SEP USB Device Control - The Cheetah and The Hare
June 29, 2016 | Posted in Purple Teams by Chris Myers
About a year ago, we were performing a laptop hardening and configuration review at one of our financial services clients using Symantec Endpoint Protection’s (SEP) USB Device Control as part of their Data Loss Prevention solution. One way SEP keeps data from leaving the corporate environment is by disabling any USB device plugged into employee workstations to prevent copying file and folders to and from unauthorized USB drives. During our testing we discovered that there is a short window of time available to copy files onto and off of USB devices. With some quick fingers and a very simple batch script designed to copy files to our test USB device, we won the timing race and beat SEP to the punch of disabling our device and successfully copied up to 50 MB worth of files to it from our client laptop!
A year later, after working with the Symantec responsible disclosure team, a CVE has been issued for the vulnerability and can be found here.
Here's How it Works...
Create A Batch Script
To take advantage of a small window of time where our USB device is accessible, we wrote a simple batch script to copy our test files off the client device and onto the USB drive (see Figure 1). There are two important things to note with this script:
- We must know the drive letter, E:\ in this case, of the USB device we wish to copy files to.
- You’ll notice the same copy command is repeated 11 times in this script. Since our window of opportunity to execute this attack is so small, we experienced some difficulties in timing the execution of the batch script correctly; too fast and the script copies to a USB drive that doesn’t exist yet, too slow and SEP has disabled the device before we could copy to it. To combat this, we repeated copy commands to increase our chances of one of them executing while our USB device was recognized and not yet disabled.
Figure 1 – A simple batch script to copy our test document (sepTest.txt.txt) to a USB Drive (E:\)
Insert USB Drive and Execute the Batch Script
Here is where those nimble fingers come into play… After inserting our USB drive (see figure 2.1), the device is recognized and active before Symantec can disable it. We immediately executed the batch script in order to beat the SEP USB Device control and successfully copy off our test documents (see figure 2.2).
Figure 2.1 – Despite our drive never showing up in My Computer as an active drive, we can see in the Device Manager that our USB drive is momentarily recognized.
Figure 2.2 – Executing our batch script immediately after inserting the USB drive results in a successful copy of our test document from the client workstation to the remote drive.
Casually Walk Out the Door
There you have it! At this point, we have successfully bypassed Symantec’s USB Device Control functionality to copy potentially sensitive documents out of the corporate environment and onto our USB drive. This vulnerability can be leveraged to remove data such as customer PII, Social Security Numbers, credit card numbers, or industry trade secrets in attempts to directly profit from the sale of this information or to cause financial and reputational damage to the target organization. To see this vulnerability in action, check out our video below!
Entities currently using Symantec Endpoint Protection for DLP should update their deployments immediately and ensure the patch addressing this issue is applied.