Tale about a Red Team Exercise and the Forcepoint Endpoint One client

#ForcepointEndpointProtection #vulnerability #redteam #hacking #CyberSecurity #phishing #dlp

Last Modified: 2023.09.06.

You can support my research with a coffee if you find it interesting:

BTC: bc1qxza23cdutkf4pjujy8yfpqp6rd4w4k3wntpp79

Summary

Long story short

While preparing for a Red Team Engagement, I learned about the Forcepoint Endpoint One DLP client (version: 22.03 build 5558). The product contains a limited Python interpreter that can be run by non-administrator users. I managed to remove the restrictions and now I have a functionally perfectly working Python interpreter.

The Python interpreter used is very old (Python 2.5.4) and this version has several vulnerabilities. It is essential that according to the Forcepoint recommendation, the entire installation folder should be added to the exclusion list of AV and monitoring systems. This gave me the idea to use the "secret" interpreter to gain "initial access" to the client with a phishing attack. I successfully implemented this in practice.

I have notified the Forcepoint Security team of the situation in the appropriate manner, as other customers can be exposed as well. I proposed several solutions. Finally, we went through my report in a professional meeting with a good atmosphere.

In my opinion, the restoreability of the interpreter is a problem in itself. If accessing the interpreter is not considered to be a problem, than why restrict the interpreter at all? Interestingly, the "hidden" interpreter of Forcepoint can remain under the radar this way. In the end, Forcepoint decided that the recoverability of the interpreter is not a vulnerability.

Update 2023.06.22: Forcepoint is working on the update of the interpreter. Please check the Forcepoint website for further information.

Recommendation

I believe that with this information, everyone can assess the real risks and, if necessary, take appropriate protection and monitoring steps to ensure that their monitored systems are safe.

For those who want to reduce security risks, I recommend changing the Forcepoint DLP client configuration:

Don't use the default installation path (so a third party doesn't know where the client is installed).
Use a random installation folder.
Use a longer installation path.

These solutions are obviously only effective against external attackers, none of them offer protection in case of local access.

Since I don't have an installer or a suitable environment for testing, I don't have the opportunity to test the individual configurations. I recommend that customers contact the Forcepoint Security team with any such questions, I'm sure they'll be happy to help.

Accepted vulnerability, but no CVE

Later, I found an accepted and high-class vulnerability.

Certain folders in the websense directory can be written by a non-administrator user, folders that are also added to the exception of AV and monitoring systems. Thus, having access (e.g. phishing), it is possible to upload and run any malware.

It is important that Forcepoint's internal testing team also discovered this vulnerability, according to their own analysis, the vulnerability has a high risk rating. Since the internal team found the vulnerability first, it will not become a CVE. The vulnerability is fixed in version 23.04.

Technical Details

I published the technical deatils on vsociety: https://www.vicarius.io/vsociety/posts/3372

Disclosure Timeline

2023.06.02 - Forcepoint informed about the vulnerability.
2023.06.02 - 2023.06.09 - Discussions about the interpreter and the Phishing.
2023.06.10 - I sent the POC code about the vulnerability to Forcepoint.
2023.06.13 - Forcepoint sent me an update.
2023.06.22 - Forcepoint sent me an update. (New publish date + Python interpreter fix.)
2023.09.06 - I published the technical details on vsociety.