
The Kitchen's Finally Burned Down: DLP Security Bakeoff

(As presented by Zach Lanier and Kelly Lum at Black Hat Asia 2016)

Despite a plethora of data security and protection standards and certifications, companies and their systems are still leaking information like a sieve. For instance, Data Loss Prevention (DLP) solutions have often been touted as the "silver bullet" that will keep corporations from becoming the next headline. With deployment models ranging from a fat agent on an endpoint, to a blinky-lights box surveilling all network traffic, to some unified threat management gateway with DLP secret sauce, these solutions are ripe for bypass -- or worse.

This talk will discuss our previous and current research into a handful of DLP solutions, including their capabilities and their shortcomings. We will demonstrate flaws in administrative and programmatic interfaces and the inspection engines themselves.

Zach Lanier

March 24, 2016

Transcript

  1. AGENDA ▸ DLP overview ▸ Targets / Component breakdown ▸ Assessment criteria/Methodology ▸ Findings (by target) ▸ Conclusion / Q&A
  2. WHO ARE *WE*? ▸ Zach Lanier, Director of Research at Cylance ▸ Old net, web/app, mobile/embedded security research/pen test type ▸ Co-author, "Android Hacker's Handbook" (Wiley, April 2014) ▸ Kelly Lum, Security Engineer at Tumblr ▸ “There’s a bird. Bird. A bird.” ▸ Adjunct professor of Application Security at NYU
  3. WHY DLP? ▸ Used to be a hot-button topic ▸ Panacea to solve all data leakage woes ▸ “Keeps honest people from doing dumb things” ▸ Data breaches and “files falling off the back of a digital truck” spurred DLP
  4. WHY WE CHOSE TO LOOK AT DLP ▸ Curious about attack surface, reliability, etc. ▸ Like other security products, DLP agents/appliances often have high privileges or are “ideally” situated (i.e. see all the traffic, monitor/access all the things) ▸ Testing the “security of security products” is always interesting ▸ Big vendor buys small vendor, integrates then shelves them…meaning security is often overlooked

  5. PREVIOUS (NOT US) RESEARCH ▸ A bunch of blog posts and whitepapers by Securosis ▸ “Defeating DLP”, Matasano, BlackHat USA 2007 ▸ “Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP”, Andrew Gavin, DEFCON 19 ▸ Many others...
  6. ROUND ONE: "BIG"* VENDORS (* - and an open source product, for good measure)

    Vendor | Product | Version | OS
    Trend Micro | DLP Management Appliance | 5.6 | Linux
    Trend Micro | DLP Endpoint Agent | 5.6 | Windows
    Sophos | Astaro UTM Appliance | 9.201 | Linux
    Sophos | Sophos Enterprise Console | 5.2.1r2 | Windows
    Sophos | Sophos Endpoint Security | N/A | Windows
    Websense | TRITON Management Server | 7.8.3 | Windows
    Websense | Data Protector Endpoint Agent | 7.8.3 | Windows, Linux, OS X
    Websense | Data Security Protector Appliance | 7.8.3 | Linux
    OpenDLP | OpenDLP | 0.5.1 | Linux
  7. TREND MICRO ▸ Windows endpoint agent - monitoring and policy enforcement on client machines ▸ Acts like a “legitimate” rootkit and hides itself ▸ Network agent - virtual appliance; monitors network traffic ▸ Remote crawler - for digital assets on machines not on corporate network ▸ Management server - Linux-based virtual appliance
  8. WEBSENSE ▸ TRITON management server - unified management console; Apache Coyote on Windows, backed by MSSQL DB ▸ Windows, OS X, Linux endpoint agents ▸ File and network drivers ▸ Can also monitor clipboard operations ▸ Linux-based “Protector” appliance ▸ Restricted “admin” shell ▸ Crawler agents can index/identify sensitive documents
  9. SOPHOS ▸ Enterprise Management Console - fat/native, Windows-based unified management console ▸ Whole lotta .NET… ▸ Sophos endpoint security - antivirus + DLP + … (Windows, OS X, Linux)
  10. OPENDLP ▸ Typically Linux virtual appliance ▸ Apache + a lot of Perl ▸ Windows agent ▸ File system crawler and document parser (PCRE-based) ▸ SSHFS-based crawler ▸ And some Metasploit modules (wtf?)
  11. ON THE UBIQUITY OF KEYVIEW… ▸ “kvoop” binary (“KeyView OOP”) showed up a lot ▸ Part of KeyView Filter SDK, used for parsing and normalizing various data and document formats ▸ Used in numerous DLP products, messaging servers, and "big data" platforms ▸ e.g. “EPClassifier” in Websense spawns kvoop processes to handle documents
  12. DISCLAIMER :( ▸ BECAUSE "PR" AND "LEGAL", THE VENDORS/PRODUCT NAMES (FOR OUR SECOND ROUND OF RESEARCH) HAVE BEEN CHANGED FOR THE PURPOSES OF THIS PRESENTATION
  13. ROUND TWO: NICHE/SMALL(ER) VENDORS

    Vendor | Product | OS
    Alpha | Alpha DLP Management Virtual Appliance | Linux
    Alpha | Alpha DLP Endpoint Agent | Windows
    Bravo | Bravo DLP Management Server | Windows
    Bravo | Bravo DLP Endpoint Agent | Windows, OS X
    Charlie | Charlie DLP Management Virtual Appliance | Linux
    Charlie | Charlie DLP Agent | Windows, Linux, OS X
    Dingus | Dingus DLP Central Console Virtual Appliance | Linux
    Dingus | Dingus Network DLP Virtual Appliance | Linux
    Dingus | Dingus DLP Endpoint Agent | Windows
  14. ALPHA DLP ▸ An amalgamation of everything you hate: ▸ Previously OSS product, closed after acquisition! ▸ Admin panel entirely in Flash! ▸ Windows agent is a horrifying Frankenstein of: ▸ .NET...Java....and Erlang. ▸ Uses Action Message Format for communications! ▸ Backend: Apache + Jetty + MySQL
  15. BRAVO DLP ▸ Windows-based management console (MMC snap-in) ▸ MS SQL DB backend ▸ Windows-based content monitoring server (separate service from management console) ▸ Windows endpoint agent ▸ All sorts of drivers (NDIS, TDI, FS, etc.) and hooks ▸ OS X endpoint agent ▸ Similar to Windows agent, but with less support for certain operations ▸ Tons of open source / free libs ▸ Boost, FreeDCE, etc.
  16. CHARLIE DLP ▸ Linux (Ubuntu) virtual appliance ▸ Windows endpoint agent ▸ File monitor / scanner service ▸ Clipboard monitor ▸ Net traffic / URL monitoring ▸ Linux endpoint agent (Ubuntu/Debian) ▸ File monitor / scanner daemon ▸ GNOME / KDE notification tray thing ▸ OS X endpoint agent ▸ Didn't really evaluate this ▸ Also does a bunch of MDM-type stuff, but didn't look at this
  17. DINGUS DLP (WHICH IS A TOTALLY HYPOTHETICAL VENDOR/PRODUCT) ▸ Linux (CentOS) virtual appliance (management) ▸ Dingus Network DLP Appliance ▸ Linux (CentOS) virtual appliance ▸ In-line, tap/SPAN, etc. to monitor (or proxy) traffic ▸ Windows endpoint agent ▸ Usual rigamarole - monitor clipboard, filesystem, network traffic/URLs, etc.
  18. METHODOLOGY

    Target | Component | Test(s)
    Network Appliance | Parsers (docs and configuration) | Invalid/mangled files
    Network Appliance | Update/Deployment mechanism | Protocol analysis; crypto/signing
    Network Appliance | Operating System | Configuration auditing
    Network Appliance | Operating System | Hardening practices
    Endpoints/Agents | Parsers (docs and configuration) | Invalid/mangled files
    Endpoints/Agents | Update/Deployment mechanism | Protocol analysis; crypto/signing
    Endpoints/Agents | Drivers and Services | Hardening practices/config
    Endpoints/Agents | Drivers and Services | Fuzzing (i.e. IOCTLs, network, etc.)
    Management Server | Web Server/Web App | OWASP Top 10 type stuff
    Management Server | Database | Configuration auditing
    Management Server | Database | Sensitive data storage
    Management Server | Operating System | Configuration auditing
    Management Server | Operating System | Hardening practices
  19. GENERAL OBSERVATIONS ▸ Little to no hardening on (Linux) appliances ▸ Many services run as root ▸ Lack of exploit mitigations (beyond intrinsic/baseline OS mitigations) ▸ Highly privileged endpoint agent software out of the box (root, LOCALSYSTEM) ▸ General absence of security best practices ▸ Comms encryption, webappsec101, etc. ▸ Occasional bug inheritance ▸ Outdated JREs, FreeDCE, etc.
  20. SOPHOS MANAGER/ENDPOINT: WHAT WE DIDN’T FIND ▸ Majority of code implemented in .NET ▸ Utilizes most of the MS core libraries, which means: ▸ DB best practices ▸ Contextualized Input/Output ▸ Standardized Encryption Libraries
  21. SOPHOS/ASTARO UTM: NOT A WHOLE LOT… ▸ Most services chroot’ed (eh…), drop privs ▸ Web app fairly clean (just a few really low impact “issues”) ▸ Tight network- and login-access control restrictions
  22. ON WEBSENSE POLICIES... ▸ Websense DLP policy objects include keywords, regexes, etc. ▸ Regex entries are actually Python pickled objects ▸ TRITON management server encrypts, bundles policies/files, pushes to agents and appliances
  23. WEBSENSE PROTECTOR & ENDPOINT - CODE EXEC ▸ Say a local admin on TRITON server replaces “.pic” file with custom pickled objects… [Figure caption: Our awful pickle POC; after overwriting a “legitimate” policy file] [Figure caption: Reverse shell from Protector after policy update]
  24. ALPHA DLP - SERVER/ADMIN FINDINGS ▸ The Good: ▸ No CSRF ▸ No obvious XSF ▸ Proper use of Hibernate - no SQLi ▸ The Bad: ▸ No authentication on MySQL database ▸ User hashes are not salted ▸ Frequent crashes
  25. ALPHA DLP - AGENT FINDINGS ▸ Heavy use of marshalling between Java and Erlang ▸ Potential heap corruption? ▸ Packaged an oooooold JRE ▸ Path manipulation in accessing Erlang rules ▸ No assembly signing on .NET assemblies… #waitforit
  26. BRAVO DLP ▸ Probably the most complex/sophisticated of all the ones we analyzed ▸ Also the one we most heavily reversed ▸ tl;dr - Spent too much time, found very little, got lazy, moved on ▸ Use of DCERPC for agent<->server comms is...good? ▸ Benefit from NTLMSSP and "packet privacy" (encrypted) ▸ Except for OS X agent, which is all plaintext comms
  27. CHARLIE DLP - MANAGEMENT SERVER ▸ No anti-CSRF tokens ▸ Pretty much all operations are done REST-fully ▸ Example: CSRF an admin, delete policy by ID
  28. CHARLIE DLP - MANAGEMENT SERVER ▸ Unauthenticated registration of new (or arbitrary) endpoint agents via SOAP API ▸ Also injecting CDATA with JS rendered in admin console [Figure caption: Super amazing JS alert() skillz]
  29. ADDITIONAL DISCLAIMER :( ▸ BECAUSE "PR" AND "LEGAL", THE FOLLOWING VENDOR, DESPITE BEING REDACTED, SHOULD BE CONSIDERED *TOTALLY HYPOTHETICAL* (ALSO, WE HAND DREW SOME SCREENSHOTS BECAUSE, AGAIN, *TOTALLY HYPOTHETICAL*)
  30. DINGUS - NETWORK DLP APPLIANCE ▸ Support account that's TOTALLY not a backdoor ▸ Reverse SSHes to some Eastern European-based SSH proxy ▸ Same (non-password protected) DSA key across every appliance ▸ Allows "support" to log in as root on appliance ▸ Invoked from web UI ▸ Combined with CSRF = reverse tunnel wherever
  31. DINGUS - NETWORK DLP APPLIANCE ▸ Numerous whitelisted (NOPASSWD) sudoers entries for apache [Figure caption: arbitrary package installation, anyone?]
  32. DINGUS - NETWORK DLP/CENTRAL CONSOLE ▸ Synchronization channel is just straight up plaintext PostgreSQL comms...with simple auth ▸ Just username + DB name (HYPOTHETICAL example: appliance:appliance) ▸ Pushes ACLs and rules down to appliance from Console (Yes, that is a hand drawn Wireshark “screenshot”)
  33. EVASION IS INEVITABLE ▸ Unsupported or obscure file formats, protocols, or unexpected network behavior ▸ Think: fragment/datagram reassembly ordering ▸ Obfuscated or encrypted files ▸ Steganography, anyone? ▸ How many of your users have elevated (admin, sudo/root) privileges? ▸ e.g. disable endpoint agents
  34. BLACK HAT ASIA TAKEAWAYS ▸ Defenses add weaknesses ▸ "Caveat emptor" ▸ Every new piece of infrastructure is additional attack surface ▸ Security companies should know better ▸ If a scanner can find it, what’s your excuse? ▸ Know what/who you’re defending against ▸ An advanced insider probably has own abilities
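
For slides 22 and 23 (policy regex entries stored as Python pickles), an added example that is not from the talk or from any vendor's code: a restricted unpickler that rebuilds only compiled regexes and refuses every other global a policy file names. The names `PolicyUnpickler`, `load_policy_regex` and `check_policy` are hypothetical, and the sample entries are constructed.

```python
import io
import pickle
import re
from collections import OrderedDict

# Assumption: a policy regex entry only ever needs to rebuild a compiled
# pattern, which CPython pickles as a call to re._compile(pattern, flags).
ALLOWED_GLOBALS = {("re", "_compile")}


class PolicyUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(
                f"forbidden global {module}.{name}")
        return super().find_class(module, name)


def load_policy_regex(blob):
    """Deserialize one policy regex entry, rejecting anything else."""
    obj = PolicyUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, re.Pattern):
        raise pickle.UnpicklingError(
            f"expected a compiled regex, got {type(obj).__name__}")
    return obj


def check_policy(blob):
    """Return 'ok' or the rejection reason; malformed input is rejected too."""
    try:
        load_policy_regex(blob)
        return "ok"
    except Exception as exc:  # truncated or corrupt streams land here
        return f"rejected: {exc}"


# Constructed sample inputs (not taken from any product's policy files).
GOOD_ENTRY = pickle.dumps(re.compile(r"\b\d{3}-\d{2}-\d{4}\b"))
# Harmless stand-in for a replaced file: names a global outside the allowlist.
FOREIGN_ENTRY = pickle.dumps(OrderedDict(a=1))
# Plain data with no globals at all, but still not a regex.
WRONG_TYPE_ENTRY = pickle.dumps(["not", "a", "regex"])

if __name__ == "__main__":
    for label, blob in [("good", GOOD_ENTRY), ("foreign", FOREIGN_ENTRY),
                        ("wrong type", WRONG_TYPE_ENTRY)]:
        print(label, "->", check_policy(blob))
```

Restricting globals closes the code-execution path through deserialization; it does not authenticate the file, so integrity protection of the policy bundle remains a separate control.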