Security researchers Decoder and Chris Danieli have discovered a vulnerability in Dropbox for Windows that could allow an attacker to elevate privileges to SYSTEM, and they have already written a PoC exploit for it.
The problem lies in the program's update mechanism and affects default Dropbox installations.
“The vulnerability exists in Dropbox for Windows and is an arbitrary file overwrite issue that can give an attacker with local user access escalated privileges to execute code as SYSTEM. The problem is with the DropboxUpdater service and, although the researchers have released no exploit code, it would appear to allow a local user to replace executable files which can then get executed by SYSTEM,” writes Forbes columnist Davey Winder, describing the vulnerability.
The vendor has not yet released an official fix for the vulnerability, but as a temporary measure users can install the free micropatch available from 0Patch, a platform run by Acros Security that publishes micropatches for known vulnerabilities before official updates are released.
According to Acros Security head Mitja Kolsek, by exploiting the vulnerability a local user with low privileges on the attacked system can replace an executable file that is launched by a process running with SYSTEM privileges.
“Having studied the problem, we decided that the most reliable way to fix it was to simply cut off the code responsible for writing to the event log from Dropbox Updater. This should not affect the functionality of Dropbox, nor the update process; the log file will simply remain empty,” said Kolsek.
However, as Forbes notes, there are actually several mitigations in play. Firstly, and most importantly, the attacker must already have local user access to the target computer. That immediately rules out a whole raft of threat scenarios, but it doesn't mean that this vulnerability is a dead donkey. Far from it, in fact.
Privilege escalation exploits are a favored way for threat actors to get a foothold on devices and on any network beyond them. The Dropbox client also has to be installed in the standard manner, complete with admin rights, but since most people will likely do this default dance, it's not much of a mitigation.
The micropatch published on 0Patch fixes only the vulnerable part of Dropbox and is applied in memory while the system is running, so it does not require a reboot.
Last week, Decoder published details of the vulnerability, which can be used to elevate privileges on an already compromised host. Although the researchers wrote a PoC exploit, they did not publish it for ethical reasons.
While Dropbox engineers deny that the vulnerability has been exploited, Windows users face another danger: they are being attacked by Zeppelin ransomware operators through the popular ConnectWise Control remote desktop application.