Vulnerability Disclosure - Business Logic: Unauthorized Data Exfiltration Bypassing DLP @ Zoho Device Control Plus

Kartik Lalan, published in NestedIf, Dec 17, 2022

Status: Open (As on 17-Dec-2022)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N = 7.1 (High Severity)

CVE-2022-47577

Impacted Component: Device Control Plus (Desktop App)

Assumption: The enterprise wants to block USB access (to prevent employees from stealing sensitive documents, or to prevent accidental ingestion of malware) and has implemented a complete restriction of removable USB media plus an audit trail to capture any violations.

Vulnerability Description: It was observed that despite configuring a complete restriction on any USB pen drive/USB HDD/memory card/mobile device, the USB restriction can be bypassed by using a VM, and files can be exchanged outside the laptop/system. VMs can be created by any employee (even without admin rights) and are very difficult for the IT team to block, which makes data exfiltration over USB very easy. One can also use ADB to exchange files, or boot into Safe Mode to bypass the restriction.

Impact:
Loss of data confidentiality/integrity (sensitive information can be stolen, arbitrary code can be executed). This defeats the whole concept of data loss prevention that the USB restriction is meant to provide.

Exploitability Rationale:
The user (attacker) may have admin or non-admin privileges. No logs are created, since the base OS has no control inside the VM, which makes forensic results inaccurate. ADB can be downloaded easily and needs no admin rights because no installation is involved; one simply connects an Android phone and moves files with ADB push/pull (even a non-admin can transfer files). Moreover, the server receives no alert for such file transfers.

(Applicable to all Android versions, old to latest. Verified on Win10 Enterprise 19045; applicable to all *nix and Windows machines.)

Steps to Reproduce:

Method 1:

  1. Install any VM on the same host where the USB restriction is implemented.
  2. Attach the USB device to that VM.
  3. Share a drive of the base host machine with the VM.
  4. Copy files bidirectionally to/from the VM via the USB device.

Method 2:

  1. Hold down the Shift key while the OS boots, or from an elevated admin cmd.exe run: C:\Windows\System32\bcdedit.exe /set safeboot network
  2. A reboot will then start Windows in Safe Mode, where the USB restriction agent does not start.
  3. Log in as an admin or non-admin user and connect a USB drive.
  4. Copy files bidirectionally to/from the VM via the USB device.

Method 3:

  1. Connect an Android device over USB.
  2. Download platform-tools containing ADB for Android (on first use, ADB authorization can be granted easily if developer settings are enabled).
  3. adb push c:\sensitivefolder\file.txt \sdcard\copiedfile.txt

Takeaways:

We should always be prepared for various tricks that get around client-side security controls (there is no silver bullet for such issues).

To make things a little harder, track the data bus at a very low level to see file transfers to/from USB, or develop a VM provisioning scheme.
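As an added example (not from the original post or from Zoho), the following Python triage script shows one host-side check a defender could schedule alongside the agent: it parses bcdedit /enum output for a persisted safeboot option (the footprint of Method 2) and matches a process inventory against the ADB client and a few hypervisor worker processes (Methods 1 and 3). The bcdedit sample and the process list are constructed for illustration.

```python
import re

# Constructed sample of `bcdedit /enum` output (not captured from a real host).
# The "safeboot Network" line is what `bcdedit /set safeboot network` leaves in
# the boot configuration; on the next reboot the device-control agent will not load.
SAMPLE_BCDEDIT = """
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 10
safeboot                Network
"""

# Process names worth inventorying next to the BCD check: the ADB client and some
# common hypervisor worker processes (constructed example list, not exhaustive).
WATCHED_PROCESSES = {"adb.exe", "vmware-vmx.exe", "virtualbox.exe", "vboxheadless.exe"}


def find_safeboot_entries(bcd_text: str) -> list:
    """Return (identifier, value) for each boot entry that has a safeboot option set.

    bcdedit prints one entry per blank-line-separated block, so a safeboot line
    is attributed to the identifier found in the same block."""
    findings = []
    for block in re.split(r"\n\s*\n", bcd_text.strip()):
        ident = re.search(r"^identifier\s+(\S+)", block, re.M)
        safe = re.search(r"^safeboot\s+(\S+)", block, re.M | re.I)
        if ident and safe:
            findings.append((ident.group(1), safe.group(1)))
    return findings


def flag_processes(process_names) -> list:
    """Return the running process names on the watch list, matched case-insensitively."""
    return sorted((p for p in process_names if p.lower() in WATCHED_PROCESSES), key=str.lower)


if __name__ == "__main__":
    # On a real host, feed `subprocess.check_output(["bcdedit", "/enum"])` and a
    # tasklist here; the constructed sample stands in so the script runs offline.
    for ident, value in find_safeboot_entries(SAMPLE_BCDEDIT):
        print(f"ALERT: boot entry {ident} has safeboot={value}; agent will not start on next boot")
    print("watched processes:", flag_processes(["explorer.exe", "adb.exe", "VBoxHeadless.exe"]))
```

A boot entry with safeboot set, or ADB/hypervisor processes on a host that should have neither, is a signal to investigate before the next reboot or USB event rather than proof of exfiltration.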
