UPDATE: The popular cloud storage service Dropbox was reportedly undercutting the efficacy of address space layout randomization (ASLR) by failing to enable that feature within the dynamic link libraries (DLLs) it injects into other applications. The company now claims it has resolved the issue.
Graham Sutherland explained in a post last week on codeinsecurity that Dropbox and similar tools tend to extend their functionalities to other programs using shell extensions. In Dropbox’s case, Sutherland says the extensions are likely used to add Dropbox functionalities to the menu that pops up when a user right-clicks a given file. These shell extensions are basically custom-designed DLLs which are loaded into process memory. Dropbox apparently uses two DLL extensions, one for 32-bit systems and another for 64-bit systems.
ASLR is a widely deployed security technique that randomly arranges the locations of key code and data in a process’s memory so that attackers cannot reliably predict where particular pieces of it reside. The technique’s primary purpose is to protect machines against buffer overflow attacks.
Sutherland examined the way that Dropbox extended its functionalities to Mozilla’s Firefox Web browser and noticed that the extension DLLs at work there do not have ASLR enabled. More broadly, Sutherland’s findings suggest that Dropbox is injecting DLLs without ASLR enabled into any number of 32- and 64-bit applications and processes.
“This means that any vulnerability in Firefox becomes a lot easier to exploit, since the Dropbox module provides an unrandomised anchor for a ROP (return-oriented programming) chain,” Sutherland wrote on his blog last week.
He went on to explain that this practice causes “significant degradation in the efficacy of ASLR across the entire system,” because the executable code inside the injected DLL sits at a predictable address in every process that loads it, giving an attacker a ready-made anchor for a ROP chain that could then be used to execute malicious code on affected machines.
The vulnerability is of particular concern in cases where Dropbox is extending itself into high-risk programs such as browsers and torrent clients, Sutherland claims.
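A defender’s way to check the finding above (whether a given DLL opts in to ASLR) is to read the DllCharacteristics field of its PE optional header. The following is an added example, not code from the article, from Dropbox or from Sutherland; it parses the flags with the standard library, ships a constructed header builder so it runs offline, and as a generalisation also flags the stripped-relocations case, where the DYNAMICBASE bit alone does not give the loader anything to randomise.

```python
import struct

# PE flag bits checked below (values from the PE/COFF specification)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                 # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040      # /DYNAMICBASE

def aslr_status(image: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of a PE image and report its ASLR flags."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]  # DllCharacteristics: offset 70 in both formats
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "arch": "x64" if magic == 0x20B else "x86",
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # the loader can only rebase an image that opts in AND still carries its relocations
        "aslr_effective": dynamic_base and not relocs_stripped,
    }

def build_header(dll_chars: int, coff_chars: int = 0x2102, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (DOS stub + COFF + optional header) for testing; not a real DLL."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature right after the DOS header
    opt_size = 112 if pe32plus else 96
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                      # usage: python pe_aslr_check.py some.dll
        with open(path, "rb") as f:
            print(path, aslr_status(f.read()))
```

Run it against the extension DLLs an application loads (the shell-extension DLLs the article discusses, for instance) and treat `"aslr_effective": False` as a finding to raise with the vendor.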
Sutherland notified Dropbox, which has confirmed the existence of the problem to codeinsecurity and is said to be working on a fix. It appears that the company has resolved the problem for 64-bit DLLs but not yet for the 32-bit variety.
“Our engineers are aware of this issue and actively working on fixing it,” Dropbox is quoted as having said in a statement on codeinsecurity. “Unfortunately, I can’t give you an exact timeline that a fix will become available. If you have any additional questions or concerns please let me know.”
A Dropbox spokesperson confirmed the issue in an email interview with Threatpost, saying that the problem has been fixed in the latest forum release.