Authentication vulnerability found in NetSupport PC management software

A person using NetSupport desktop management software may not need a password to connect remotely to another computer using the same application.

David Kirkpatrick, a principal security consultant for Trustwave, discovered the vulnerability while doing penetration testing for a customer using NetSupport. IT departments use the application to take control of employees' PCs to perform maintenance or fix a problem.

After installing the software on his own computer, Kirkpatrick found that the default configuration of the application did not require a password for connecting computers running NetSupport.

Essentially, someone using the software could bypass any domain or local credentials to remotely connect to the PC and compromise it, Kirkpatrick said.

The next question was whether someone could find vulnerable computers on a network. Using NetSupport's scripting language and management tool, Kirkpatrick scanned a test network of computers and was able to find all vulnerable systems.

Kirkpatrick then tested whether someone using a tool other than NetSupport could also find vulnerable computers. He wrote a basic Nmap script and used Wireshark, an open-source packet analyzer, to make an inventory request of computers on the customer's corporate network.

The information returned told Kirkpatrick whether a computer was running a default configuration of NetSupport, as well as the version of the software, the username, the host name of the PC and the encrypted password.

"The information that's returned is the vulnerability, essentially, because all I was doing in my Nmap script was sending the command, get inventory, and I was getting a response," Kirkpatrick said Friday.

Once notified, NetSupport issued a fix, which amounted to requiring a password to connect to a remote computer.

"My Nmap script no longer works, but I haven't been able to determine why that's the case," Kirkpatrick said.

NetSupport could not be reached for comment. Technical details of Kirkpatrick's work are in his Trustwave blog.
