Not The App, But Its Additional Service!
This vulnerability was first discovered by security researcher Chris Danielle and Decoder on zero-day and has informed Dropbox to fix it. Since September 18 (informed date), the company has recognized this flaw but not yet released any patch to date. To say, the actual application Dropbox isn’t vulnerable, but it’s alongside service application as Dropbox Updater is vulnerable enough to let hackers exploit the host. Dropbox updater is a service installed along with the Dropbox desktop application and is responsible for checking and updating the service to the latest version periodically. On a blog post, Decoder has explained how this vulnerability was exploited to gain access to the core SYSTEM of the victim. The validation of this claim was performed on Dropbox’s latest version of 87.4.138. The critical flaw here is that the vulnerable “dropboxupdate” service is able to write/alter the log files in drive path C:\ProgramData\Dropbox\Update\Log. As the Updater has permissions to SYSTEM for scheduled tasks, it’s exploitation could potentially let anyone penetrate into a host device. Though there’s a need to guess the logfile name to operate successfully, this could be done with testing tools made by James Forshaw of Google Project Zero! They help in hanging the process and performing hard link spraying to know the target file (log file). Overwriting the code within can let access into the system.
Some Quick Solutions
As of now, Dropbox is yet to release any patch for this flaw. Yet, there’s a solution called Micropatch that could help temporarily. Researchers say that restricting access into log files can help to stop or at least jeopardizing the attack. 0Patch, a platform that delivers micro patches for known vulnerabilities that can be used before the official company releases permanent updates. This solution, as described by Mitja Kolsek, CEO of Acros Security’s that made 0Patch,