========================================================
Trend Micro Data Loss Prevention 5.2 (formerly LeakProof)
Data Leakage through certain HTTP/HTTPS channels
nitrØus
http://www.brainoverflow.org
Mexico
###############################################################
I encourage you to take a look to the ilustrated advisory that you would
find at
http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf
###############################################################
1.- VULNERABILITY INFORMATION
========================================================
Vendor: Trend Micro
Product Name: Data Loss Prevention (formerly LeakProof).
Vulnerable versions: DLP 5.2 and LeakProof <= 5.0
Product URL:
http://us.trendmicro.com/us/products/enterprise/data-loss-prevention/index.html
Author: nitrØus [ Alejandro Hernandez H. ]
Discovery Date: 09/Sept/2009
Disclosure Date: 01/Jun/2010
Attack Vector: Local
Attack Channels: Some HTTP/HTTPS non-analyzed channels
Impact: Data Theft / Data Leakage / Data Loss
Risk: Medium
2.- PRODUCT INFORMATION
========================================================
Trend Micro Data Loss Prevention (DLP) is a family of solutions that
secure your
private data and intellectual property, while reducing complexity and
costs.
You’ll gain broad coverage, high performance, and deployment flexibility
needed
to comply with regulatory mandates that protect employee and customer data.
Trend Micro DLP solutions also offer advanced DataDNA fingerprinting to
secure
unstructured data and intellectual property and protect all data modalities:
data at rest, data in use and data in motion.
Trend Micro DLP for Endpoint – non-intrusive monitoring and enforcement
client
software detects and prevents data loss at each endpoint, across the
broadest
variety of threat vectors, whether online or off.
Trend Micro DLP Management Server – provides a central point of
visibility and
control for discovery, fingerprint extraction, policy enforcement, and
reporting
violations. The server is available as a hardware appliance or software
virtual
appliance—for greater flexibility and lower costs.
File Types Supported
* Recognizes and processes 300+ file types
* Microsoft Office files including Office 2007: Microsoft Word, Excel,
PowerPoint, Outlook email; Lotus 1-2-3, OpenOffice, RTF, Wordpad, Text, etc.
* Graphics files: Visio, Postscript, PDF, TIFF, etc.
* Software/engineering files: C/C++, JAVA, Verilog, AutoCAD, etc.
* Archived/compressed files: Win ZIP, RAR, TAR, JAR, ARJ, 7Z, RPM, CPIO,
GZIP,
BZIP2, Unix/Linux ZIP, LZH, etc.
Network/Applications Controlled
* Email: Microsoft Outlook, Lotus Notes and SMTP Email
* Web mail: MSN/Hotmail, Yahoo, GMail, AOL Mail, and more
* Instant Messaging: MSN, AIM, Yahoo, and more
* Network Protocols: FTP, HTTP/HTTPS and SMTP Endpoint Devices Controlled
* USB, CD/DVD, COM & LPT ports, removable disks, floppy, infrared and
imaging
devices, print screen, modems, PCMCIA
3.- DISCLOSURE TIMELINE
========================================================
DD/MM/YYYY
09/09/2009 The vulnerability was discovered.
20/02/2010 Trend Micro was informed about the vulnerability.
21/02/2010 Trend Micro assigned a Service Request Number #1
23/02/2010 Trend Micro asked to reproduce the vulnerability with certain
policies
and Web browsers as well as the details of the testing environment.
23/02/2010 Details sent, including screenshots.
25/02/2010 Trend Micro, asked again to retest LeakProof in certain
circumstances.
03/03/2010 Service Request #1 automatically closed due to inactivity
16/03/2010 Trend Micro assigned a Service Request Number #2
16/03/2010 Thread retaken and I explained to Trend Micro about the
technical
nature of the flaw.
18/03/2010 I got no response, so, I warned them about the soon public
disclosure
24/03/2010 Service Request #2 automatically closed due to inactivity
23/03/2010 Trend Micro assigned a Service Request Number #3
23/03/2010 Thread retaken and Trend Micro asked me to debug and log all the
endpoint activity
31/03/2010 Explained about the results and no answer received from Trend
Micro
06/04/2010 Service Request #3 automatically closed due to inactivity
21/05/2010 Retested the vulnerability against the latest version of Data
Loss
Prevention (5.2)
01/06/2010 Public Disclosure
4.- TESTING ENVIRONMENT
========================================================
4.1.- Management Server
Operating System: CentOS 4.6 (Kernel 2.6.18-92.el5)
Management Server: DLP 5.2.1050
4.2.- Endpoints
Operating System: Windows VistaTM Business SP1
DLP Agent: 5.2.1053 (Patch applied)
5.- VULNERABILITY EXPLAINATION / EXPLOIT
###############################################################
I encourage you to take a look to the ilustrated advisory that you would
find at
http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf
###############################################################
5.1.- Files to protect
The information contained in these files are for demonstration purposes
only,
hence, the shown data is not real.
- MS Word document (.doc) containing a valid Credit Card Number
- MS Word document (.doc) containing the keywords (Boards of Directors)
5.2.- Constraint
For a successfully exploitation, the "Clipboard" channel must not be
selected
in order to allow the copy from the original file to the attack vector
of your
preference. (Gmail chat, facebook chat, etc.).
5.3.- Configuration of the environment to be tested
5.4.- Test to validate if the DLP works properly
5.5.- Exploitation (Data Leakage Proof-of-Concept)
The flaw as such is in the lack of analysis of certain HTTP/HTTPS
channels such
as Web chats. Two attack vectors were used, Gmail Chat and Facebook
Chat, and the
successful exploitation was achieved in both of them.
It's important to mention that there could be others attack vectors than
those listed
above, but for demonstration purposes, I'll only include in this
advisory the
popular ones, Gmail and Facebook webchats.
5.6.- Reports after the tests
6.- GREETS
I’d like to thank Yess G., F. Vilchis and Raaka_elgaupo for testing...
And, as usual, all the dogs in
the scene, CRAc, nahual, ran, chr1x, hkm, nediam, Federico L. Bossi
Bonin, dex, Cj, crypkey,
Bucio, beck, Optix, sunLevy, sdc, tr3w, zeus, Héctor López, alt3kx,
underground.org.mx, beavis,
vendetta, Armin, #mendozaaaa.
EOF