-source packet analyzer, for his attack and discovered he could observe the TCP stream of the NetSupport service and view its response.
Kirkpatrick’s script checks NetSupport to see whether authentication is required and, if it is not, returns useful configuration settings from the hosts. Specifically, the script checks whether the response includes the word “License”: if it does, he can connect to the client without authentication; if not, the client requires authentication.
Kirkpatrick had previously been able to use a NetSupport scripting language to do more or less the same thing. A month ago he blogged about bypassing domains and local credentials to remotely connect to PCs running faulty versions of the product. At the time he found that hundreds of clients were vulnerable.
Unlike with the previous script, by coming in through Nmap Kirkpatrick was able to run his script without the clients being any the wiser.
“The ‘Connect’ popup that usually appears on the remote PC, when running the previous NetSupport Manager script, did not pop up when using the Nmap script after a connection,” Kirkpatrick wrote Wednesday. “This meant I could run this script across the network and the clients would be unaware of my testing of their configuration.”
From the chunk of data that is returned, Kirkpatrick was able to glean NetSupport information such as the hostname, user and version info, along with the encrypted “Configurator Password.”
Since the software’s default settings don’t enforce that a password is set, it is easy for this information to be freely returned and even easier for an attacker to bypass Windows local or domain passwords.
Kirkpatrick points out that NetSupport has been notified about the leakage vulnerability and that the flaw has been fixed in “later revisions.”
According to Al Kingsley, NetSupport’s Group Managing Director, version 12 of the product, the one that is currently being shipped, mitigates the vulnerability.
Conventional wisdom holds that it is always better to password-protect software that connects to the internet, so NetSupport users who are unsure whether their setup is vulnerable to this hole can prevent a compromise by simply making sure they configure a password in the software’s Client Security settings.
Kingsley also points out that later versions of NetSupport now include a flashing visual indicator on the end user UI to “highlight if a password has not been set on install, to ensure it is not missed by the user.”