As a follow-up to my article from more than a year ago, I present a sad continuation.
In the fall of 2018, I came across a comment from one of the product's creators and decided to check whether the holes had been fixed in the new version, and to try to find new ones.
As a result, the following were found:
1. The ability to delete or rename the drivers has been eliminated by setting tighter access rights on them.
This fix was the obvious one to make. It was the only plus; then come the minuses:
2. Protection of system files is left "as is", probably to keep the operating system's update mechanisms working.
As a result, deleting or renaming a system file and bringing down the service that way is just as easy as before.
We try deleting the completely unnecessary winspool.drv, on which dlservice.exe depends, and reboot.
We log in, see in Task Manager that the service did not start, and... oops! Blue screen!
Reboot, log in, and blue screen again! We put the file back and reboot. The service is running, nothing crashes! So that is the trick: the defense works! Bravo? Not so fast!
The first thing that catches the eye is the delay between logging in and dropping into the blue screen.
An attacker can still pull off their dirty deeds, only very quickly.
And at USB3 and Thunderbolt speeds, one can manage to dump a hundred or two megabytes onto a removable drive in those few seconds between logging in and crashing.
Second, the system does not crash at all if nobody logs in. That is, connect over the network from your laptop, open the C$ share and calmly take what you need, because everything, including the firewall, is down! The main thing is not to connect via Remote Desktop and not to log in, otherwise it crashes again!
And finally, the third: instead of the system shell (Explorer by default, of course), try slipping in a script that copies something big, for example the client database, onto a USB flash drive (and yes, the registry key is not locked against editing!).
The effect is funny: the blue screen does not appear even 10 minutes after our malicious script has done its work!
The super-protection reacts to Explorer! To check this, simply launch it and get a blue screen! In other words, just disable the standard shell, and after deleting the system file the protection collapses!
The developers at SmartLine apparently do not know that the standard file-open dialog has almost all of Explorer's file-copying functionality and is available immediately after logging in, straight from Task Manager!
As a result, we have exactly what I predicted in the previous article: additional screws were driven into the fence, but this did not strengthen the defense.
It is surprising that such a clumsy solution is offered by a company that positions itself as a developer of comprehensive protection systems!
Moreover, ordinary users come last in the developers' thinking: in the event of any failure involving damage to system files, this miracle protection simply paralyzes the computer's normal operation, and a lot of time will be spent on recovery if there is no qualified staff nearby.
While poking at this, I accidentally discovered another joke in the style of Apple: the management console can be entered as an ordinary user with an empty password! This works if that user's password matches the password of one of the designated DeviceLock administrators.
Naturally, on my test VM all passwords are eight ones.
The developers' response was simply stunning: it is a Microsoft bug and we are not going to fix it. The question of why they use the problematic component at all hung in the air.
I also noticed that the mechanisms for tightening access rights are no less clumsy: when enhanced self-defense is installed, the templates are applied without checking the results. If the file has been deleted in some way, or the rights have been set in advance so that the installer cannot change them, there is no reaction. No errors appear, and after a reboot either the service will not start, or the files will remain open to modification or deletion. And this is the work of security professionals?
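The gap described here, and the driver-ACL tightening mentioned in point 1, both come down to the same thing: the installer applies a hardening template and never verifies the outcome. An administrator can close that gap with a post-install check of their own. The script below is an added example and is not code from the article or from SmartLine; the install path, the driver file name and the service name are assumed placeholders (only dlservice.exe appears in the article) and must be replaced with the real ones from your installation.

```powershell
# Added example (not from the article or from SmartLine): verify that the
# self-defense hardening actually took effect instead of trusting that the
# installer's ACL templates were applied. Paths and service name are assumed
# placeholders; substitute the real ones from your installation.

$ProtectedFiles = @(
    'C:\Program Files\DeviceLock\dlservice.exe',   # assumed install path
    'C:\Windows\System32\drivers\ExampleDL.sys'    # placeholder driver name
)
$ServiceName = 'ExampleDLService'                   # placeholder service name

# Rights that let a non-admin tamper with a file (delete, rename, overwrite,
# or re-ACL it). FullControl and Modify both include these bits.
$TamperRights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
                [System.Security.AccessControl.FileSystemRights]::Write -bor
                [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Identities that are expected to keep full control; any other identity holding
# tamper rights means the template was not applied.
$TrustedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

$failures = @()

foreach ($path in $ProtectedFiles) {
    # The installer does not report a missing file; this check does.
    if (-not (Test-Path -LiteralPath $path)) {
        $failures += "MISSING: $path"
        continue
    }
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $TamperRights) -ne 0) {
            $failures += "WEAK ACL: $path grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }
}

# The other silent failure mode from the article: the service simply does not
# start after reboot. Report that too rather than discovering it later.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $failures += "SERVICE NOT FOUND: $ServiceName"
} elseif ($svc.Status -ne 'Running') {
    $failures += "SERVICE NOT RUNNING: $ServiceName is $($svc.Status)"
}

if ($failures.Count -eq 0) {
    Write-Output 'OK: protected files present, ACLs tight, service running'
    exit 0
}
$failures | ForEach-Object { Write-Output $_ }
exit 1
```

Run it from an elevated PowerShell session right after installation and again after every reboot or update; a non-zero exit code means one of the two silent failure modes the article describes (file open to modification, or service not started) has occurred, and it can be wired into whatever monitoring already watches the host.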
As a result, we find that instead of changing the extremely unsuccessful product architecture, the developer limited itself to clumsy, ineffective patches and continued development in an extensive style. There are even more services now, and the exe file already takes 18 MB instead of 13!
SmartLine's management reacted sluggishly to the offer of cooperation to fix what was found, which is even more surprising. I did not think that the principle "why improve, people swallow it anyway!" operated in a serious IT company.
How many more problems this product has, we can only guess, because digging around for free is simply tedious. Using it is strongly not recommended, as was said more than a year ago.