A remote management tool used in some enterprises can be exploited by attackers to remotely connect to a host without needing any passwords, according to a Trustwave researcher.
Many organizations use the NetSupport software to remotely manage and connect to PCs and servers from a central location. These systems normally are set up with either Domain or local credentials, and shouldn’t be accessible without the person logging in. However, if the system has NetSupport installed for remote desktop support, it most likely has the default configuration, which allows remote users to connect automatically without authentication, David Kirkpatrick, a principal consultant at Trustwave, wrote in a blog post. The software also leaks detailed information about the device, such as the hostname, version number, and the username.
With NetSupport’s default configuration, anyone can remotely connect to the system and bypass the login prompt altogether, Kirkpatrick said.
Kirkpatrick wrote a script using Nmap to check each endpoint on the network to determine if it has NetSupport installed, and whether it has the default configuration enabled. The script returns “useful NetSupport configuration settings,” such as hostname, username, and the NetSupport version number, among other things, Kirkpatrick said. An attacker could use the same script to search the network for vulnerable systems.
“I could run this script across the network and the clients would be unaware of my testing of their configuration,” Kirkpatrick said. Connecting to the system would be a little bit harder because the original user will see a pop-up on the computer indicating a new user was also connected to the system.
For an attacker to successfully compromise the machine, he or she would first need to have NetSupport Manager software installed, Kirkpatrick told SecurityWeek in an email. That isn’t difficult, as an evaluation copy is available for free. Once connected remotely, the attacker would be able to take over the systems as though he or she had control locally. The attacker could also send commands to the compromised system over the remote desktop connection and retrieve information from a Windows shell, he said. The mouse and keyboard can be shifted to the attacker’s control.
It’s easy to dismiss the research as affecting only insider threats. But the way NetSupport is wide open to abuse makes it clear the software needs to be secured. The fact that a remote user can access a PC running a NetSupport product means the systems can be entirely compromised.
NetSupport has fixed the information leakage vulnerability in later versions so that passwords are always required to connect to an endpoint, Kirkpatrick said.
“The lesson here is that greater care should be taken when installing such powerful software that can bypass all your domain security so easily,” Kirkpatrick warned, before adding, “Of course, software providers can help by securing their default installation configurations as well.”