I sometimes come across systems that are segregated in a way I know to be flawed

Question

I sometimes come across systems that are segregated in a way I know to be flawed. The arrangement usually looks like this:

There is a general IT environment, which follows best practice: patching, anti-virus, password policy, USB disabled, etc. However, there needs to be a balance of security and usability in this environment (e.g. Internet access is allowed) so it is inherently at risk, and would be an easy target for APTs.

There is also some super sensitive database, which sits behind its own firewall. The only access to the database is remote desktop inbound, and maybe a WSUS server outbound. The admins argue that this database is "tightly restricted" and there is no way that data could be exfiltrated. Generally, remote desktop is correctly locked down - shared drives and clipboard are disabled.

I know this is flawed. If a workstation is compromised, an attacker can quietly sit and harvest the remote desktop credentials. They can then take control of the database through remote desktop. The final piece of the puzzle is to exfiltrate the data. I know in theory it is possible to do this. For example, the malware on the database could encode data as QR codes, display it on screen, and let remote desktop relay it to the client. The client could parse QR codes in the remote desktop session and capture data. In fact, I'm sure much more efficient schemes than QR codes could be used.

However, I don't currently have a practical means to exploit this. Do you know a practical way to exfiltrate data in this situation, something a bit like sqlmap?

Explanation / Answer

Some remote desktop protocols have a shared clipboard. In this case, exfiltrating data is simply a matter of copy-and-paste: copy on the remote desktop, paste on the local one.

Some protocols have built-in file transfer. Exfiltrating data becomes as simple as dragging the database files from the remote desktop to the local one.

All remote desktop protocols support video display. Exfiltration can be as primitive as starting a screen-recording program on the local system, watching the desired data scroll by, and transcribing it at your leisure, or a more sophisticated system such as automated OCR or the QR-code scheme mentioned in the question can be used.

If the data can be viewed remotely, it can be exfiltrated. It's just a question of how easy it is.
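The first two channels the answer names (shared clipboard and built-in file transfer) are the ones an administrator can actually close by policy, and the question's claim that they are "disabled" is worth checking rather than taking on trust. The following PowerShell is an added example, not code from the question or the answer; it reads the machine-wide Terminal Services policy values that control clipboard and drive/device redirection on a Windows RDP host and reports which channels are blocked. The key path and value names are the standard Group Policy registry locations; anything not present is treated as "redirection allowed", which is the Windows default.

```powershell
# Added example (not from the original post): audit RDP redirection policy on a
# Windows host. A value of 1 means the policy disables that redirection channel;
# an absent value or 0 means the channel is available to the client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each policy value mapped to the exfiltration channel from the answer it closes.
$checks = @(
    @{ Name = 'fDisableClip';     Channel = 'clipboard (copy on remote, paste on local)' },
    @{ Name = 'fDisableCdm';      Channel = 'drive redirection (drag files to local machine)' },
    @{ Name = 'fDisablePNPRedir'; Channel = 'plug-and-play device redirection' },
    @{ Name = 'fDisableCcm';      Channel = 'COM port redirection' },
    @{ Name = 'fDisableLPT';      Channel = 'LPT port redirection' }
)

function Get-RdpRedirectionStatus {
    param([string]$Key = $policyKey)

    foreach ($check in $checks) {
        $value = $null
        if (Test-Path $Key) {
            # -ErrorAction SilentlyContinue: a missing value simply stays $null
            $value = (Get-ItemProperty -Path $Key -Name $check.Name `
                        -ErrorAction SilentlyContinue).($check.Name)
        }
        [pscustomobject]@{
            Setting = $check.Name
            Channel = $check.Channel
            Blocked = ($value -eq 1)
            Status  = if ($value -eq 1) { 'blocked by policy' } else { 'ALLOWED (not set or 0)' }
        }
    }
}

# Print the audit; any row marked ALLOWED is a channel the answer describes as
# "simply a matter of copy-and-paste" or "dragging the database files".
Get-RdpRedirectionStatus | Format-Table -AutoSize
```

Run it in an elevated session on the RDP host (or against an exported policy key) and treat any "ALLOWED" row as a finding. Note what this audit does not cover: the third channel in the answer, the video display itself, has no policy switch, which is exactly the closing point that if the data can be viewed remotely it can be exfiltrated; the audit confirms only that the cheap channels are closed.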