Security researchers have disclosed a zero-day vulnerability in Dropbox for Windows 10
Security researchers have disclosed a zero-day vulnerability in Dropbox for Windows that can enable an attacker to gain Windows SYSTEM privileges, starting from nothing more than an ordinary, unprivileged Windows user account.
What is the Dropbox for Windows zero-day vulnerability?
Two security researchers, Chris Danieli and another known as Decoder, first unearthed the vulnerability in September, informing Dropbox on September 18. At that time, they apparently told Dropbox that it would have 90 days to fix the issue before they disclosed it publicly. The 90 days passed without that fix, so here we are.
The vulnerability exists in Dropbox for Windows and is an arbitrary file overwrite issue that can give an attacker with local user access escalated privileges to execute code as SYSTEM. The problem is with the DropboxUpdater service and, although the researchers have released no exploit code, it would appear to allow a local user to replace executable files which can then get executed by SYSTEM.
DropboxUpdater is installed as part of the Dropbox client software, and Decoder said it runs as SYSTEM in standard installations and that “one of the dropboxupdate tasks is run every hour by the task scheduler.” Every time this task fires, the updater, running as SYSTEM, writes a log file into a location that a standard user can influence, and that is what opens it to abuse: the SYSTEM-level write can be redirected at files the user could never touch directly. The researchers were able to overwrite files controlled by the SYSTEM account and obtain a shell, a command-line interface, running with those SYSTEM privileges.
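The conditions described above (a Dropbox updater task or service running as SYSTEM on a schedule, writing logs somewhere low-privilege users can modify) are straightforward to triage on a host. The PowerShell below is an added example written for this page; it is not code from the article, from the researchers, or from Dropbox. It matches tasks and services by wildcard rather than by name, because the article does not give exact names, and the log directory path is an assumption supplied as a parameter that should be replaced with the directory the updater actually writes to on the machine being checked.

```powershell
<#
  Added triage script (not from the article or Dropbox): answer three questions
  that determine whether the pattern described above applies to this host.
    1. Which Dropbox-related scheduled tasks exist, who do they run as, what do they run?
    2. Which Dropbox-related services exist, and under which account do they start?
    3. Can a low-privilege principal (Everyone, Authenticated Users, BUILTIN\Users)
       create or modify files in the directory the updater logs to?
  Run from an elevated PowerShell prompt. $LogDirectory is an ASSUMED path for
  illustration only; substitute the real log directory for your installation.
#>
param(
    [string]$LogDirectory = 'C:\ProgramData\Dropbox\Update\Log'   # assumption, not from the article
)

# 1. Scheduled tasks: match on task name or on the executable the action launches.
Write-Host "== Dropbox-related scheduled tasks =="
Get-ScheduledTask |
    Where-Object {
        $_.TaskName -like '*Dropbox*' -or
        (($_.Actions | ForEach-Object { $_.Execute }) -join ' ') -like '*Dropbox*'
    } |
    ForEach-Object {
        [pscustomobject]@{
            TaskName = $_.TaskName
            RunAs    = $_.Principal.UserId        # 'SYSTEM' is the interesting answer
            RunLevel = $_.Principal.RunLevel
            Execute  = ($_.Actions  | ForEach-Object { $_.Execute }) -join '; '
            Triggers = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join '; '
        }
    } | Format-Table -AutoSize

# 2. Services: match on service name or on the binary path, report the start account.
Write-Host "== Dropbox-related services =="
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like '*Dropbox*' -or $_.PathName -like '*Dropbox*' } |
    Select-Object Name, StartName, State, PathName |
    Format-Table -AutoSize

# 3. ACL check on the assumed log directory. Well-known SIDs are used so the check
#    is independent of display language (e.g. 'Users' vs. 'Utilisateurs').
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$writeLikeRights = 'Write|Modify|FullControl|CreateFiles|AppendData|WriteData'

function Get-SidString {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Translate an NTAccount (or already-SID reference) to its SID string; $null on failure.
    try { return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }
}

Write-Host "== Write-like rights for low-privilege principals on $LogDirectory =="
if (-not (Test-Path -LiteralPath $LogDirectory)) {
    Write-Warning "Log directory not found; adjust -LogDirectory to the real path."
} else {
    $acl = Get-Acl -LiteralPath $LogDirectory
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights.ToString() -match $writeLikeRights) -and
        ($lowPrivSids -contains (Get-SidString $_.IdentityReference))
    }
    if ($risky) {
        Write-Warning "Low-privilege principals can write here; a SYSTEM process logging into this directory is exposed to the overwrite pattern described above."
        $risky | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
    } else {
        Write-Host "No write-like ACEs for Everyone / Authenticated Users / Users on this directory."
    }
}
```

The script only reports; it does not attempt any overwrite. A SYSTEM-level task or service in sections 1 and 2 combined with a warning in section 3 is the combination that matters, and the same three checks apply to any other vendor updater that logs as SYSTEM into a shared directory.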
How difficult is it to exploit this vulnerability?
There are actually several mitigations in play, I’m glad to say. Firstly, and most importantly, the attacker must already have local user access to the target computer. That immediately rules out a whole raft of threat scenarios, but it doesn’t mean that this vulnerability is a dead donkey. Far from it, in fact. Privilege escalation exploits are a favored way for threat actors who already have a low-privilege foothold to take full control of a device and move on into any network beyond it. The Dropbox client also has to be installed in the standard manner, complete with admin rights, but as most people will likely do this default dance it’s not much of a mitigation.
According to a BleepingComputer report, a “micropatch” is available from 0patch that temporarily fixes the problem until the full Dropbox fix rolls out, by cutting off the log-writing code in DropboxUpdater.
What does Dropbox have to say about the zero-day vulnerability?
The author reached out to Dropbox for comment regarding this vulnerability. “We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks,” a Dropbox spokesperson says. “This bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users.”