BlackHatEU2013 – Day2 – DropSmack: How cloud synchronization services render your corporate firewall worthless

corelanc0d3r March 15, 2013
This article has 8,600 views

Jake Williams (@malwareJake) from CSR Group has more than a decade of experience with systems engineering, network defines, malware reverse engineering, penetration testing and forensics. He spent some good time looking at Cloud synchronization services and is presenting some findings in this talks.

First of all, think of Dropbox (or any similar tools) as a C&C botnet channel by design.  The talk is not just about Dropbox, but most of the other tools appeared to be easier to break.   Cloud sync services will take just any file placed in a synced folder and sync it to any other device that is connected to the service with that account, using the cloud as the central platform.  Infecting files destined for a backup site would be interesting too, Jake says.

Dropbox has a history of security issues.  In 2011, researchers detected a horrible “free beer” authentication issue, allowing anyone to log in without a password.   Some people also discovered that mobile file metadata could be retrieved in the clear.  Frank McClain and Derek Newton reversed the Dropbox database format and published the details, triggering the Dropbox devs to change the format.  In 2012, Ruff and Ledoux reverse engineered the software, build their own python interpreter to analyze the internal security…  triggering the Dropbox devs to continue to play the “cat and mouse game” and change logic again.  In short, Dropbox has been broken numerous times.  Again, Jake explains that he doesn’t want to pick on Dropbox.  The current version of Dropbox sets the standard for similar tools and other similar tools might still contain the same issues that were fixed in Dropbox already.

One of Jakes clients requested a “no holds barred” pen test, allowing him to simulate an APT attack.   He looked at web portals, checked patch levels on internet facing services, tried social engineering tricks, but wasn’t particularly successfull at that.  Spam-based attacks didn’t work (but Jake still continued to use the technique, just in case he got lucky at a certain point in time). Browser based XSS-type-of-exploits didn’t work either, so it was time for plan B.

Jake found a way to get the CIO’s personal email address via Facebook, by “‘attacking” his kids.  Jake sent him a spear phishing email, asking some question about the fundraising project he’s involved with (based on Facebook data) which eventually lead to owning his work laptop.  While looking at what he could find on the laptop, Jake discovered that a lot of corporate data were stored on the laptop, and synchronized into the cloud using Dropbox.   Using this laptop, it is possible to send a file to any device used by the CIO.   The ultimate goal would be to have a running implant, providing a reverse shell from inside the corporate network.

So, what if the CIO is using Dropbox on the corporate machine/desktop (behind the firewall) too? We already know he has corporate data on his laptop, synced via Dropbox. So far so good, but a standard reverse shell might be blocked by the firewall. Perhaps it would be possible to use the Dropbox C&C channel as a reverse comm channel.

DropSmack

That’s how DropSmack was born, which is a new PoC malware designed to use file sync services to provide a C&C comm channel.  It’s not realtime, but thanks to improvements made by Dropbox, syncing is become faster. The idea is that, by using a reverse shell on the home laptop, and using DropSmack, it would be possible to exfiltrate data and communicate with the malware on the corporate computer, simply using the fact that Dropbox will sync anything.

Jake says that DropSmack is slow and ugly and can probably be improved, but it works just fine from a PoC point of view. DropSmack contains the following basic commands:

  • PUT
  • GET
  • DELETE
  • EXECUTE
  • SLEEP
  • MOVE
To get a command to execute, create a text file that contains the command and copy it into the Dropbox folder.  DropSmack will detect the new file, execute the command, and remove the file again.   Dropbox will show a popup when a new file is added or deleted, but this popup disappears automatically. In general, pick “smart” names when exfiltrating/injecting new files, because dropbox will show the filename to the end user.

To install DropSmack:

  1. Embed it in a file that is already synced
  2. Add some macro goodness  (msfencode with vbs payload works well)
  3. Load the file back to the machine you can access
  4. File automatically syncs
  5. Wait until the user opens the file….

Waiting until the user opens the file is not… ideal.  But since the user probably created the original file himself, it might be trivial to use a social engineering trick to get him to open “his own” file.

Detecting DropSmack

  • Traditional IDS systems won’t work. Dropbox uses SSL encryption.
  • Firewalls mostly won’t work either.
  • Antivirus… can be fooled as well.
  • Most DLP Software doesn’t care either

You may be able to detect DropSmack if you have an application whitelist policy, because it might alert/prevent the execution of DropSmack applications/processes.  On the other hand, there may be ways around this (powershell injection etc).   In the end, it comes down to a black & white decision on whether to allow sync services such as Dropbox.

All of the detection methods are focused on finding illicit synchronisation software installations.  If you allow the software, you also allow the communication channel, which means it can be abused, by design.  To further detect installations, you could:

  • Look for traces of the Dropbox LanSync protocol (TCP/UDP 17500).
  • Look for DNS requests to servers related to sync services (might be a bit painful)
  • Block access to Amazon SE (which is used by the Dropbox back-end)… but breaks other stuff
  • Scan user profile directories for illicit installations.  The reason these apps are installed in the profile folder is because this doesn’t trigger the UAC prompt. In any case, this is probably the best way to detect the use of Dropbox.
  • Check for DropBoxSync.exe (which is the DropSmack process)
  • Check the “deleted files” log, because those should/might indicate the creation/deletion of DropSmack command files.
  • Keep in mind that other people might have been using similar techniques to do this.
  • Don’t forget to agree on a policy with company management, communicate it, and take pro-active & reactive measures to detect & remove illicit installations if that is what management agrees with.
  • If you HAVE to use a sync service, pick one that at least encrypts their local (sqlite) database.

This concludes my coverage of BlackHat Europe 2013.  It was a great conference, and – as usual – the perfect opportunity to meet old friends and make new ones.  Hope to see you at another conference some time soon.

Take care & stay safe !

Peter



Similar/Related posts:

Default ThumbnailBlack Hat Europe 2013 – Preview Default ThumbnailHappy New Year – here’s my special gift to you, corelanc0d3r Default ThumbnailWhy Vista 32bit doesn’t use more than 3Gb of memory, even if you have more RAM installed Default ThumbnailBlackHat EU 2012 – Day 2 Default ThumbnailBlackHat Europe 2011 / Day 01

Tags:

, , , ,

© Corelan Consulting BV. All rights reserved. ​The contents of this page may not be reproduced, redistributed, or republished, in whole or in part, for commercial or non-commercial purposes without prior written permission. See the Terms of Use and Privacy Policy for details.