Vulnerability Disclosure - Browser Control Internet Restriction Bypass @ CurrentWare

Kartik Lalan
Published in NestedIf, Jun 1, 2024

Status: Open (As on 01-June-2024)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H = 5.5 (Medium Severity)

Multiple Vulnerabilities

Impacted Component: CurrentWare v9.0.2.0 (Windows Desktop App)

Assumption: The enterprise wants to restrict internet access for end users and implement block rules as needed via the CurrentWare Browser Control solution.

Configuration: Windows agent-based internet control configured to restrict internet access. Setting up Browser Control.

Vulnerability Description: When the agent is installed on a client machine and configured from the CurrentWare Server to block the internet completely, attempting to browse normally shows a "blocked by administrator" message. However, there are many alternate methods by which this can be bypassed easily, allowing complete unrestricted internet access on the system.

Impact:
Unrestricted internet access despite the restrictions configured by design, causing Loss of Availability (as it defeats the sole purpose of internet restriction).

Exploitability Rationale:
The user (attacker) can have any privilege level, admin or non-admin, to bypass the restrictions. An end user who wants to access the internet simply needs to configure an HTTP proxy in the browser settings and use any proxying tool such as ZAP or Burp Suite, OR simply needs to rename the browser's executable file (even a non-admin can do this by copying the browser icon to any other writable directory).

(Verified on Win10 Enterprise 19045; applicable to all Windows versions)

Steps to Reproduce:

Method 1: Bypassing Browser Control internet restriction via proxy

  1. Once the client is configured to block internet access completely and the agent has received an update, confirm that the browser gives a warning upon accessing any website.
  2. Open the browser settings (all browsers supported) and navigate to the HTTP proxy settings.
  3. For instance, enter localhost and port 8080, and start ZAP/Burp listening on the same port.
  4. Now browse all internet websites to gain complete unrestricted access.

Method 2: Bypassing Browser Control internet restriction via browser file name change

  1. Once the client is configured to block internet access completely and the agent has received an update, confirm that the browser gives a warning upon accessing any website.
  2. Navigate to the browser installation directory.
  3. Change the name of the browser executable to any other name.

Method 3: Bypassing blocked hostnames via direct IP access

  1. Once the client is configured to block access to selected domains and the agent has received an update, confirm that the browser gives a warning upon accessing those websites.
  2. Perform an ICMP ping to resolve DNS for the blocked host.
  3. Use the IP address in place of the domain name to access the website, e.g. replace http://demo.testfire.net with http://65.61.137.117

Method 4:

There are multiple other techniques, such as Safe Mode, PowerShell, building a webview program with tools like Visual Studio, etc.

Take Away:

We should always be ready for various tricks against client-side security controls (there is no silver bullet to solve such issues).

Deploy network tools that can monitor and enforce internet restrictions.

To make things a little more difficult, adopt a whitelisting approach over a blacklisting approach.

Make use of rules based on deep packet inspection.
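
An endpoint-side triage check for Methods 1 and 2, as an added example that is not part of the original write-up or of CurrentWare's product: it flags running browsers whose on-disk name no longer matches the OriginalFilename in their version resource, and a per-user system proxy that points at loopback. The list of browser names and the function names are assumptions for illustration.

```powershell
# Assumption: OriginalFilename values embedded by the browsers being audited.
$BrowserOriginalNames = @('chrome.exe', 'msedge.exe', 'firefox.exe')

function Test-RenamedBrowser {
    # $true when the embedded name is a known browser but the file on disk
    # carries a different name (the condition Method 2 creates).
    param([string]$OriginalFilename, [string]$Path)
    if ([string]::IsNullOrWhiteSpace($OriginalFilename)) { return $false }
    $orig   = $OriginalFilename -replace '\.mui$', ''   # localized resources append .mui
    $onDisk = [System.IO.Path]::GetFileName($Path)
    return ($BrowserOriginalNames -contains $orig) -and ($onDisk -ne $orig)
}

function Get-RenamedBrowserProcess {
    # Walk running processes whose image path is readable by the current user.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $info = (Get-Item -LiteralPath $_.Path -ErrorAction SilentlyContinue).VersionInfo
        if ($info -and (Test-RenamedBrowser $info.OriginalFilename $_.Path)) {
            [pscustomobject]@{
                ProcessId        = $_.Id
                Path             = $_.Path
                OriginalFilename = $info.OriginalFilename
            }
        }
    }
}

function Get-LoopbackProxySetting {
    # Per-user system (WinINet) proxy; Firefox can keep its own proxy
    # settings in its profile, which this check does not read.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # Matches "localhost:8080" as well as "http=127.0.0.1:8080;https=..." forms.
    $loopback = '(^|=|//)(localhost|127\.\d+\.\d+\.\d+|\[::1\])(:|;|$)'
    if ($s -and $s.ProxyEnable -eq 1 -and $s.ProxyServer -match $loopback) {
        [pscustomobject]@{ User = $env:USERNAME; ProxyServer = $s.ProxyServer }
    }
}

Get-RenamedBrowserProcess | Format-Table -AutoSize
Get-LoopbackProxySetting  | Format-Table -AutoSize
```

Run it in the logged-on user's session, since the proxy value lives under HKCU; a hit is a lead for review, not proof of a bypass.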
