NetSupport Manager Arbitrary File Write Vulnerability Leading to Remote Code Execution
Vulnerability
An arbitrary file write vulnerability has been identified in NetSupport Manager versions prior to 14.12.0001. The issue resides in the PUTFILE request handler of the Connectivity Server/Gateway component. An attacker with a valid Gateway Key can craft a filename that includes directory traversal sequences and so write files to arbitrary locations on the server. This can be used to place attacker-controlled DLLs or executables in privileged paths, potentially leading to remote code execution in the context of the NetSupport Manager connectivity service.
Impact
Exploitation of this vulnerability allows arbitrary file writes, which under certain conditions can be leveraged to execute malicious code remotely.
Reproduction
To reproduce this vulnerability, an attacker must first obtain a valid Gateway Key. Once the key is acquired, the attacker can send a PUTFILE request to the NetSupport Gateway server, which runs an HTTP server on TCP port 443 by default. The request must include a crafted filename with directory traversal sequences to write files to a desired location on the server. After successfully writing a file, such as a DLL or executable, to a privileged path, the attacker can trigger the execution of the malicious payload, achieving remote code execution.
Remediation
NetSupport has released a patch for this vulnerability in version 14.12.0001. Users are advised to update their NetSupport Manager Gateways, Controls, and Clients to this version. For those running NetSupport Manager Gateway Servers on versions 12.70 to 12.80 or 14.00 to 14.10, an update is available to address this vulnerability.
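The filename handling flaw described under Vulnerability, shown as an added example that is not NetSupport's code and not part of the original advisory: a naive join of a client-supplied name beside a containment check that rejects traversal. The root `C:\GatewayData\uploads`, the function names and the sample filenames are all constructed assumptions.

```python
import ntpath  # Windows path semantics on any OS, purely lexical
from typing import Optional

# Assumption: hypothetical storage root, not a real NetSupport directory.
UPLOAD_ROOT = r"C:\GatewayData\uploads"

def naive_target(filename: str) -> str:
    """Vulnerable pattern: trust the client-supplied name and join it."""
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))

def safe_target(filename: str) -> Optional[str]:
    """Return the destination inside UPLOAD_ROOT, or None to reject."""
    if not filename or "\x00" in filename:
        return None
    drive, rest = ntpath.splitdrive(filename)
    # Reject drive letters, UNC shares and rooted paths: join() would
    # discard UPLOAD_ROOT for all of them.
    if drive or rest.startswith(("\\", "/")):
        return None
    # A remaining ':' marks an NTFS alternate data stream suffix.
    if ":" in filename:
        return None
    root = ntpath.normpath(UPLOAD_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, filename))
    # Compare after normalisation, case-insensitively, with a trailing
    # separator so a sibling such as "uploads_backup" does not match.
    if not candidate.lower().startswith(root.lower() + "\\"):
        return None
    return candidate

# Constructed sample names, not taken from any real request.
SAMPLES = [
    "report.txt",
    "sub/notes.txt",
    r"..\..\outside.dll",
    "../../outside.dll",
    r"\Other\x.dll",
    r"..\uploads_backup\x.dll",
    "notes.txt:hidden",
]

def audit(names=SAMPLES):
    """Pair each name with the naive result and the checked result."""
    return [(n, naive_target(n), safe_target(n)) for n in names]

if __name__ == "__main__":
    for name, naive, safe in audit():
        print(f"{name!r:30} naive={naive!r:42} safe={safe!r}")
```

The check is lexical only; a handler working on a real filesystem would also resolve the final path on disk so that junctions or symbolic links under the root cannot redirect the write.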
