Dropbox Zero-Day Flaw Gets Fixed Temporarily

Dropbox has a zero-day vulnerability that lets attackers gain permissions reserved for SYSTEM, the most privileged account on the operating system. The unpatched security flaw affects standard Dropbox installations. It is connected to the updater, which runs as a service and is responsible for keeping the program up to date. Dropbox has yet to release a new version that patches the vulnerability, but a temporary solution is freely available in the form of a micropatch.

The researchers who reported the flaw say they informed Dropbox of the issue on September 18 and allowed a 90-day period before public disclosure. The company responded that the flaw was known and that a fix would become available before the end of October. Until Dropbox rolls out a fixed version, an interim solution can be applied via 0patch, a platform that delivers micropatches for known issues before a permanent, official fix becomes available.

Describing the issue on Twitter, Mitja Kolsek, CEO of Acros Security, the company behind 0patch, says that a local low-privileged attacker can use it to replace an executable run by a process with SYSTEM-level rights. “While analyzing the issue, we decided that the most reliable fix would be to simply cut off the log-writing code from DropBox Updater. This doesn’t seem to negatively impact either DropBox functionality or the update process – it just leaves the log file empty, potentially making it harder for DropBox to troubleshoot issues on user’s computer. (Clearly, not being vulnerable trumps that.)” – Mitja Kolsek

In a blog post this week, Decoder offers details on using the flaw to escalate privileges on an already compromised host. Exploit code is not provided, since the purpose of the disclosure is to “share knowledge, not tools.” The researcher mentions that they tested the privilege escalation flaw on version 87.4.138 of the application, which is the latest release at the time of writing. The method and techniques for exploitation take advantage of the Dropbox updater, which is installed as a service with two scheduled tasks that run with SYSTEM permissions.