by Matek Kamilló
06 Sep 2023

A tale about a Red Team exercise and the Forcepoint Endpoint One DLP client

Apps

Forcepoint One Endpoint
Affected versions: 23.07.5651, 23.04.5642, 21.03.5060, 22.06.5578, 19.07.940, 22.03.5558, 20.2.4499, 22.01, 22.01.5526, 19.05.890

Summary

While preparing for a Red Team engagement, I learned about the Forcepoint Endpoint One DLP client. The product contains a restricted Python interpreter that can be run by non-administrator users. I managed to remove the restrictions, and now I have a fully functional Python interpreter. It is important to note that, according to Forcepoint's recommendation, the entire installation folder should be added to the exclusion list of AV and monitoring systems. This gave me the idea to use the "secret" interpreter to gain "initial access" to the client with a phishing attack, which I successfully implemented in practice. Later, I found an accepted, high-severity vulnerability, but internal testing had found it before me, so there will be no CVE for it.

Description

https://k4m1ll0.com