Full Disclosure mailing list archives
Trend Micro Data Loss Prevention 5.2 Data Leakage
From: nitrØus <nitrousenador () gmail com>
Date: Wed, 02 Jun 2010 19:05:11 -0500
======================================================== Trend Micro Data Loss Prevention 5.2 (formerly LeakProof) Data Leakage through certain HTTP/HTTPS channels nitrØus http://www.brainoverflow.org Mexico ################################################################################ I encourage you to take a look to the illustrated advisory that you would find at http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf ################################################################################ 1.- VULNERABILITY INFORMATION ======================================================== Vendor: Trend Micro Product Name: Data Loss Prevention (formerly LeakProof). Vulnerable versions: DLP 5.2 and LeakProof <= 5.0 Product URL: http://us.trendmicro.com/us/products/enterprise/data-loss-prevention/index.html Author: nitrØus [ Alejandro Hernandez H. ] Discovery Date: 09/Sept/2009 Disclosure Date: 01/Jun/2010 Attack Vector: Local Attack Channels: Some HTTP/HTTPS non-analyzed channels Impact: Data Theft / Data Leakage / Data Loss Risk: Medium 2.- PRODUCT INFORMATION ======================================================== Trend Micro Data Loss Prevention (DLP) is a family of solutions that secure your private data and intellectual property, while reducing complexity and costs. You’ll gain broad coverage, high performance, and deployment flexibility needed to comply with regulatory mandates that protect employee and customer data. Trend Micro DLP solutions also offer advanced DataDNA fingerprinting to secure unstructured data and intellectual property and protect all data modalities: data at rest, data in use and data in motion. Trend Micro DLP for Endpoint – non-intrusive monitoring and enforcement client software detects and prevents data loss at each endpoint, across the broadest variety of threat vectors, whether online or off. Trend Micro DLP Management Server – provides a central point of visibility and control for discovery, fingerprint extraction, policy enforcement, and reporting violations. The server is available as a hardware appliance or software virtual appliance—for greater flexibility and lower costs. File Types Supported * Recognizes and processes 300+ file types * Microsoft Office files including Office 2007: Microsoft Word, Excel, PowerPoint, Outlook email; Lotus 1-2-3, OpenOffice, RTF, Wordpad, Text, etc. * Graphics files: Visio, Postscript, PDF, TIFF, etc. * Software/engineering files: C/C++, JAVA, Verilog, AutoCAD, etc. * Archived/compressed files: Win ZIP, RAR, TAR, JAR, ARJ, 7Z, RPM, CPIO, GZIP, BZIP2, Unix/Linux ZIP, LZH, etc. Network/Applications Controlled * Email: Microsoft Outlook, Lotus Notes and SMTP Email * Web mail: MSN/Hotmail, Yahoo, GMail, AOL Mail, and more * Instant Messaging: MSN, AIM, Yahoo, and more * Network Protocols: FTP, HTTP/HTTPS and SMTP Endpoint Devices Controlled * USB, CD/DVD, COM & LPT ports, removable disks, floppy, infrared and imaging devices, print screen, modems, PCMCIA 3.- DISCLOSURE TIMELINE ======================================================== DD/MM/YYYY 09/09/2009 The vulnerability was discovered. 20/02/2010 Trend Micro was informed about the vulnerability. 21/02/2010 Trend Micro assigned a Service Request Number #1 23/02/2010 Trend Micro asked to reproduce the vulnerability with certain policies and Web browsers as well as the details of the testing environment. 23/02/2010 Details sent, including screenshots. 25/02/2010 Trend Micro, asked again to retest LeakProof in certain circumstances. 03/03/2010 Service Request #1 automatically closed due to inactivity 16/03/2010 Trend Micro assigned a Service Request Number #2 16/03/2010 Thread retaken and I explained to Trend Micro about the technical nature of the flaw. 18/03/2010 I got no response, so, I warned them about the soon public disclosure 24/03/2010 Service Request #2 automatically closed due to inactivity 23/03/2010 Trend Micro assigned a Service Request Number #3 23/03/2010 Thread retaken and Trend Micro asked me to debug and log all the endpoint activity 31/03/2010 Explained about the results and no answer received from Trend Micro 06/04/2010 Service Request #3 automatically closed due to inactivity 21/05/2010 Retested the vulnerability against the latest version of Data Loss Prevention (5.2) 01/06/2010 Public Disclosure 4.- TESTING ENVIRONMENT ======================================================== 4.1.- Management Server Operating System: CentOS 4.6 (Kernel 2.6.18-92.el5) Management Server: DLP 5.2.1050 4.2.- Endpoints Operating System: Windows VistaTM Business SP1 DLP Agent: 5.2.1053 (Patch applied) 5.- VULNERABILITY EXPLAINATION / EXPLOIT ######################################################## I encourage you to take a look to the illustrated advisory that you would find at http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf ######################################################## 5.1.- Files to protect The information contained in these files are for demonstration purposes only, hence, the shown data is not real. - MS Word document (.doc) containing a valid Credit Card Number - MS Word document (.doc) containing the keywords (Boards of Directors) 5.2.- Constraint For a successfully exploitation, the "Clipboard" channel must not be selected in order to allow the copy from the original file to the attack vector of your preference. (Gmail chat, facebook chat, etc.). 5.3.- Configuration of the environment to be tested 5.4.- Test to validate if the DLP works properly 5.5.- Exploitation (Data Leakage Proof-of-Concept) The flaw as such is in the lack of analysis of certain HTTP/HTTPS channels such as Web chats. Two attack vectors were used, Gmail Chat and Facebook Chat, and the successful exploitation was achieved in both of them. It's important to mention that there could be others attack vectors than those listed above, but for demonstration purposes, I'll only include in this advisory the popular ones, Gmail and Facebook webchats. 5.6.- Reports after the tests 6.- GREETS I’d like to thank Yess G., F. Vilchis and Raaka_elgaupo for testing... And, as usual, all the dogs in the scene, CRAc, nahual, ran, chr1x, hkm, nediam, Federico L. Bossi Bonin, dex, Cj, crypkey, Bucio, beck, Optix, sunLevy, sdc, tr3w, zeus, Héctor López, alt3kx, underground.org.mx, beavis, vendetta, Armin, #mendozaaaa. EOF _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Trend Micro Data Loss Prevention 5.2 Data Leakage nitrØus (Jun 03)