{"id":9875,"date":"2013-03-15T17:57:45","date_gmt":"2013-03-15T16:57:45","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9875"},"modified":"2013-03-15T17:57:45","modified_gmt":"2013-03-15T16:57:45","slug":"blackhateu2013-day2-dropsmack-how-cloud-synchronization-services-render-your-corporate-firewall-worthless","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2013\/03\/15\/blackhateu2013-day2-dropsmack-how-cloud-synchronization-services-render-your-corporate-firewall-worthless\/","title":{"rendered":"BlackHatEU2013 - Day2 - DropSmack: How cloud synchronization services render your corporate firewall worthless"},"content":{"rendered":"

Jake Williams<\/a> (@malwareJake) from CSR Group has more than a decade of experience with systems engineering, network defines, malware reverse engineering, penetration testing and forensics. He spent some good time looking at Cloud synchronization services and is presenting some findings in this talks.<\/p>\n

First of all, think of Dropbox (or any similar tools) as a C&C botnet channel by design. \u00a0The talk is not just about Dropbox, but most of the other tools appeared to be easier to break. \u00a0 Cloud sync services will take just any file placed in a synced folder and sync it to any other device that is connected to the service with that account, using the cloud as the central platform. \u00a0Infecting files destined for a backup site would be interesting too, Jake says.<\/p>\n

Dropbox has a history of security issues. \u00a0In 2011, researchers detected a horrible \"free beer\" authentication issue, allowing anyone to log in without a password. \u00a0 Some people also discovered that mobile file metadata could be retrieved in the clear. \u00a0Frank McClain and Derek Newton reversed the Dropbox database format and published the details, triggering the Dropbox devs to change the format. \u00a0In 2012, Ruff and Ledoux reverse engineered the software, build their own python interpreter to analyze the internal security\u2026 \u00a0triggering the Dropbox devs to continue to play the \"cat and mouse game\" and change logic again. \u00a0In short, Dropbox has been broken numerous times. \u00a0Again, Jake explains that he doesn't want to pick on Dropbox. \u00a0The current version of Dropbox sets the standard for similar tools and other similar tools might still contain the same issues that were fixed in Dropbox already.<\/p>\n

One of Jakes clients requested a \"no holds barred\" pen test, allowing him to simulate an APT attack. \u00a0 He looked at web portals, checked patch levels on internet facing services, tried social engineering tricks, but wasn't particularly successfull at that. \u00a0Spam-based attacks didn't work (but Jake still continued to use the technique, just in case he got lucky at a certain point in time). Browser based XSS-type-of-exploits didn't work either, so it was time for plan B.<\/p>\n

Jake found a way to get the CIO's personal email address via Facebook, by \"'attacking\" his kids. \u00a0Jake sent him a spear phishing email, asking some question about the fundraising project he's involved with (based on Facebook data) which eventually lead to owning his work laptop. \u00a0While looking at what he could find on the laptop, Jake discovered that a lot of corporate data were stored on the laptop, and synchronized into the cloud using Dropbox. \u00a0 Using this laptop, it is possible to send a file to any device used by the CIO. \u00a0 The ultimate goal would be to have a running implant, providing a reverse shell from inside the corporate network.<\/p>\n

So, what if the CIO is using Dropbox on the corporate machine\/desktop (behind the firewall) too? We already know he has corporate data on his laptop, synced via Dropbox. So far so good, but a standard reverse shell might be blocked by the firewall. Perhaps it would be possible to use the Dropbox C&C channel as a reverse comm channel.<\/p>\n

DropSmack<\/h3>\n

That's how DropSmack was born, which is a new PoC malware designed to use file sync services to provide a C&C comm channel. \u00a0It's not realtime, but thanks to improvements made by Dropbox, syncing is become faster. The idea is that, by using a reverse shell on the home laptop, and using DropSmack, it would be possible to exfiltrate data and communicate with the malware on the corporate computer, simply using the fact that Dropbox will sync anything.<\/p>\n

Jake says that DropSmack is slow and ugly and can probably be improved, but it works just fine from a PoC point of view.\u00a0DropSmack contains the following basic commands:<\/p>\n