DeviceLock 8.3 DLP system: a year has passed, Billy, but you haven't changed at all
In the footsteps of more than last year's article, I present a sad continuation.
In the fall of 2018, I came across a comment by one of the creators of the product and decided to see if the holes in the new version were fixed and try to look for new ones.
As a result, the following was discovered:
1. The ability to remove / rename drivers was eliminated by installing more stringent access rights to them.
This decision was unambiguously obvious. This was the only plus, followed by cons:
2. Protection of system files was left “as is”, probably with the aim of ensuring the operability of the operating system update mechanisms.
As a result, deleting / renaming the system file and knocking down the service in this way can be done just as easily.
We try to erase the seemingly useless winspool.drv, which dlservice.exe depends on, and reboot.
We enter the system, we see in the task manager that the service did not start and ... oppa! Blue screen!
We are overloaded, we enter and again blue! We return the file to the place, overloaded. The service is running, nothing crashes! That’s because the sly ones did the defense! Bravo? - Do not hurry!
The first thing that catches your eye is the presence of a delay between entering and falling into the blue screen.
An attacker can do dark things, but very quickly.
However, at speeds of the USB3 and Thunderbolt interfaces, you can manage to transfer a hundred or two megabytes to a removable drive in the very couple of seconds between logging in and crashing.
The second - the system does not crash if you do not login. Those. cling to the network from your laptop, share C $ and calmly take what you need, because everything lies, including the firewall! The main thing is in the thorny bite ... Ugh !, do not go into the remote desktop and do not log in - it will fall again!
And finally, the third - we try instead of the system shell (by default, naturally, Explorer), slip a script copying something big, such as a client base, onto a USB flash drive (and yes, the registry key for editing is not closed!).
The effect is funny - the blue screen does not appear even 10 minutes after the work of our malicious script!
Superprotection reacts to the conductor! To check, just run it and get a blue screen! Those. it is enough to disable the standard shell, and the protection collapses after deleting the system file!
Developers from Smart Line, it’s not clear that the standard file open dialog has almost full file explorer functionality and is available
immediately after logging in from the task manager!
As a result, we have exactly what was expected in the previous article: they screwed additional screws into the picket, but this did not greatly strengthen the protection.
It is surprising that such a clumsy solution is offered by a company that positions itself as a developer of global protection systems!
Moreover, they think about ordinary users last, because in the event of any failure to corrupt system files, this miracle protection will simply paralyze the regular operation of the computer and a lot of time will be spent on recovery if there are no qualified personnel nearby.
While tinkering with this, I accidentally discovered yet another trick in the style of Apple after all: you can enter the management console on behalf of a regular user with an empty password! This is possible if his password matches the password of one of the selected DeviceLock admins.
Naturally, on my test virtual machines all have 8 passwords.
The developers' approach was simply struck - this is a Microsoft bug and we are not going to fix it. The question, why use the problem component, is hanging in the air.
I also noticed that the mechanisms for enhancing access rights are made no less clumsy: when installing enhanced self-protection, templates are applied without checking the results. If somehow the file is deleted or the rights are set in advance so that the installer cannot change them, then there will be no reaction. An error will not appear, and after a reboot, the service will either not start or the files will remain available for modification / deletion. And this is the work of security professionals?
As a result, we get that instead of changing the extremely unsuccessful architecture of the product, the developer limited himself to clumsy, ineffective patches and continued development in an extensive style. The service has become even larger and the exe file is already 18 MB instead of 13!
The SmartLine management reacted sluggishly to the offer of cooperation to eliminate the discovered, which is even more surprising. I didn’t think that in a serious IT-company there is a principle “why improve, people are hitting!”.
One can only guess how many more problems this product has. Poking around further for free is just lazy. Using it is highly discouraged, as mentioned more than a year ago.
In the fall of 2018, I came across a comment by one of the creators of the product and decided to see if the holes in the new version were fixed and try to look for new ones.
As a result, the following was discovered:
1. The ability to remove / rename drivers was eliminated by installing more stringent access rights to them.
This decision was unambiguously obvious. This was the only plus, followed by cons:
2. Protection of system files was left “as is”, probably with the aim of ensuring the operability of the operating system update mechanisms.
As a result, deleting / renaming the system file and knocking down the service in this way can be done just as easily.
We try to erase the seemingly useless winspool.drv, which dlservice.exe depends on, and reboot.
We enter the system, we see in the task manager that the service did not start and ... oppa! Blue screen!
We are overloaded, we enter and again blue! We return the file to the place, overloaded. The service is running, nothing crashes! That’s because the sly ones did the defense! Bravo? - Do not hurry!
The first thing that catches your eye is the presence of a delay between entering and falling into the blue screen.
An attacker can do dark things, but very quickly.
However, at speeds of the USB3 and Thunderbolt interfaces, you can manage to transfer a hundred or two megabytes to a removable drive in the very couple of seconds between logging in and crashing.
The second - the system does not crash if you do not login. Those. cling to the network from your laptop, share C $ and calmly take what you need, because everything lies, including the firewall! The main thing is in the thorny bite ... Ugh !, do not go into the remote desktop and do not log in - it will fall again!
And finally, the third - we try instead of the system shell (by default, naturally, Explorer), slip a script copying something big, such as a client base, onto a USB flash drive (and yes, the registry key for editing is not closed!).
The effect is funny - the blue screen does not appear even 10 minutes after the work of our malicious script!
Superprotection reacts to the conductor! To check, just run it and get a blue screen! Those. it is enough to disable the standard shell, and the protection collapses after deleting the system file!
Developers from Smart Line, it’s not clear that the standard file open dialog has almost full file explorer functionality and is available
immediately after logging in from the task manager!
As a result, we have exactly what was expected in the previous article: they screwed additional screws into the picket, but this did not greatly strengthen the protection.
It is surprising that such a clumsy solution is offered by a company that positions itself as a developer of global protection systems!
Moreover, they think about ordinary users last, because in the event of any failure to corrupt system files, this miracle protection will simply paralyze the regular operation of the computer and a lot of time will be spent on recovery if there are no qualified personnel nearby.
While tinkering with this, I accidentally discovered yet another trick in the style of Apple after all: you can enter the management console on behalf of a regular user with an empty password! This is possible if his password matches the password of one of the selected DeviceLock admins.
Naturally, on my test virtual machines all have 8 passwords.
The developers' approach was simply struck - this is a Microsoft bug and we are not going to fix it. The question, why use the problem component, is hanging in the air.
I also noticed that the mechanisms for enhancing access rights are made no less clumsy: when installing enhanced self-protection, templates are applied without checking the results. If somehow the file is deleted or the rights are set in advance so that the installer cannot change them, then there will be no reaction. An error will not appear, and after a reboot, the service will either not start or the files will remain available for modification / deletion. And this is the work of security professionals?
As a result, we get that instead of changing the extremely unsuccessful architecture of the product, the developer limited himself to clumsy, ineffective patches and continued development in an extensive style. The service has become even larger and the exe file is already 18 MB instead of 13!
The SmartLine management reacted sluggishly to the offer of cooperation to eliminate the discovered, which is even more surprising. I didn’t think that in a serious IT-company there is a principle “why improve, people are hitting!”.
One can only guess how many more problems this product has. Poking around further for free is just lazy. Using it is highly discouraged, as mentioned more than a year ago.