Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 169 views

    Dropbox Security

    Uploaded by

    glowworms
    This document provides an overview and critical analysis of the Dropbox software and its security. It describes Dropbox's popularity with over 50 million users and $1 billion valuation. It then analyzes some past security issues with Dropbox and motivations for further study. The document examines Dropbox's file synchronization protocols, encryption implementation, and network traffic. It finds issues with outdated OpenSSL and encryption libraries. It details how the Dropbox configuration database can be decrypted and important secrets extracted. It also describes attacks possible against the LAN sync protocol used between Dropbox clients.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd

    Dropbox Security

    Uploaded by

    glowworms
    169 views31 pages
    This document provides an overview and critical analysis of the Dropbox software and its security. It describes Dropbox's popularity with over 50 million users and $1 billion valuation. It then analyzes some past security issues with Dropbox and motivations for further study. The document examines Dropbox's file synchronization protocols, encryption implementation, and network traffic. It finds issues with outdated OpenSSL and encryption libraries. It details how the Dropbox configuration database can be decrypted and important secrets extracted. It also describes attacks possible against the LAN sync protocol used between Dropbox clients.

    Original Description:

    Security of Dropbox files and services

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides an overview and critical analysis of the Dropbox software and its security. It describes Dropbox's popularity with over 50 million users and $1 billion valuation. It then analyzes some past security issues with Dropbox and motivations for further study. The document examines Dropbox's file synchronization protocols, encryption implementation, and network traffic. It finds issues with outdated OpenSSL and encryption libraries. It details how the Dropbox configuration database can be decrypted and important secrets extracted. It also describes attacks possible against the LAN sync protocol used between Dropbox clients.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    169 views31 pages

    Dropbox Security

    Uploaded by

    glowworms
    This document provides an overview and critical analysis of the Dropbox software and its security. It describes Dropbox's popularity with over 50 million users and $1 billion valuation. It then analyzes some past security issues with Dropbox and motivations for further study. The document examines Dropbox's file synchronization protocols, encryption implementation, and network traffic. It finds issues with outdated OpenSSL and encryption libraries. It details how the Dropbox configuration database can be decrypted and important secrets extracted. It also describes attacks possible against the LAN sync protocol used between Dropbox clients.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 31

    A CRITICAL ANALYSIS OF DROPBOX SOFTWARE SECURITY

    Florian LEDOUX florian.ledoux(at)eads.net @Myst3rie

    Nicolas RUFF nicolas.ruff(at)eads.net

    EADS Innovation Works


    SE/IT department Suresnes, FRANCE

    @newsoft

    DROPBOX OVERVIEW
    Dropbox: a leader in Cloud backup

    o o o

    Over 50 million users Estimated company value: over $1 billion (Year: 2011 / Source: Wikipedia)

    Client software available for

    Windows, OS X, Linux, Android, iOS and web browser

    Lot of competitors

    Google Drive, SkyDrive, iCloud, box.com ...

    DROPBOX OVERVIEW

    Dropbox security record (partial)

    o
    o o

    March 2011: Dropbox client for Smartphones do not make use of SSL/TLS encryption
    April 2011: Derek Newton realized that login/password is useless (if you happen to know host_id secret) June 2011: a software upgrade issue provided passwordfree access to all user accounts for one day

    o
    o

    USENIX 2011: "Dark Clouds on the Horizon


    August 2012: a stolen password from Dropbox employee lead to massive spam

    DROPBOX OVERVIEW
    Why studying Dropbox ?

    o o o o

    Dropbox is a leader No previous work on the effective implementation "LAN Sync" protocol routinely observed during penetration testing assignments We are happy Dropbox users too

    DROPBOX OVERVIEW
    Further analysis holds true for client versions 1.1.x to 1.5.x
    Windows, Linux and OS X clients are mostly written in Python

    "How Dropbox Did It and How Python Helped" (PyCon 2011)

    Windows client

    o o o

    Generated using PY2EXE A ZIP with all PYC files to be found within PE resources Python 2.5 interpreter has been slightly customized

    Source quest

    SOURCE QUEST
    Standard PYC (redux)

    o o

    PYC is Python bytecode PYO is Python optimized bytecode


    Timestamp Marshalled bytecode

    Bytecode version

    Dropbox PYC

    SOURCE QUEST
    Diffing PYTHON25.DLL with original

    o o o

    53 modified functions (out of ~4500) Opcodes have been swapped in PyEval_EvalFrame() Decryption function added in ReadObjectFromString()

    Which encryption algorithm is used ?

    o o

    0x9e3779b9 constant is linked to TEA symmetric encryption family Here: XXTEA MT_getnext() / MT_decrypt() functions are involved

    SOURCE QUEST

    XXTEA implementation

    void btea(char *data, uint32 len, uint32 const key[4])


    Key seed Block len

    ReadObjectFromString()
    o o o
    Read 1st byte (e.g. 0x63 = code) 1st DWORD (e.g. 0x0479F970) used for key generation 2nd DWORD (e.g. 0x208e) gives block size

    Not as easy as it may sounds

    Spurious NULL bytes all over the place

    SOURCE QUEST
    Bytecode decompilation

    o o o o o

    Pyretic / unpyc o Targets Python 2.5 (Fails in real life) Uncompyle2 o Targets Python 2.7 only (Works in real life)

    Our solution
    Uncompyle2 fork Bytecode translator 2.5 & 2.6 2.7 Single decompilation engine Kudos to Eloi Vanderbeken

    https://github.com/Mysterie/uncompyle2

    CODE INJECTION (BONUS)


    PYTHON25.DLL is not easy to reach

    o o o
    Yet

    Anonymously mapped in memory Not easy to locate import / export tables Some functions like PyRun_File() are nop'ed

    o o

    PyRunString() is not patched Arbitrary Python statements can be run in Dropbox context

    DEBUG MODE
    o o
    Debugging is hard DBDEV environment variable to the rescue

    Dropbox <= 1.1 def is_valid_time_limited_cookie(cookie): t_when = int(cookie[:8], 16) ^ 1686035233

    if abs(time.time() - t_when) < 172800:


    if md5.new(cookie[:8] + 'traceme').hexdigest()[:6] == cookie[8:]:

    return True

    DEBUG MODE

    Dropbox 1.2
    IS_DEV_MAGIC = DBDEV and hashlib.md5(DBDEV).hexdigest().startswith('c3da6009e4')

    DEBUG MODE

    DBTRACE can help, too

    10.224 | MainThread: Dropbox-win-1.1.45 (2796) starting 10.865 | MainThread: u'host_id' = u'ab75c...

    13.509 | MainThread: Opened Dropbox key 32.356 | RTRACE: Sending trace 1327936014 (C:\...\Dropbox\l\4f26b5fc) 33.058 | STATUS: Creating named pipe 59.318 | UPLOAD_HASH: Next needed hash: AUCwQ6iYIfVxGs1f6HjkWZgqcbmWZiTCs6HU8HRykzU

    DEBUG MODE

    and many others

    o o o

    DBMEMPROF, DBCPUPROFILE, DBPROFILE FAKE_BLOCK DROPBOX_HOST

    Who's in charge here?

    o o

    host = 'tarak.corp.dropbox.com Not exposed on the Internet

    GIMME RESULTS

    not excuses !

    CONFIGURATION DATABASE
    SQLite 3 database: config.dbx

    o o

    Dropbox < 1.2: easy to dump Dropbox 1.2: "encrypted" SQLite

    Encryption
    Not: http://sqlcipher.net/
    But: http://www.hwaci.com/sw/sqlite/see.html Activation password == license key == default value

    Namely: 7bb07b8d471d642e

    CONFIGURATION DATABASE
    Encryption key is machine-protected
    Windows o Seed stored in HKCU\Software\Dropbox\ks\Client o DPAPI encryption

    Linux
    o o
    o o o
    Seed stored in ~/.dropbox/hostkeys Custom "obfuscator" (reversible encryption)

    Mac OS X
    Seed stored in ~/.dropbox/hostkeys Custom "obfuscator" based on IOPlatformSerialNumber, DAVolumeUUID and more Kudos to the Mac OS X developer for full API re-implementation!

    CONFIGURATION DATABASE
    Effective encryption key is PBKDF2(seed)

    Please use this information for forensics purpose only

    USER_HMAC_KEY = '\xd1\x14\xa5R\x12e_t\xbdw.7\xe6J\xee\x9b'

    APP_KEY = '\rc\x8c\t.\x8b\x82\xfcE(\x83\xf9_5[\x8e'
    APP_IV = '\xd8\x9bC\x1f\xb6\x1d\xde\x1a\xfd\xa4\xb7\xf9\xf4\xb8\r\x05' APP_ITER = 1066 USER_KEYLEN = 16 DB_KEYLEN = 16

    Network protocols

    NETWORK PROTOCOLS
    Network traffic

    o o o

    fully transported over HTTPS OpenSSL + nCrypt wrapper Proper certificate checking

    root_certs = '# Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, () -----BEGIN CERTIFICATE-----\n MIIDEzCCAnygAwIBAgIBATA

    ()
    L7tdEy8W9ViH0Pd\n -----END CERTIFICATE-----\n\n'

    Hardcoded CA list

    NETWORK PROTOCOLS
    Issues
    OpenSSL 0.9.8e ?

    o o

    as of DropBox 1.4.17 Hello CVE-2011-4109, CVE-2012-2110, and others

    nCrypt completely buggy and unsupported software?


    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614051

    No patch since 2007

    NETWORK PROTOCOLS
    File synchronisation: RSYNC protocol

    File storage: Amazon Cloud S3


    Implementation details

    o o o

    Blocks of 4 MB in size
    SHA-256 of each block Encryption is provided by SSL/TLS only

    DROPBOX PROTOCOL
    Servers of interest
    Blockserver: manages 4MB blocks Authserver: user authentication, software setup Metaserver: handles information requests about files and directories Metaexcserver / blockexcserver: handle exceptions Statserver / notifyserver: statistics

    set_server(ret, 'blockserver', secure=True, timeout=60, **non_exc_kwargs) set_server(ret, 'metaserver', secure=True, timeout=90, **non_exc_kwargs) set_server(ret, 'metaexcserver', secure=True, timeout=90, **exc_kwargs) set_server(ret, 'blockexcserver', secure=True, timeout=90, **exc_kwargs) set_server(ret, 'statserver', secure=True, timeout=90, **exc_kwargs) set_server(ret, 'notifyserver', secure=False, timeout=90, **non_exc_kwargs)

    DROPBOX PROTOCOL
    HOST_ID

    o o o o o o

    Unique and forever user identifier 128-bit length Server-side generated on 1st installation Not affected by password change Stored in local configuration database

    HOST_INT
    Unique identifier per device

    NS_MAP o User namespace identifier o Killed "dropship" hack


    Before: get_block( hash_for_block ) After: get_block( hash_for_block ; ns_map + host_id)

    LAN sync protocol

    LAN SYNC PROTOCOL


    Local sync between two Dropbox clients

    o o

    Discovery: UDP/17500 broadcasts Data exchange: TCP/17500

    Data exchange protocol

    o o

    Each Dropbox instance can act as a Client or a Server


    Client SSL/TLS authentication

    Key pair in configuration database

    LAN SYNC PROTOCOL


    Attacking a client in server mode
    Requires a server-known key pair

    LAN SYNC PROTOCOL


    Attacking the client mode

    Server certificate is not checked

    LAN Sync protocol (redux)

    o o o o

    HELLO / HOWDY

    PING / PONG
    HAS / HASREPLY / HASFAIL (+ hash) GET / GETREPLY / GETFAIL (+ hash & file content)

    LAN SYNC PROTOCOL

    Demo !

    QUESTIONS

    You might also like