NetSupport Manager SQL Injection Vulnerability in Connectivity Server Allows Arbitrary Local File Disclosure
Vulnerability
A SQL injection vulnerability has been identified in NetSupport Manager versions prior to 14.12.0001. It exists in the Connectivity Server/Gateway component, which handles HTTPS requests. The server uses the request URI, unsanitized, in an SQLite query against the FileLinks table in gateway.db. By injecting SQL through the LinkName/URI value, a remote attacker can manipulate the FileName field so that the server reads and returns files from the disk, leading to unauthorized local file disclosure.
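The query pattern described above, shown next to a hardened form, as an added example that is not NetSupport's code. The table and column names come from this advisory; the two-column schema, the `SHARE_ROOT` directory, the function names and the sample link name are assumptions made for illustration.

```python
import os
import sqlite3

# Assumed directory that linked files are allowed to live in (hypothetical).
SHARE_ROOT = os.path.realpath("/srv/gateway/links")


def open_db():
    """Build a constructed in-memory stand-in for gateway.db (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE FileLinks (LinkName TEXT PRIMARY KEY, FileName TEXT)")
    db.execute("INSERT INTO FileLinks VALUES (?, ?)",
               ("report", os.path.join(SHARE_ROOT, "report.pdf")))
    return db


def lookup_concat(db, link_name):
    """Weak form: the URI value is pasted into the SQL text, so a quote
    character in it changes the structure of the query."""
    sql = "SELECT FileName FROM FileLinks WHERE LinkName = '%s'" % link_name
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_bound(db, link_name):
    """Hardened form: the URI value is bound as data, and the FileName that
    comes back is only served if it resolves inside SHARE_ROOT."""
    row = db.execute("SELECT FileName FROM FileLinks WHERE LinkName = ?",
                     (link_name,)).fetchone()
    if row is None:
        return None
    path = os.path.realpath(row[0])
    # Defence in depth: a FileName outside the share directory is refused
    # even if the row itself was tampered with.
    if os.path.commonpath([path, SHARE_ROOT]) != SHARE_ROOT:
        return None
    return path


if __name__ == "__main__":
    db = open_db()
    probe = "nosuchlink' OR '1'='1"           # constructed input containing a quote
    print("concat:", lookup_concat(db, probe))  # matches a row it should not
    print("bound: ", lookup_bound(db, probe))   # treated as a literal name: None
```

The path check matters independently of the binding fix: it keeps a FileName value that points outside the share directory from being served, whatever the reason it ended up in the table.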
Impact
Exploitation of this vulnerability allows for arbitrary local file disclosure.
Reproduction
The vulnerability can be reproduced by sending an HTTPS request to a NetSupport Gateway server with an injected SQL payload in the LinkName/URI value. The server will execute the unsanitized SQL query, allowing the attacker to access files on the local disk through the manipulated FileName field.
Remediation
NetSupport has released a patch for this vulnerability in version 14.12.0001. Users are advised to update their NetSupport Manager Gateways, Controls, and Clients to this version. For those running Gateway Servers on version 12.70 to 12.80 or 14.00 to 14.10, an update is available to address this vulnerability.
