by @k4m1ll0
06 Sep 2023

A tale about a Red Team exercise and the Forcepoint Endpoint One DLP client

by @k4m1ll0
06 Sep 2023

A tale about a Red Team exercise and the Forcepoint Endpoint One DLP client

Apps

One Endpoint
One EndpointForcepoint
24.11.5696.*
24.07.5688.*
24.06.5685.*
18.05.588.*
24.04.5677.*
24.03.5676.*
23.12.5666.*
23.11.5662.*
23.10.5661.*
23.07.5651.*

PoC video

Summary

While preparing for a Red Team Engagement, I learned about the Forcepoint Endpoint One DLP client. The product contains a limited Python interpreter that can be run by non-administrator users. I managed to remove the restrictions and now I have a functionally perfectly working Python interpreter. It is essential that according to the Forcepoint recommendation, the entire installation folder should be added to the exclusion list of AV and monitoring systems. This gave me the idea to use the "secret" interpreter to gain "initial access" to the client with a phishing attack. I successfully implemented this in practice. Later, I found an accepted and high-class vulnerability, but internal testing has found it before me, therefore there will be no CVE about it.

Description

users/photos/cllwqrjjj2sk91gn20zmt0wpl.png

@k4m1ll0

6 posts

https://k4m1ll0.com

Total vcoins

6K

Social media links

Comments (0)