Dropbox’s Red Team Accidentally Discovers Apple Zero-Day Exploit Chain

Dropbox’s red team recently discovered an Apple zero-day exploit chain by accident while probing vulnerabilities in their software.

According to a new report from ZDNet, Dropbox’s head of security, Chris Evans, shared a story of how critical bugs in popular software can get fixed when good hackers do the right thing.

While probing DropBox’s cloud storage system for bugs, the company’s red team accidentally discovered a set of zero-day vulnerabilities in Apple’s software.

According to the report, the team conducted an attack simulation alongside third-party vendor and penetration test firm Syndis in order to see whether Dropbox was susceptible to being exploited. The team also tested how quickly the attack was uncovered as well as what the response of the data breach team was after the exploit.

“We’ve invested a lot in our hardening, detection, alerting, and response capabilities at Dropbox,” stated Chris Evans, Head of Security, in a blog post. “Even if an attacker breaks in and accesses various systems in our environments without triggering an alarm, we have extensive instrumentation to trace activity post-exploitation. So how do we know we’re doing a good job? That’s the kind of testing we were going for with our most recent attack simulation. Our testing goals included measuring the steady-state of our detection and alerting program, as well as measuring our team’s response when a breach has been identified.”

“Identifying new ways to break into Dropbox was in scope for this engagement, but even if none were found, we were going to simulate the effects of a breach by just planting malware ourselves (discretely, of course, so as not to tip off the detection and response team),” Evans added.

When Syndis performed their tests, they discovered that three previously unknown vulnerabilities could be chained together into a two-stage exploit that would perform remote code execution on a vulnerable macOS computer.

The three vulnerabilities Syndis found affected macOS 10.12.6, and involved a bypass of macOS Gatekeeper anti-malware. Chained together, an attacker could use them to take control of a Mac by getting a target, such as a Dropbox employee, to visit a malicious web page with Safari.

Here’s how ZDNet describes the three vulnerabilities:

The first vulnerability, CVE-2017-13890, allows attackers to abuse Safari for the purpose of automatically downloading and mounting disk images.

The second bug, CVE-2018-4176, utilizes the disk mount to cause an application to launch without user permission. Should a victim visit a malicious web page, however, the Gatekeeper system still only permits apps to launch which are signed by known developers.

This is where the final bug in the exploit chain, CVE-2018-4175, comes in. The vulnerability can be used to register new file extensions and launch applications which are then considered safe, thereby executing shell scripts without Gatekeeper becoming involved.

Apple promptly fixed the bugs just over one month later, and Evans notes that this response was “much better than the industry norm of ‘within 90 days,'” the timeframe Project Zero gives vendors to fix the bugs it reports, otherwise disclosing them publicly.

Evans also points out that “even if an attacker breaks in and accesses various systems in our environments without triggering an alarm, we have extensive instrumentation to trace activity post-exploitation.”

“We know that we are targeted by adversaries that could develop and use zero-day exploits against us, and we need to protect ourselves accordingly,” wrote Evans. “The risk of getting hit with zero-day exploits is a reality of being connected to the internet, but detecting these is tricky. A powerful zero-day will always gain a foothold, so this was a test of our instrumentation for detecting and alerting on post-exploit activity.”