Security researchers have revealed a zero-day vulnerability in the Dropbox for Windows app. The flaw lets an attacker who starts out as an ordinary Windows user gain Windows SYSTEM privileges.
What is the Dropbox for Windows zero-day vulnerability?
Two security researchers, Chris Danieli and another known as Decoder, first discovered the vulnerability in September. They informed Dropbox of the issue on September 18. At that time, the researchers told Dropbox that it would have 90 days to fix the issue before they disclosed it publicly. Until Dropbox rolls out a better version, an interim solution can be applied via 0Patch, a platform that delivers micropatches for known issues before a permanent, official fix becomes available.
The vulnerability is an arbitrary file overwrite issue that a local, low-privileged attacker can use to replace an executable run by a process with SYSTEM-level rights. The problem lies in the DropboxUpdater service and, although the researchers have released no exploit code, it appears to allow a local user to replace executable files that are then executed as SYSTEM.
DropboxUpdater is installed as part of the Dropbox client software. Decoder said it runs as SYSTEM in standard installations and that “one of the dropboxupdate tasks is run every hour by the task scheduler.” Each time the task is triggered, the SYSTEM account writes a log file to a location that leaves it open to exploitation. The researchers were able to overwrite files controlled by the SYSTEM account and obtain a shell, a command-line interface, with SYSTEM privileges.
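The weakness class described above is a SYSTEM scheduled task whose executable, or the directory it lives in, can be written by ordinary users. The following defender-side audit, added here and not code from Dropbox or the researchers, lists every scheduled task running as SYSTEM and flags those where such a location grants write access to low-privileged groups; it uses the built-in ScheduledTasks and Get-Acl cmdlets, and the group list and rights mask are my assumptions about what counts as low-privileged write access (it does not know Dropbox's log paths, which the article does not name).

```powershell
# Added audit example (not Dropbox's or the researchers' code). Run from an elevated prompt.
# Assumption: these principals represent "any low-privileged local user".
$lowPrivGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Assumption: any of these rights is enough to tamper with a file or drop one into a directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'

function Test-LowPrivWritable {
    param([string]$Path)
    # True when an Allow ACE for a low-privileged group carries any write-type right.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }   # unreadable ACL: cannot prove weakness, report nothing
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($task in Get-ScheduledTask) {
    # Principal.UserId is 'SYSTEM' or 'NT AUTHORITY\SYSTEM' for tasks that run with SYSTEM rights.
    if ($task.Principal.UserId -notmatch '^(NT AUTHORITY\\)?SYSTEM$') { continue }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no executable path
        # Task actions often use %SystemRoot%-style variables and may be quoted.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if (-not (Test-Path -LiteralPath $exe)) { continue }   # relative or missing path: skip
        $dir  = Split-Path -Parent $exe
        $weak = @()
        if (Test-LowPrivWritable $exe) { $weak += 'file' }
        if (Test-LowPrivWritable $dir) { $weak += 'directory' }
        if ($weak) {
            [pscustomobject]@{
                Task     = "$($task.TaskPath)$($task.TaskName)"
                Exe      = $exe
                Writable = ($weak -join ',')
            }
        }
    }
}

# Any row here is a candidate for the same low-privilege-to-SYSTEM path the article describes
# and should have its ACL tightened so only administrators and SYSTEM can write.
$findings | Format-Table -AutoSize
```

Tasks whose log or working directories sit outside the executable's folder are not covered, so extend the path list if a vendor documents such locations.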
How difficult is it to exploit this vulnerability?
There are several mitigations in play. First and foremost, the attacker must already have local user access to the target computer, which rules out a large collection of threat scenarios at once. But this doesn’t mean that this vulnerability is a dead donkey. Far from it, in fact. Privilege escalation exploits are a favored way for threat actors to get a foothold on devices and any network beyond. The Dropbox client also has to be installed in the standard manner, complete with admin rights, but as most people will likely go through this default dance, it’s not much of a mitigation.
“We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks,” a Dropbox spokesperson said, “this bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.”