Monday, September 23, 2013

Dropbox inspects uploaded documents

Last week, a researcher at WNCInfosec discovered that Dropbox is opening files with .doc extensions. The reason for the files being opened is apparently to perform conversions so the files can be opened in a web browser (with no plugins required).

Everyone seemed up in arms about this for the first 24 hours or so.  There were questions about what Dropbox was doing with user's private data. But then reality set in and folks realized that this is just part of the formatting conversion process.

I'm not as worried about data privacy in the sense that Dropbox might maliciously view my "private" data.  What precisely we even mean by "private" when we upload data to the cloud is a mystery to me anyway (but that's another discussion for another day).  I am however concerned that a vulnerability in the document converter/parser may threaten to disclose private data of many customers.  The software used to open the documents for conversion is LibreOffice.  It's worth noting that LibreOffice has had vulnerabilities reported as recently as 26JUL13.

A hypothetical attack would look like this:
  1. A user uploads a document that exploits a zero day vulnerability in LibreOffice.
  2. Dropbox opens the document to create the preview.
  3. The exploit results in arbitrary code execution on the server (which appear to be AWS instances).
  4. Profit!

Is this feasible?
Because we don't know how Dropbox works internally, it's impossible to know how much data an attacker would be able to obtain in this scenario.  It is unlikely that Dropbox spawns a new server for each user's files.  What is more likely is that each new document that needs a preview is loaded into a queue for processing.  A server then retrieves files for conversion from that queue.  The results are likely stored in a database of some sort, meaning that a successful exploit might also compromise this database (if one is used, remember we don't know what Dropbox internals look like).  In any case, successful code execution would very likely compromise the contents of many (if not all) user's uploaded documents.

Of course this sort of attack is hypothetical and would initially have to be exploited blind.  But it's still given me pause to think about the possibilities.  The black hat in me wants to open up a debugger and find a vuln in LibreOffice. The white hat in me remembers the CFAA, and I'm too pretty for jail.

Original blog post on Dropbox opening files:

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.