It has been reported that security researchers have discovered a zero-day vulnerability in Dropbox for Windows that allows an attacker who already has access as an ordinary Windows user to obtain SYSTEM privileges.
What is the Dropbox for Windows zero-day vulnerability?
The vulnerability was discovered in September by two researchers, Chris Danieli and Decoder, who informed Dropbox of the matter on September 18. They gave Dropbox 90 days to fix the issue before they would disclose it publicly. When the 90 days passed, the issue remained unfixed.
The vulnerability exists in Dropbox for Windows and is an arbitrary file overwrite issue that allows an attacker with local user access to escalate privileges and execute code as SYSTEM. The researchers did not release exploit code; however, the problem lies within the DropboxUpdater service, which appears to allow a local user to replace executable files that are then executed by SYSTEM.
DropboxUpdater is part of the Dropbox client software. According to Decoder, it runs as SYSTEM in standard installations, and "one of the dropboxupdater tasks is run every hour by the task scheduler." Each time the task runs it writes a log file, and the location the SYSTEM account writes that log file to is what leaves the service open to exploitation. The researchers were able to overwrite files controlled by the SYSTEM account and obtain a shell (a command-line interface) with SYSTEM privileges.
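As an added example (not code from the article, from the researchers, or from Dropbox), the following PowerShell audit script looks for the general weakness the article describes: a scheduled task that runs as SYSTEM but touches paths an ordinary user can write to. It checks each SYSTEM task's executable, the executable's directory and its working directory, plus any directories you pass in with -ExtraPath; the article does not name the DropboxUpdater log location, so that parameter, the function names and the identity list are this example's own assumptions. Run it from an elevated PowerShell prompt on the machine being audited.

```powershell
# Added audit script, not from the article or from Dropbox. It enumerates scheduled
# tasks that run as SYSTEM and flags any executable, working directory, or extra
# path you supply (for example a log directory) that ordinary users can write to.

# Identities that a standard, non-admin user belongs to (assumed list).
$script:LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a principal create or change content at the path.
$script:WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                          [System.Security.AccessControl.FileSystemRights]::Modify -bor
                          [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($script:LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: generic-right bits do not map to named enum members.
        if (([int]$ace.FileSystemRights -band $script:WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-SystemTaskWritablePath {
    # -ExtraPath: directories a SYSTEM task is known to write into, e.g. its log folder.
    param([string[]]$ExtraPath = @())
    $findings = @()

    $systemTasks = Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -in @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18')
    }

    foreach ($task in $systemTasks) {
        $paths = @()
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions carry no path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if (-not $exe) { continue }
            $paths += $exe
            $parent = Split-Path -LiteralPath $exe -Parent
            if ($parent) { $paths += $parent }
            if ($action.WorkingDirectory) {
                $paths += [Environment]::ExpandEnvironmentVariables($action.WorkingDirectory)
            }
        }
        foreach ($p in ($paths | Where-Object { $_ } | Select-Object -Unique)) {
            if (Test-LowPrivWritable -Path $p) {
                $findings += [pscustomobject]@{
                    Task   = $task.TaskPath + $task.TaskName
                    RunsAs = $task.Principal.UserId
                    Path   = $p
                }
            }
        }
    }

    # Paths supplied by the caller are checked once, independent of any task.
    foreach ($p in $ExtraPath) {
        if (Test-LowPrivWritable -Path $p) {
            $findings += [pscustomobject]@{ Task = '(supplied path)'; RunsAs = 'SYSTEM'; Path = $p }
        }
    }
    return $findings
}

# Usage: pass the log directory of the updater you are reviewing, if you know it.
Get-SystemTaskWritablePath -ExtraPath @() | Format-Table -AutoSize
```

Every hit is an indicator to review rather than a confirmed flaw: some vendors legitimately grant Users write access under ProgramData, so the question for each finding is whether a SYSTEM-level task reads, executes or follows links from that location, which is exactly the pattern the DropboxUpdater log write fell into.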
How difficult is it to exploit this vulnerability?
For this vulnerability to be exploited, certain conditions must be met. The first and most important is that the attacker must already have local user access to the target computer. This rules out a large number of threat scenarios, but it does not mean the vulnerability should be taken lightly: privilege escalation exploits are a favoured way for threat actors to turn a foothold on a device into control of it and of any network beyond. The Dropbox client also has to have been installed with admin rights, but since most installations are done that way by default, this is not much of a mitigation. According to a Bleeping Computer report, a "micropatch" is available from 0patch that temporarily fixes the problem until Dropbox rolls out a fix; it works by cutting off the log-writing code in DropboxUpdater.
What does Dropbox have to say about the zero-day vulnerability?
A Dropbox spokesperson said: "We learned of this issue through our bug bounty program and will be rolling out a fix in the coming weeks. This bug can only be leveraged in limited circumstances, and we haven’t received any reports of this vulnerability impacting our users."