Bugtraq mailing list archives
Trend Micro Data Loss Prevention 5.2 Data Leakage
From: nitrØus <nitrousenador () gmail com>
Date: Tue, 01 Jun 2010 20:11:29 -0500
======================================================== Trend Micro Data Loss Prevention 5.2 (formerly LeakProof) Data Leakage through certain HTTP/HTTPS channels nitrØus http://www.brainoverflow.org Mexico ###############################################################I encourage you to take a look to the ilustrated advisory that you would find at
http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf ############################################################### 1.- VULNERABILITY INFORMATION ======================================================== Vendor: Trend Micro Product Name: Data Loss Prevention (formerly LeakProof). Vulnerable versions: DLP 5.2 and LeakProof <= 5.0 Product URL: http://us.trendmicro.com/us/products/enterprise/data-loss-prevention/index.html Author: nitrØus [ Alejandro Hernandez H. ] Discovery Date: 09/Sept/2009 Disclosure Date: 01/Jun/2010 Attack Vector: Local Attack Channels: Some HTTP/HTTPS non-analyzed channels Impact: Data Theft / Data Leakage / Data Loss Risk: Medium 2.- PRODUCT INFORMATION ========================================================Trend Micro Data Loss Prevention (DLP) is a family of solutions that secure your private data and intellectual property, while reducing complexity and costs. You’ll gain broad coverage, high performance, and deployment flexibility needed
to comply with regulatory mandates that protect employee and customer data.Trend Micro DLP solutions also offer advanced DataDNA fingerprinting to secure
unstructured data and intellectual property and protect all data modalities: data at rest, data in use and data in motion.Trend Micro DLP for Endpoint – non-intrusive monitoring and enforcement client software detects and prevents data loss at each endpoint, across the broadest
variety of threat vectors, whether online or off.Trend Micro DLP Management Server – provides a central point of visibility and control for discovery, fingerprint extraction, policy enforcement, and reporting violations. The server is available as a hardware appliance or software virtual
appliance—for greater flexibility and lower costs. File Types Supported * Recognizes and processes 300+ file types * Microsoft Office files including Office 2007: Microsoft Word, Excel, PowerPoint, Outlook email; Lotus 1-2-3, OpenOffice, RTF, Wordpad, Text, etc. * Graphics files: Visio, Postscript, PDF, TIFF, etc. * Software/engineering files: C/C++, JAVA, Verilog, AutoCAD, etc.* Archived/compressed files: Win ZIP, RAR, TAR, JAR, ARJ, 7Z, RPM, CPIO, GZIP,
BZIP2, Unix/Linux ZIP, LZH, etc. Network/Applications Controlled * Email: Microsoft Outlook, Lotus Notes and SMTP Email * Web mail: MSN/Hotmail, Yahoo, GMail, AOL Mail, and more * Instant Messaging: MSN, AIM, Yahoo, and more * Network Protocols: FTP, HTTP/HTTPS and SMTP Endpoint Devices Controlled* USB, CD/DVD, COM & LPT ports, removable disks, floppy, infrared and imaging
devices, print screen, modems, PCMCIA 3.- DISCLOSURE TIMELINE ======================================================== DD/MM/YYYY 09/09/2009 The vulnerability was discovered. 20/02/2010 Trend Micro was informed about the vulnerability. 21/02/2010 Trend Micro assigned a Service Request Number #123/02/2010 Trend Micro asked to reproduce the vulnerability with certain policies
and Web browsers as well as the details of the testing environment. 23/02/2010 Details sent, including screenshots.25/02/2010 Trend Micro, asked again to retest LeakProof in certain circumstances.
03/03/2010 Service Request #1 automatically closed due to inactivity 16/03/2010 Trend Micro assigned a Service Request Number #216/03/2010 Thread retaken and I explained to Trend Micro about the technical
nature of the flaw.18/03/2010 I got no response, so, I warned them about the soon public disclosure
24/03/2010 Service Request #2 automatically closed due to inactivity 23/03/2010 Trend Micro assigned a Service Request Number #3 23/03/2010 Thread retaken and Trend Micro asked me to debug and log all the endpoint activity31/03/2010 Explained about the results and no answer received from Trend Micro
06/04/2010 Service Request #3 automatically closed due to inactivity21/05/2010 Retested the vulnerability against the latest version of Data Loss
Prevention (5.2) 01/06/2010 Public Disclosure 4.- TESTING ENVIRONMENT ======================================================== 4.1.- Management Server Operating System: CentOS 4.6 (Kernel 2.6.18-92.el5) Management Server: DLP 5.2.1050 4.2.- Endpoints Operating System: Windows VistaTM Business SP1 DLP Agent: 5.2.1053 (Patch applied) 5.- VULNERABILITY EXPLAINATION / EXPLOIT ###############################################################I encourage you to take a look to the ilustrated advisory that you would find at
http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf ############################################################### 5.1.- Files to protectThe information contained in these files are for demonstration purposes only,
hence, the shown data is not real. - MS Word document (.doc) containing a valid Credit Card Number - MS Word document (.doc) containing the keywords (Boards of Directors) 5.2.- ConstraintFor a successfully exploitation, the "Clipboard" channel must not be selected in order to allow the copy from the original file to the attack vector of your
preference. (Gmail chat, facebook chat, etc.). 5.3.- Configuration of the environment to be tested 5.4.- Test to validate if the DLP works properly 5.5.- Exploitation (Data Leakage Proof-of-Concept)The flaw as such is in the lack of analysis of certain HTTP/HTTPS channels such as Web chats. Two attack vectors were used, Gmail Chat and Facebook Chat, and the
successful exploitation was achieved in both of them.It's important to mention that there could be others attack vectors than those listed above, but for demonstration purposes, I'll only include in this advisory the
popular ones, Gmail and Facebook webchats. 5.6.- Reports after the tests 6.- GREETSI’d like to thank Yess G., F. Vilchis and Raaka_elgaupo for testing... And, as usual, all the dogs in the scene, CRAc, nahual, ran, chr1x, hkm, nediam, Federico L. Bossi Bonin, dex, Cj, crypkey, Bucio, beck, Optix, sunLevy, sdc, tr3w, zeus, Héctor López, alt3kx, underground.org.mx, beavis,
vendetta, Armin, #mendozaaaa. EOF
Current thread:
- Trend Micro Data Loss Prevention 5.2 Data Leakage nitrØus (Jun 02)