A recently disclosed vulnerability, CVE-2024-5924, affects Dropbox Desktop installations. It lets a remote attacker bypass the Mark-of-the-Web (MOTW), the marker Windows uses to flag files that came from the Internet, and so strips the victim's machine of the warnings that would normally stand between an attacker-supplied file and execution. This article walks through the flaw, an illustrative code sketch, the exploit chain and mitigations. Note that user interaction is required: the victim has to open the malicious file (or visit a page that leads them to it).

The Vulnerability

The flaw lies in the handling of shared folders. Previously tracked as ZDI-CAN-23991, the issue occurs when files are synced from a shared folder belonging to an untrusted account: the Dropbox desktop application does not apply the Mark-of-the-Web to the resulting local files.

Because the synced file carries no MOTW, Windows treats it as if it had been created locally. SmartScreen, Office Protected View and the shell's open-file warning all key off the mark, so none of them fires, and opening the file runs whatever it contains in the context of the current user. The illustrative snippet below shows where that decision sits in a sync engine.

Code Snippet

```javascript
// Illustrative sketch of a sync-engine listener, not Dropbox's source.
DropboxSyncEngine.node.on('NODE_MODIFIED', async ({ node, remote, local }) => {
  if (!remote) {
    // New local file that never existed remotely: nothing to mark.
    return;
  }

  if (remote.shared_folder &&
      !(await trustedAccount(remote.shared_folder.owner_account_id))) {
    // File arrived from a shared folder owned by an untrusted account:
    // stamp it so SmartScreen and Protected View treat it as Internet content.
    await applyMarkOfTheWeb(local);
  }
});
```

The snippet above is an illustrative sketch of a sync-engine listener, not Dropbox's published source (the advisory does not include code). It shows the decision the engine has to make: a file that arrives from a shared folder owned by an account the user has not trusted must be stamped with the MOTW before it is written for the user to open. In the vulnerable builds that step was not taken for such files, so they landed on disk without the Zone.Identifier stream that carries the mark on Windows. Stamping every file from an untrusted owner, as sketched, is the intended behaviour.

Exploit Details

1. Attacker creates a shared folder in their Dropbox account, named "SharedPayload", and adds a malicious file, such as "MaliciousPayload.html".

2. Attacker shares the folder with the victim's Dropbox account. The attacker's account is one the victim has no reason to trust.

3. Victim accepts the share; the Dropbox Desktop application syncs "SharedPayload" and its contents to the victim's local disk.

4. Due to the vulnerability, the MOTW is not applied to the local "MaliciousPayload.html" file, so Windows does not treat it as content downloaded from the Internet.

5. Victim opens "MaliciousPayload.html", which executes the attacker's code in the context of the current user, compromising the device.

Following these steps, the attacker can ultimately achieve arbitrary code execution on the victim's device, exploiting the CVE-2024-5924 vulnerability.

Mitigation and Recommendations

Dropbox has released a patch for this vulnerability, and users should update the Dropbox Desktop application to the latest version. Until every endpoint is updated, treat files that arrive through shared folders from unfamiliar accounts as untrusted downloads regardless of how the shell presents them, and do not open unknown files from untrusted sources. Administrators can verify whether synced files actually carry the mark by checking for the Zone.Identifier alternate data stream on the NTFS volume.
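As an added example that is not part of the original article and not Dropbox's code, the script below shows what the missing mark actually is on Windows and gives an administrator a way to audit a synced shared folder for files that lack it, and to stamp them. The Zone.Identifier stream name, the [ZoneTransfer] section and the zone numbers are how Windows records the MOTW; the folder path and the sample stream contents are constructed for illustration.

```python
"""Check and stamp the Mark-of-the-Web on synced files.

Added example, not code from the article, from ZDI or from Dropbox. On
Windows/NTFS the MOTW is the ``Zone.Identifier`` alternate data stream that
holds an INI-style [ZoneTransfer] section; a ZoneId of 3 (Internet) or 4
(Restricted) is what makes SmartScreen and Office Protected View treat the
file as untrusted. The sample stream text and the ``SharedPayload`` path
below are constructed for illustration.
"""
import os
from pathlib import Path
from typing import Dict, List, Optional, Union

ZONE_STREAM = "Zone.Identifier"
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4


def parse_zone_identifier(text: str) -> Dict[str, Union[int, str]]:
    """Parse the [ZoneTransfer] section; ZoneId is returned as an int.

    Raises ValueError when the section or ZoneId is missing, which is how a
    stream that exists but carries no zone shows up.
    """
    fields: Dict[str, Union[int, str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId")
    if zone is None or not str(zone).isdigit():
        raise ValueError("no ZoneId in [ZoneTransfer] section")
    fields["ZoneId"] = int(zone)
    return fields


def is_internet_marked(stream_text: Optional[str]) -> bool:
    """True only if the stream places the file in the Internet or Restricted
    zone. None (no stream at all) and malformed content count as unmarked,
    which is the state CVE-2024-5924 leaves synced files in."""
    if stream_text is None:
        return False
    try:
        return int(parse_zone_identifier(stream_text)["ZoneId"]) >= ZONE_INTERNET
    except ValueError:
        return False


def build_zone_identifier(zone_id: int = ZONE_INTERNET,
                          referrer_url: Optional[str] = None,
                          host_url: Optional[str] = None) -> str:
    """Render a Zone.Identifier stream body (CRLF, as Windows writes it)."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"


def read_motw(path: Path) -> Optional[str]:
    """Read the file's Zone.Identifier stream, or None if it has none.

    Alternate data streams exist only on NTFS; elsewhere the ``file:stream``
    syntax would silently address an ordinary file whose name contains a
    colon, so refuse rather than return a false answer.
    """
    if os.name != "nt":
        raise OSError("Zone.Identifier streams require Windows/NTFS")
    try:
        with open(f"{path}:{ZONE_STREAM}", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def stamp_motw(path: Path, referrer_url: Optional[str] = None) -> None:
    """Write an Internet-zone Zone.Identifier stream onto the file (NTFS only)."""
    if os.name != "nt":
        raise OSError("Zone.Identifier streams require Windows/NTFS")
    with open(f"{path}:{ZONE_STREAM}", "w", encoding="utf-8", newline="") as fh:
        fh.write(build_zone_identifier(ZONE_INTERNET, referrer_url))


def audit_unmarked(root: Path) -> List[Path]:
    """Return every regular file under root that lacks an Internet-zone MOTW."""
    return [p for p in root.rglob("*")
            if p.is_file() and not is_internet_marked(read_motw(p))]


if __name__ == "__main__":
    # Constructed path: the shared folder named in the article's scenario.
    shared = Path.home() / "Dropbox" / "SharedPayload"
    for unmarked in audit_unmarked(shared):
        print(f"missing MOTW: {unmarked}")
        # Uncomment to stamp synced-but-unmarked files with the Internet zone:
        # stamp_motw(unmarked, referrer_url="https://www.dropbox.com/")
```

Run it on the Windows endpoint after a sync. Stamping a file restores the SmartScreen and Protected View prompts for that file but is a stopgap, not a substitute for the Dropbox update. The mark lives only in the NTFS stream: copying a file to a FAT or exFAT volume, or extracting it with a tool that does not propagate alternate data streams, silently drops it, so an audit that reports "marked" on one volume says nothing about copies elsewhere.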

For more information on the CVE-2024-5924 vulnerability, you can refer to the official CVE database and the ZDI advisory.

In conclusion, the CVE-2024-5924 vulnerability in the Dropbox Desktop application highlights the need for robust security measures to protect user data and devices. Users must remain vigilant and proactive in ensuring the security of their data and staying informed about potential security risks.

Timeline

Published on: 06/13/2024 20:15:16 UTC
Last modified on: 08/01/2024 21:25:03 UTC