In the chunk of data that’s returned Kirkpatrick was able to glean NetSupport information such as its hostname, user, version info, along with the encrypted password of the “Configurator Password.” “The ‘Connect’ popup that usually appears on the remote PC, when running the previous NetSupport Manager script, did not pop up when using the Nmap script after a connection,” Kirkpatrick wrote Wednesday, “This meant I could run this script across the network and the clients would be unaware of my testing of their configuration.”
Unlike the previous script, by coming in through Nmap Kirkpatrick was able to run his script without clients being any the wiser. At the time he found that hundreds of clients were vulnerable. A month ago he blogged about bypassing domains and local credentials to remotely connect to PCs running faulty versions of the product. Kirkpatrick had previously been able to use a NetSupport scripting language to do more or less the same thing. Specifically Kirkpatrick’s script checks to see if the response includes the word “License” – if he gets a response then he can connect to the client without authentication, if not then it requires authentication. Kirkpatrick’s script checks NetSupport to see whether authentication is required and if not it returns useful configuration settings from the hosts. Kirkpatrick also used Wireshark, the free and open-source packet analyzer, for his attack and discovered he could observe the TCP stream of NetSupport service and view its response. Kirkpatrick, a security consultant at Trustwave’s SpiderLabs, blogged about his findings on the company’s Anterior blog Wednesday.Įxploiting the vulnerability relies on using a simple script for the Nmap network scanner and making use of a hole that could allow attackers to go undetected while searching networks.
UPDATE – A vulnerability in older versions of NetSupport Manager, a platform that allows companies to remotely manage machines for desktop support, could yield sensitive configuration settings and lead to compromise.Īccording David Kirkpatrick, the researcher who found the vulnerability, it took him about four dozen lines of code to “easily bypass any Domain or Windows credentials” using version 10 of NetSupport, and that he could “remotely connect to the hosts and compromise them,” if he wanted to.