Vulnerability Disclosure - Business Logic: Unauthorized Data Exfiltration Bypassing DLP @ Microsoft Endpoint DLP

Kartik Lalan
Published in NestedIf
Jun 1, 2024

Status: Open (As on 1-June-2024)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N = 7.1 (High Severity)

Impacted Component: Microsoft Endpoint Data Loss Prevention (DLP) solution

Assumption: The enterprise wants to block USB access (to prevent employees from stealing sensitive documents, or to prevent accidental ingestion of malware) and has implemented a complete restriction of removable USB media plus an audit trail to capture any violations.

Vulnerability Description: It was observed that, despite configuring a complete restriction on any USB pen drive, USB HDD, memory card, mobile phone, etc., it is possible to bypass the USB restriction via multiple techniques and exchange files outside the laptop/system. VMs can be created by any employee (even without admin rights) and are very difficult for the IT team to block, which makes data exfiltration over USB very easy. One can also use ADB to exchange files.

Impact:
Loss of data confidentiality/integrity (sensitive information can be stolen, arbitrary code can be executed). This defeats the sole purpose of data loss prevention when USB restriction is attempted.

Exploitability Rationale:
The user (attacker) may have admin or non-admin privileges. No logs are created, since the base OS has no control inside the VM, which makes forensic results inaccurate. ADB can be downloaded easily and needs no admin rights, as no installation is involved; one simply connects an Android phone and moves files with adb push/pull (even a non-admin can transfer files). Moreover, the backend dashboard receives no alerts for such file transfers.

(Applicable to all Android versions, from old to latest. Verified on Win10 Enterprise 19045; applicable to all Windows machines.)

Steps to Reproduce:

Method 1: Bypass USB drive restriction in the presence of a DLP solution via a VM

1. Install any VM on the same host where the USB restriction is implemented.
2. Attach the USB device to that VM.
3. Share a drive of the base host machine with the VM.
4. Copy files bidirectionally to/from the VM via the USB device.

Method 2: Bypass USB drive restriction via ADB

1. Connect the Android device over USB.

2. Download platform-tools containing ADB for Android (on first use, ADB authorization can be granted easily if developer settings are enabled).

3. adb push c:\sensitivefolder\file.txt \sdcard\copiedfile.txt

Takeaway:

We should always be ready for the various tricks that defeat client-side security controls (there is no silver bullet for such issues).

To make things a little more difficult, track the data bus at a very low level to see file transfers to/from USB, or develop a VM provisioning scheme.
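The takeaway above is that the DLP agent itself never sees these transfers, so the host has to watch for the surrounding activity. As an added example (not code from the post or from Microsoft), the following Python runs simple detection logic over constructed process-creation events, flagging adb push/pull of files under the post's c:\sensitivefolder path and hypervisors launched from a user profile; the event field names and the hypervisor executable names are assumptions.

```python
import ntpath
from typing import Optional

# Constructed sample process-creation events (not from the original post); the
# fields mirror what an EDR/Sysmon-style source gives: user, image, command line.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "image": "C:\\Users\\alice\\Downloads\\platform-tools\\adb.exe",
     "cmdline": "adb.exe push C:\\sensitivefolder\\file.txt /sdcard/copiedfile.txt"},
    {"user": "CORP\\alice", "image": "C:\\Users\\alice\\Downloads\\platform-tools\\adb.exe",
     "cmdline": "adb.exe devices"},
    {"user": "CORP\\bob", "image": "C:\\Users\\bob\\Apps\\VirtualBox\\VBoxHeadless.exe",
     "cmdline": "VBoxHeadless.exe --startvm exfil"},
    {"user": "CORP\\carol", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\sensitivefolder\\file.txt"},
]

# Folder the post uses as the sensitive source; an organisation would list its own.
SENSITIVE_PREFIXES = ("c:\\sensitivefolder\\",)
# Hypervisor executables to watch for (assumed names; extend to the products in use).
HYPERVISOR_IMAGES = {"vboxheadless.exe", "virtualboxvm.exe", "vmware-vmx.exe", "qemu-system-x86_64.exe"}


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one event, or None when nothing is suspicious."""
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"].lower()
    if image == "adb.exe":
        tokens = cmd.split()
        if len(tokens) >= 2 and tokens[1] in ("push", "pull"):
            # push/pull moves files over the USB debug channel, which Endpoint DLP does not see
            if any(t.startswith(SENSITIVE_PREFIXES) for t in tokens[2:]):
                return "adb-transfer-sensitive"
            return "adb-transfer"
        return "adb-present"  # tool is on the host; worth inventorying, lower priority
    if image in HYPERVISOR_IMAGES and "\\users\\" in event["image"].lower():
        # hypervisor running from a user profile: a VM brought in without IT provisioning
        return "unmanaged-vm"
    return None


def scan(events: list) -> list:
    """Run classify over a batch and return (index, label) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label} ({SAMPLE_EVENTS[idx]['user']})")
```

A real deployment would feed this from the EDR's process telemetry and pair it with the USB device-attach events the post says the dashboard currently lacks.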

Initially disclosed in Feb 2022; it remains unfixed to date as Microsoft has no concrete solution available, with the justification that it is an insider attack and should be handled via defense in depth. Protection against ADB isn't promised as part of the solution, and data exchange this way is by design.
