How Dropbox’s red team discovered an Apple zero-day exploit chain by accident
Dropbox’s head of security Chris Evans outlined the situation, in which the firm’s Offensive Security red team — security specialists tasked with attacking a system for the purpose of finding holes and weaknesses — came across vulnerabilities in the Apple Safari browser.
The red team conducted an attack simulation with the help of third-party vendor and penetration test firm Syndis to see if Dropbox was susceptible to being exploited.
However, the experiment went further than most pen tests. As Dropbox is a repository for vast amounts of user data, the company’s security team also tested how quickly the attack was uncovered, and what the response of the data breach team was, post-exploit.
“Identifying new ways to break into Dropbox was in scope for this engagement, but even if none were found, we were going to simulate the effects of a breach by just planting malware ourselves (discreetly, of course, so as not to tip off the detection and response team),” Evans added.
As the company geared up to simulate a security breach, it realized it did not have to simulate anything at all — Syndis had stumbled across an exploitable set of zero-day vulnerabilities in Apple software.
When linked together, the bugs — which impact macOS before 10.13.4 — permitted attackers to execute arbitrary code on a victim’s system simply by visiting a malicious web page.
“[The vulnerabilities] in Apple software we use at Dropbox didn’t just affect our macOS fleet, it affected all Safari users running the latest version at the time,” the executive says.
The first vulnerability, CVE-2017-13890, allows attackers to abuse Safari for the purpose of automatically downloading and mounting disk images.
The second bug, CVE-2018-4176, uses the mounted disk image to cause an application to launch without user permission. Even when a victim visits a malicious web page, however, the Gatekeeper system still only permits apps signed by known developers to launch.
This is where the final bug in the exploit chain, CVE-2018-4175, comes in. The vulnerability can be used to register new file extensions and launch applications that are then considered safe, so that shell scripts execute without Gatekeeper ever being consulted.
Together, they resulted in an exploit chain which permitted arbitrary code execution on vulnerable systems when a malicious, crafted web page was visited.
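The chain above hinges on three things a defender can check on a macOS fleet: whether the host predates the 10.13.4 fix, whether Gatekeeper assessments are still enabled, and whether Safari is still allowed to open "safe" downloads (such as disk images) automatically. The following audit helper is an added example written for this article; it is not code from Dropbox, Syndis or Apple. The `spctl --status` and `defaults read com.apple.Safari AutoOpenSafeDownloads` commands are standard macOS administration commands that the article itself does not mention, and treating an unset `AutoOpenSafeDownloads` key as "on" is an assumption based on Safari's shipped default.

```shell
#!/bin/sh
# Added example (not from the article or from Dropbox/Syndis): audit a macOS
# host against the Safari/Gatekeeper exploit chain fixed in macOS 10.13.4.

# Assumption: the three CVEs named in the article were fixed in this release.
FIXED_VERSION="10.13.4"

# version_field VERSION N -> prints the Nth dotted component of VERSION, or 0
# if the component is absent (so "10.13" compares like "10.13.0").
version_field() {
    v=$(printf '%s\n' "$1" | tr '.' '\n' | sed -n "${2}p")
    printf '%s\n' "${v:-0}"
}

# version_lt A B -> returns 0 (true) if version A sorts numerically before B.
# Numeric comparison matters: 10.13.10 must not sort before 10.13.4.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(version_field "$1" "$i")
        y=$(version_field "$2" "$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# assess_host VERSION GATEKEEPER AUTOOPEN
#   VERSION    : macOS product version, e.g. 10.13.3
#   GATEKEEPER : "enabled" or "disabled", as spctl --status reports it
#   AUTOOPEN   : "1" if Safari still opens "safe" files after download, else "0"
# Prints one finding per line; the return value is the number of findings
# (0 means the host is clean with respect to this chain).
assess_host() {
    findings=0
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "PATCH: macOS $1 predates $FIXED_VERSION (CVE-2017-13890, CVE-2018-4176, CVE-2018-4175 unpatched)"
        findings=$((findings + 1))
    fi
    if [ "$2" != "enabled" ]; then
        echo "GATEKEEPER: assessments are disabled; unsigned apps can launch"
        findings=$((findings + 1))
    fi
    if [ "$3" = "1" ]; then
        echo "SAFARI: 'Open safe files after downloading' is on; disk images auto-mount"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Collect the three inputs from the local machine and assess them.
# Does nothing (and returns 0) when sw_vers is absent, i.e. not on macOS.
audit_local_host() {
    if ! command -v sw_vers >/dev/null 2>&1; then
        echo "sw_vers not found: not a macOS host, nothing to audit" >&2
        return 0
    fi
    ver=$(sw_vers -productVersion)
    gk=$(spctl --status 2>/dev/null | grep -q 'enabled' && echo enabled || echo disabled)
    # Assumption: an unset key means Safari's default (auto-open on) is in effect.
    ao=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    assess_host "$ver" "$gk" "$ao"
}

# Constructed sample input so the logic can be exercised anywhere:
# an unpatched host with Gatekeeper on and Safari auto-open still enabled.
assess_host "10.13.3" "enabled" "1"

# Then audit the real host (a no-op off macOS); exit status = number of findings.
audit_local_host
```

Run it with `sh audit.sh` on a fleet host (via an MDM or SSH script) and treat any non-zero exit status as a host that needs the patch, Gatekeeper re-enabled, or the Safari auto-open setting turned off. The version comparison is deliberately numeric per component, because a lexical comparison would misclassify 10.13.10 as older than 10.13.4.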
The vulnerabilities found during the engagement have been credited to Syndis via the Dropbox Offensive team.
The security team’s findings were disclosed to Apple on February 19, leading to acknowledgment from the iPad and iPhone maker on the same day. After a month of testing and creating a patch, Apple deployed a security fix on March 29.
However, disclosure appears to have been delayed due to CVE-2018-4389, a vulnerability in macOS Mojave 10.14 attributable to Syndis and described as a means to “process a maliciously crafted Mail message which may lead to UI spoofing.” This flaw was not resolved until October 30.
“Dropbox protects the data of more than 500 million registered users. We know that we are targeted by adversaries that could develop and use zero-day exploits against us, and we need to protect ourselves accordingly,” Evans says. “This engagement was a win for us, for Apple, and for internet users on various levels. Not only did we get to test our defensive posture, we also made the Internet safer by identifying and reporting vulnerabilities in macOS.”