Transcript of DroppedIn: Remotely Exploiting the Dropbox SDK for Android
DroppedIn: Remotely Exploiting the Dropbox SDK for Android
TEAM MEMBERS: KEVIN AMORIM, LAMA ALSUWAYAN, HANG XU
(The CVE-2014-8889 Vulnerability)
Outline
Goal of the attack
Android Intents + Dropbox Authentication
The vulnerability
DroppedIn Attack
Mitigation
Data on the Cloud
World is now storing private personal and business data on the cloud
Cloud data is accessed not only by the user, but also by apps (photo sharing, storage, etc.)
Cloud services often provide a framework (SDK) that apps can utilize
- Example: The Dropbox SDK for Android
Dropbox API - Stats
* Stats according to AppBrain
Android & Dropbox
Android applications execute in a sandbox environment
Apps can’t access another app’s data directly
Apps communicate using ‘Intents’
DroppedIn Attack
Link the app with the attacker’s account instead of the victim’s to either:
- have the victim upload sensitive information or
- download malicious, attacker-controlled data that may be used as part of other attacks.
The field “INTERNAL_WEB_HOST” allows this to occur
***Only works when the Dropbox app is NOT installed***
Response from Dropbox
December 1, 2014 - Vulnerabilities disclosed to Dropbox.
December 2, 2014 - Dropbox confirmed issue, started working on patch.
December 5, 2014 - Patch available (Dropbox SDK for Android version 1.6.2)
March 11, 2015 - Public disclosure
Mitigation
Authentication no longer accepts input parameters from Intent’s extras
- Don’t allow inputs for INTERNAL_WEB_HOST
As a developer:
- Update Dropbox SDK for Android to Version 1.6.2 or higher
As a user:
- Install Dropbox onto your Android device
- Make sure you update your apps to their most recent version
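As an added example that is not part of the slides or of the Dropbox SDK, the following Android activity sketches the hardened pattern the Mitigation slide describes for the attack on the DroppedIn Attack slide: the web host used by the browser-based OAuth flow is a compile-time constant, and the INTERNAL_WEB_HOST extra is never honoured (here a launch that sets it is refused outright, which goes slightly beyond simply ignoring it). The class name, hostname, path and app-key placeholder are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

// Illustrative hardened auth activity; NOT the Dropbox SDK's own code.
// The host the browser-based OAuth flow is sent to is a compile-time
// constant, so nothing in the launching Intent's extras can redirect it.
public class HardenedAuthActivity extends Activity {
    // Fixed host and path (assumed values). Never read from an Intent.
    private static final String WEB_HOST = "www.dropbox.com";
    private static final String AUTH_PATH = "/oauth/authorize";
    // Placeholder: the embedding app's own key, compiled in, not passed by a caller.
    private static final String APP_KEY = "<your-app-key>";
    // Extra named on the slides; kept only so that a caller who sets it is refused.
    static final String EXTRA_INTERNAL_WEB_HOST = "INTERNAL_WEB_HOST";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (!extrasAreAcceptable(getIntent().getExtras())) {
            // Fail closed: a launch that tries to choose the host is treated as hostile.
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        // Browser fallback only; the app-to-app path used when the Dropbox
        // app is installed is omitted from this sketch.
        startActivity(new Intent(Intent.ACTION_VIEW, buildAuthUri(APP_KEY)));
    }

    // True unless the caller attempted to override the web host.
    static boolean extrasAreAcceptable(Bundle extras) {
        return extras == null || !extras.containsKey(EXTRA_INTERNAL_WEB_HOST);
    }

    // Builds the authorization URL from constants only. The app key goes
    // into a query parameter, never into the authority, so even a wrong key
    // cannot change which server receives the request.
    static Uri buildAuthUri(String appKey) {
        return new Uri.Builder()
                .scheme("https")
                .authority(WEB_HOST)
                .path(AUTH_PATH)
                .appendQueryParameter("client_id", appKey)
                .build();
    }
}
```

The same review question applies to any exported activity in an SDK: every value it pulls from Intent extras is attacker-influenced on a device with a malicious app installed, so security-relevant settings such as hosts and redirect targets belong in constants, not extras.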
References
http://ibm.co/1Hosb02
http://securityintelligence.com/droppedin-remotely-exploitable-vulnerability-in-the-dropbox-sdk-for-android/#.VQ8rzjCUy1l
https://blogs.dropbox.com/developers/2015/03/security-bug-resolved-in-the-dropbox-sdks-for-android/