Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Trend Micro Data Loss Prevention 5.2 Data Leakage

From: nitrØus <nitrousenador () gmail com>
Date: Tue, 01 Jun 2010 20:11:29 -0500
========================================================
Trend Micro Data Loss Prevention 5.2 (formerly LeakProof)
Data Leakage through certain HTTP/HTTPS channels

nitrØus
http://www.brainoverflow.org
Mexico

###############################################################
I encourage you to take a look to the ilustrated advisory that you would find at 
http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf
###############################################################

1.- VULNERABILITY INFORMATION
========================================================
Vendor: Trend Micro
Product Name: Data Loss Prevention (formerly LeakProof).
Vulnerable versions: DLP 5.2 and LeakProof <= 5.0
Product URL:
http://us.trendmicro.com/us/products/enterprise/data-loss-prevention/index.html
Author: nitrØus [ Alejandro Hernandez H. ]
Discovery Date: 09/Sept/2009
Disclosure Date: 01/Jun/2010
Attack Vector: Local
Attack Channels: Some HTTP/HTTPS non-analyzed channels
Impact: Data Theft / Data Leakage / Data Loss
Risk: Medium


2.- PRODUCT INFORMATION
========================================================
Trend Micro Data Loss Prevention (DLP) is a family of solutions that secure your private data and intellectual property, while reducing complexity and costs. You’ll gain broad coverage, high performance, and deployment flexibility needed 
to comply with regulatory mandates that protect employee and customer data.
Trend Micro DLP solutions also offer advanced DataDNA fingerprinting to secure 
unstructured data and intellectual property and protect all data modalities:
data at rest, data in use and data in motion.
Trend Micro DLP for Endpoint – non-intrusive monitoring and enforcement client software detects and prevents data loss at each endpoint, across the broadest 
variety of threat vectors, whether online or off.
Trend Micro DLP Management Server – provides a central point of visibility and control for discovery, fingerprint extraction, policy enforcement, and reporting violations. The server is available as a hardware appliance or software virtual 
appliance—for greater flexibility and lower costs.

File Types Supported
* Recognizes and processes 300+ file types
* Microsoft Office files including Office 2007: Microsoft Word, Excel,
PowerPoint, Outlook email; Lotus 1-2-3, OpenOffice, RTF, Wordpad, Text, etc.
* Graphics files: Visio, Postscript, PDF, TIFF, etc.
* Software/engineering files: C/C++, JAVA, Verilog, AutoCAD, etc.
* Archived/compressed files: Win ZIP, RAR, TAR, JAR, ARJ, 7Z, RPM, CPIO, GZIP, 
BZIP2, Unix/Linux ZIP, LZH, etc.

Network/Applications Controlled
* Email: Microsoft Outlook, Lotus Notes and SMTP Email
* Web mail: MSN/Hotmail, Yahoo, GMail, AOL Mail, and more
* Instant Messaging: MSN, AIM, Yahoo, and more
* Network Protocols: FTP, HTTP/HTTPS and SMTP Endpoint Devices Controlled
* USB, CD/DVD, COM & LPT ports, removable disks, floppy, infrared and imaging 
devices, print screen, modems, PCMCIA


3.- DISCLOSURE TIMELINE
========================================================

DD/MM/YYYY
09/09/2009 The vulnerability was discovered.
20/02/2010 Trend Micro was informed about the vulnerability.
21/02/2010 Trend Micro assigned a Service Request Number #1
23/02/2010 Trend Micro asked to reproduce the vulnerability with certain policies 
and Web browsers as well as the details of the testing environment.
23/02/2010 Details sent, including screenshots.
25/02/2010 Trend Micro, asked again to retest LeakProof in certain circumstances. 
03/03/2010 Service Request #1 automatically closed due to inactivity
16/03/2010 Trend Micro assigned a Service Request Number #2
16/03/2010 Thread retaken and I explained to Trend Micro about the technical 
nature of the flaw.
18/03/2010 I got no response, so, I warned them about the soon public disclosure 
24/03/2010 Service Request #2 automatically closed due to inactivity
23/03/2010 Trend Micro assigned a Service Request Number #3
23/03/2010 Thread retaken and Trend Micro asked me to debug and log all the
endpoint activity
31/03/2010 Explained about the results and no answer received from Trend Micro 
06/04/2010 Service Request #3 automatically closed due to inactivity
21/05/2010 Retested the vulnerability against the latest version of Data Loss 
Prevention (5.2)
01/06/2010 Public Disclosure


4.- TESTING ENVIRONMENT
========================================================
4.1.- Management Server
Operating System: CentOS 4.6 (Kernel 2.6.18-92.el5)
Management Server: DLP 5.2.1050

4.2.- Endpoints
Operating System: Windows VistaTM Business SP1
DLP Agent: 5.2.1053 (Patch applied)


5.- VULNERABILITY EXPLAINATION / EXPLOIT

###############################################################
I encourage you to take a look to the ilustrated advisory that you would find at 
http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf
###############################################################

5.1.- Files to protect
The information contained in these files are for demonstration purposes only, 
hence, the shown data is not real.

- MS Word document (.doc) containing a valid Credit Card Number
- MS Word document (.doc) containing the keywords (Boards of Directors)

5.2.- Constraint
For a successfully exploitation, the "Clipboard" channel must not be selected in order to allow the copy from the original file to the attack vector of your 
preference. (Gmail chat, facebook chat, etc.).

5.3.- Configuration of the environment to be tested

5.4.- Test to validate if the DLP works properly

5.5.- Exploitation (Data Leakage Proof-of-Concept)
The flaw as such is in the lack of analysis of certain HTTP/HTTPS channels such as Web chats. Two attack vectors were used, Gmail Chat and Facebook Chat, and the 
successful exploitation was achieved in both of them.
It's important to mention that there could be others attack vectors than those listed above, but for demonstration purposes, I'll only include in this advisory the 
popular ones, Gmail and Facebook webchats.

5.6.- Reports after the tests


6.- GREETS
I’d like to thank Yess G., F. Vilchis and Raaka_elgaupo for testing... And, as usual, all the dogs in the scene, CRAc, nahual, ran, chr1x, hkm, nediam, Federico L. Bossi Bonin, dex, Cj, crypkey, Bucio, beck, Optix, sunLevy, sdc, tr3w, zeus, Héctor López, alt3kx, underground.org.mx, beavis, 
vendetta, Armin, #mendozaaaa.


EOF
Previous By Date Next
Previous By Thread Next

Current thread: