Sunday, February 12, 2012

Bypassing (?) End Point Protector 4 blocking of Teensy

One of my friends shared with me a news about some end point protection solution called End Point Protection 4. The news article highlights that Teensy and Teensy++ board can be blocked using this solution. This is the news piece

-----------------------------------------------------------------------------------------------------------------------
Endpoint Protector 4 – one step ahead the Teensy Board threat
The microcontroller Teensy++ 2.0 is one of the latest threats for endpoint security. It can be plugged into a miniUSB port, is identified as keyboard or mouse and is able to emulate every keystroke or move made by the usual input devices. With Endpoint Protector 4 you won’t be a victim of Teensy 2.0 or Teensy++ 2.0. The endpoint security solution identifies Teensy Boards, enabling you to block or allow them without affecting the normal use of your keyboard and mouse.

Get in touch now with your local CoSoSys sales person for more information and customized sales offers."
-----------------------------------------------------------------------------------------------------------------------

I checked out their website and saw Teensy Board in their list of Controlled Device Types.






I have been working on using Teensy for Penetration Tests for much time now and took this up as challenge. Aa dekhein zara kisme kitna hai dum started playing in my ears.

I wanted to test this out and downloaded a trial of their virtual appliance and set that up. I installed client on my test Windows 7 machine and connected my Teensy++ device. To my amazement, the device was not blocked even for the first time. Though, a warning balloon popped up but Teensy++ was still not blocked.I rushed back to the admin console and checked if the policies were correct



On further exploring the admin console, I saw though the device was not blocked (even when it is reported blocked), the device was detected properly. I decided to look how they identify devices to be blocked. Aaaand, I should have guessed this, they are trying to block it based upon Vendor ID and Product ID.



I decided to play with it as that warning balloon is still annoying and I prefer to be as stealthy as possible. I changed the Product ID and Vendor ID for my Teensy++. A valid Product ID and Vendor ID is required, I used that of RIM.

.\arduino-1.0\hardware\teensy\cores\usb_hid\usb_private.h




After this I restarted Arduino Development Environment, recompiled a sketch and uploaded it to Teensy++ board. Now, when I connected the Teensy++ board, bingo! there were no balloon warnings or logs in the console. Mission Accomplished !!

I may include this in Kautilya as an advice to change Product ID and Vendor ID before using Teensy++ in Penetration Tests.

P.S. - Cososys should get web console of End Point Protector 4 tested for common webapp vulnerabilities, in few minutes of playing 4-5 vulnerabilities were discovered. Management console of a product which claims to be "one step ahead the Teensy Board threat" should at least be reasonably secure.

EDIT: This nice list by Stephen J. Gowdy could be used for finding Vendor ID and Product ID.







1 comment:

  1. Nikhil....tujh me hai dum!!!
    Gr8 one.

    ReplyDelete