Misusing BeyondTrust Remote Support Leads To Data Exposure

BeyondTrust (former Bomgar) is a security firm, offering access management solutions to a large number of companies, “including half of the Fortune 100”. Their products range from password management to cloud privilege protection and others.

Among their products, there is the “Secure Remote Support”. According to many sources, it is the #1 preferred solution that offers support and access to any device inside as well as outside of the organization’s network, so that technicians can troubleshoot any problems that may appear through screen sharing, remote control, remote access, file sharing, and pre-written scripts. At the same time, it secures remote access and permissions to these devices as well as their passwords.

Among many functionalities, the product gives the admin the possibility to tweak the appearance of the portal, by letting them add additional resources, which are stored within the product’s /files directory. As we will see, some admins use this file storage for sensitive files, while exposing them on the internet.

Documentation and /files purpose

BeyondTrust’s Remote Support offers plenty of customization options. An admin can customize the software’s appearance, i.e add popups before logging in, customize the portal, etc. All the resources needed for these customizations can be uploaded and stored in the /files endpoint, according to the product’s documentation.

After some research, using primarily Shodan, we see that this is not always the case. Many instances that were found exposing this directory on the Internet appear to store files unrelated to customization and, in many cases, sensitive information and leaks.

Host aggregation and filtering

To aggregate instances of the Remote Support Software, we used Shodan. Shodan is a search engine for IoT and Internet-connected devices. It is basically like a search engine for servers and internet-facing instances, where one can browse through them while specifying filters based on the target instance we’re looking for, for better results.

The Remote Support Software has a distinctive HTTP title, i.e. Remote Support Portal | Powered by BOMGAR (BOMGAR is the old name of BeyondTrust). This made our life much easier. By using the filter http.title in Shodan, we could type http.title:"Remote Support Portal | Powered by BOMGAR" and get all the internet-faced instances that have this title. Although, as we mentioned earlier, the software has many customization features, including the language used. So this above-mentioned filter would not include results with titles in other languages. So, a more general filter like http.title:BOMGAR was used.

After downloading the results, we fuzzed all the hosts for an accessible /files directory. All the endpoints that returned a 200 status were screen-shotted and inspected.

Findings

After inspecting the results we came to the conclusion that, although most of the instances appeared to be hosting only customization-related resources, there were some that didn’t follow this direction and they were hosting unrelated files and in many cases information-sensitive files, violating the organization’s security and privacy. These customization-unrelated files were ranging from internal apk files to exposed propriety software setup files, to credentials, software backups, and internal information and documents.

Here are some of the things we found exposed:

Host credentials in an automation JS script

Multiple WiFi access point credentials and root passwords

A backup file for financial software Quicken, possibly including reports, passwords, accounts, and attachments

Organization email addresses

Remediation

The files that admins and technicians are falsely storing are probably used to troubleshoot devices and assist technicians in helping users, or they are scripts that are part of an automated task. Admins and technicians using the product should not see the /files directory as general storage. This directory is meant to be used only for customization and should not contain any sensitive information. Additionally, it should be best practice to not expose this endpoint to the Internet, to avoid mistakes being exposed, unless it is an absolute necessity.

From the admin’s perspective, exposing sensitive files to the Internet is a bad practice that can lead to a potential information leak. Either use this directory only for customization scripts and resources or disable the endpoint from being exposed entirely, in order to avoid future mistakes.

Although BeyondTrust bears no responsibility for its user’s bad security practices, an additional warning on the product’s documentation could help to prevent such actions in the future.