Date: April 12, 2011
Status: Patched by Dropbox
Description: This is a small experiment I did in response to Derek Newton's post about the host_id inside config.db. I will demonstrate a very slow but doable technique to gather the config.db from a targeted user. Please keep in mind that there are obviously better ways of acquiring config.db; this experiment only serves the purpose of showing a plausible attack scenario.
Scenario: Data is very valuable and many organizations use Dropbox to share important files among users. Someone could target such an organization and deploy a very simple malware designed only to copy config.db into the public Dropbox folder; this alone wouldn't raise many alarms. There are many ways of doing this; someone could even attempt it with social engineering. The design of this attack simply consists of copying config.db into the Dropbox Public folder so we can track it down with a script and download the file. This experiment does not explain how to achieve the copy of config.db, but let's face it, there are plenty of ways to accomplish this task. Once the file is copied into the Public folder, the attacker can begin the harvesting process. We do this with a simple Python script whose only task is to make an HTTP request for each ID in a range of Public Dropbox IDs. The script writes the valid queries to a text document; each one corresponds to a valid Public ID that contains config.db. Then we can simply copy and paste the valid results and happily download the file, config.db! With the config file in hand, we can read it with any SQLite DB tool, extract the host_id, paste it into our own config.db and sync everything to our computer.
How to: Let me explain in detail how to proceed with this attack. As I said before, this could be a very slow process and I doubt anyone would actually use it :)
- First of all, the attacker would need a program able to copy config.db from %APPDATA%\Dropbox to %USERNAME%\Dropbox\Public, simple enough. The program would duplicate itself on any network drives/USB drives, search for a Dropbox config file and copy it into the Public folder. Then the attacker would need a way to deploy such a program on the desired network; there are plenty of ways of doing this, and since the program only copies a file of about 8 KB it wouldn't raise many alarms (in theory).
- After the initial phase is done, the attacker could fire up a Python script from home and scan through a range of Public Dropbox IDs. Everyone has a Public ID (account number) and they are sequential, so it is very easy to build a script that scans through the list.
- By using our script, we go through a list of users and ask to download the config.db we previously uploaded into the Public folder of our targeted user. The only problem is that we have no idea which ID the user has. This is where the long and tedious scanning process takes place. Let me explain the script...
- The green rectangle is our text document, which will contain every valid host with the file config.db, so we would see a list of IDs, for example: 177302, 203722, 29382, etc.
- The blue rectangle is the range of IDs we are scanning. We could have a range of 50k account numbers; it doesn't matter.
- The red rectangle is the file we are searching for; if config.db is returned, the script writes the ID into our text document. Simple.
- I did the test and I was able to scan through 2000 hosts in about 10 minutes with one script. Nothing could stop us from using multiple scripts, each scanning a different range of IDs, and if you are using multiple computers you could speed up the process a lot more. We are completely in the dark here, because we have absolutely no idea which IDs we are looking for, so our only hope is to scan and wait. The attacker would have to be really dedicated, but it is doable.
- After many hours? days? we would finally get our valid IDs and could simply add them to the URL http://dl.dropbox.com/u/acct number/config.db and download the file.
- The last step would be to gather the host_id from the config file and add it to our own.
- There are multiple ways of doing this, but you could just copy and paste the host_id from the red rectangle into your own config file. Before doing this, shut down Dropbox, add the new host_id and restart Dropbox; it might take a minute and then it will automatically sync all the folders.
- You could also copy config.db directly into %APPDATA%\Dropbox, but before doing this you would have to edit the path in the green rectangle.
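A defender's counterpart to the scenario above, added here and not part of the original post: a Python check that walks a Dropbox Public folder and flags any file that is an SQLite database mentioning host_id, even if it has been renamed to hide it. The sample Public folder is constructed in code, and the config(key, value) table layout of the 2011 config.db is an assumption.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def looks_like_dropbox_config(path, max_bytes=1 << 20):
    """True if the file is an SQLite database whose bytes mention host_id.
    Header check plus raw substring search, so it does not depend on the exact schema."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return False
    return data.startswith(SQLITE_MAGIC) and b"host_id" in data


def find_exposed_configs(public_dir):
    """Walk a Dropbox Public folder and list files that look like a copy of config.db."""
    hits = []
    for root, _dirs, files in os.walk(public_dir):
        for name in files:
            path = os.path.join(root, name)
            if name.lower() == "config.db" or looks_like_dropbox_config(path):
                hits.append(path)
    return sorted(hits)


def make_sample_public_folder():
    """Constructed sample: a Public folder with a benign file and a renamed config copy."""
    public = tempfile.mkdtemp(prefix="dropbox_public_")
    with open(os.path.join(public, "notes.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    # Assumed layout of the 2011 config.db: a config(key, value) table holding host_id.
    renamed = os.path.join(public, "photos", "img_0001.jpg")
    os.makedirs(os.path.dirname(renamed))
    con = sqlite3.connect(renamed)
    con.execute("CREATE TABLE config (key TEXT, value BLOB)")
    con.execute("INSERT INTO config VALUES ('host_id', 'placeholder-host-id')")
    con.commit()
    con.close()
    return public


if __name__ == "__main__":
    for hit in find_exposed_configs(make_sample_public_folder()):
        print("possible config.db copy in Public folder:", hit)
```

Run it periodically against the real Public folder (or any share the attacker could read) to catch the copy before the harvesting phase even starts.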
I only tested the script section of the scenario and from my experience it is doable. This is in no way the perfect attack scenario; this article only serves to prove that a dedicated "hacker" could, without much effort, steal config.db and use the Dropbox Public folder to send it back. This is a minimal-risk attack because the only interaction on the victim's computer is copying the file, which could be done by a program crafted only for this simple task or by social engineering. The hardest part would be deploying the program that copies the file, but I am sure someone could come up with a solution easily.