Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Trend Micro Data Loss Prevention 5.2 Data Leakage
From: nitrØus <nitrousenador () gmail com>
Date: Wed, 02 Jun 2010 19:05:11 -0500

========================================================
Trend Micro Data Loss Prevention 5.2 (formerly LeakProof)
Data Leakage through certain HTTP/HTTPS channels

nitrØus
http://www.brainoverflow.org
Mexico

################################################################################
I encourage you to take a look to the illustrated advisory that you 
would find at
http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf
################################################################################

1.- VULNERABILITY INFORMATION
========================================================
Vendor: Trend Micro
Product Name: Data Loss Prevention (formerly LeakProof).
Vulnerable versions: DLP 5.2 and LeakProof <= 5.0
Product URL:
http://us.trendmicro.com/us/products/enterprise/data-loss-prevention/index.html
Author: nitrØus [ Alejandro Hernandez H. ]
Discovery Date: 09/Sept/2009
Disclosure Date: 01/Jun/2010
Attack Vector: Local
Attack Channels: Some HTTP/HTTPS non-analyzed channels
Impact: Data Theft / Data Leakage / Data Loss
Risk: Medium


2.- PRODUCT INFORMATION
========================================================
Trend Micro Data Loss Prevention (DLP) is a family of solutions that 
secure your
private data and intellectual property, while reducing complexity and 
costs.
You’ll gain broad coverage, high performance, and deployment flexibility 
needed
to comply with regulatory mandates that protect employee and customer data.
Trend Micro DLP solutions also offer advanced DataDNA fingerprinting to 
secure
unstructured data and intellectual property and protect all data modalities:
data at rest, data in use and data in motion.

Trend Micro DLP for Endpoint – non-intrusive monitoring and enforcement 
client
software detects and prevents data loss at each endpoint, across the 
broadest
variety of threat vectors, whether online or off.

Trend Micro DLP Management Server – provides a central point of 
visibility and
control for discovery, fingerprint extraction, policy enforcement, and 
reporting
violations. The server is available as a hardware appliance or software 
virtual
appliance—for greater flexibility and lower costs.

File Types Supported
* Recognizes and processes 300+ file types
* Microsoft Office files including Office 2007: Microsoft Word, Excel,
PowerPoint, Outlook email; Lotus 1-2-3, OpenOffice, RTF, Wordpad, Text, etc.
* Graphics files: Visio, Postscript, PDF, TIFF, etc.
* Software/engineering files: C/C++, JAVA, Verilog, AutoCAD, etc.
* Archived/compressed files: Win ZIP, RAR, TAR, JAR, ARJ, 7Z, RPM, CPIO, 
GZIP,
BZIP2, Unix/Linux ZIP, LZH, etc.

Network/Applications Controlled
* Email: Microsoft Outlook, Lotus Notes and SMTP Email
* Web mail: MSN/Hotmail, Yahoo, GMail, AOL Mail, and more
* Instant Messaging: MSN, AIM, Yahoo, and more
* Network Protocols: FTP, HTTP/HTTPS and SMTP Endpoint Devices Controlled
* USB, CD/DVD, COM & LPT ports, removable disks, floppy, infrared and 
imaging
devices, print screen, modems, PCMCIA


3.- DISCLOSURE TIMELINE
========================================================

DD/MM/YYYY
09/09/2009 The vulnerability was discovered.
20/02/2010 Trend Micro was informed about the vulnerability.
21/02/2010 Trend Micro assigned a Service Request Number #1
23/02/2010 Trend Micro asked to reproduce the vulnerability with certain 
policies
and Web browsers as well as the details of the testing environment.
23/02/2010 Details sent, including screenshots.
25/02/2010 Trend Micro, asked again to retest LeakProof in certain 
circumstances.
03/03/2010 Service Request #1 automatically closed due to inactivity
16/03/2010 Trend Micro assigned a Service Request Number #2
16/03/2010 Thread retaken and I explained to Trend Micro about the 
technical
nature of the flaw.
18/03/2010 I got no response, so, I warned them about the soon public 
disclosure
24/03/2010 Service Request #2 automatically closed due to inactivity
23/03/2010 Trend Micro assigned a Service Request Number #3
23/03/2010 Thread retaken and Trend Micro asked me to debug and log all the
endpoint activity
31/03/2010 Explained about the results and no answer received from Trend 
Micro
06/04/2010 Service Request #3 automatically closed due to inactivity
21/05/2010 Retested the vulnerability against the latest version of Data 
Loss
Prevention (5.2)
01/06/2010 Public Disclosure


4.- TESTING ENVIRONMENT
========================================================
4.1.- Management Server
Operating System: CentOS 4.6 (Kernel 2.6.18-92.el5)
Management Server: DLP 5.2.1050

4.2.- Endpoints
Operating System: Windows VistaTM Business SP1
DLP Agent: 5.2.1053 (Patch applied)


5.- VULNERABILITY EXPLAINATION / EXPLOIT

########################################################
I encourage you to take a look to the illustrated advisory that you 
would find at
http://www.brainoverflow.org/advisories/TrendMicro_DLP_data_leakage.pdf
########################################################

5.1.- Files to protect
The information contained in these files are for demonstration purposes 
only,
hence, the shown data is not real.

- MS Word document (.doc) containing a valid Credit Card Number
- MS Word document (.doc) containing the keywords (Boards of Directors)

5.2.- Constraint
For a successfully exploitation, the "Clipboard" channel must not be 
selected
in order to allow the copy from the original file to the attack vector 
of your
preference. (Gmail chat, facebook chat, etc.).

5.3.- Configuration of the environment to be tested

5.4.- Test to validate if the DLP works properly

5.5.- Exploitation (Data Leakage Proof-of-Concept)
The flaw as such is in the lack of analysis of certain HTTP/HTTPS 
channels such
as Web chats. Two attack vectors were used, Gmail Chat and Facebook 
Chat, and the
successful exploitation was achieved in both of them.
It's important to mention that there could be others attack vectors than 
those listed
above, but for demonstration purposes, I'll only include in this 
advisory the
popular ones, Gmail and Facebook webchats.

5.6.- Reports after the tests


6.- GREETS
I’d like to thank Yess G., F. Vilchis and Raaka_elgaupo for testing... 
And, as usual, all the dogs in
the scene, CRAc, nahual, ran, chr1x, hkm, nediam, Federico L. Bossi 
Bonin, dex, Cj, crypkey,
Bucio, beck, Optix, sunLevy, sdc, tr3w, zeus, Héctor López, alt3kx, 
underground.org.mx, beavis,
vendetta, Armin, #mendozaaaa.

EOF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Trend Micro Data Loss Prevention 5.2 Data Leakage nitrØus (Jun 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault