@tanprathan
Last active June 14, 2018 13:08
Dropbox CVE-2018-12271 Information
> [Description]
> ** DISPUTED ** An issue was discovered in the com.getdropbox.Dropbox
> app 100.2 for iOS. The LAContext class for Biometric (TouchID)
> validation allows authentication bypass by overriding the LAContext
> return Boolean value to be "true" because the
> kSecAccessControlUserPresence protection mechanism is not used. In
> other words, an attacker could authenticate with an arbitrary
> fingerprint. NOTE: the vendor indicates that this is not an attack of
> interest within the context of their threat model, which excludes
> iOS devices on which a jailbreak has occurred.
>
> ------------------------------------------
>
> [Additional Information]
> The Biometric (TouchID) validation mechanism in Dropbox com.getdropbox.Dropbox
> (iOS: App Store Version 100.2) is implemented with the LAContext class, which
> allows an attacker to perform runtime manipulation and bypass the TouchID
> validation (local authentication) by overriding the LAContext return Boolean
> value to be "true". Therefore an invalid fingerprint could be used to bypass
> the authentication check on Dropbox and gain access to the app.
>
> Recommendation: implement user-presence validation with the
> "kSecAccessControlUserPresence" keychain access-control attribute (the
> protected item is bound to the TouchID fingerprint set that is enrolled when
> the data is saved to the keychain; if that set changes, the TouchID
> evaluation fails) instead of relying on the LAContext class alone.
>
> Ref:https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
>
> POC:https://www.dropbox.com/s/n880ob3gtvfwryu/20180609_013320.mp4?dl=0
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> OWASP Mobile Top 10 2016:M1-Improper Platform Usage, CWE-287 - Improper Authentication
>
> ------------------------------------------
>
> [Vendor of Product]
> Dropbox
>
> ------------------------------------------
>
> [Affected Product Code Base]
> com.getdropbox.Dropbox (iOS: App Store) - 100.2
>
> ------------------------------------------
>
> [Affected Component]
> Fingerprint implementation
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Authentication Bypass
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker with access to a jailbroken iOS device could perform runtime
> manipulation of the biometric authentication and force its return value to
> be "true". A malicious application that evades App Store detection could
> likewise attack the Dropbox application on a jailbroken device by hooking
> into the biometric mechanism in order to bypass the authentication process.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Prathan Phongthiproek
>
> ------------------------------------------
>
> [Reference]
> https://www.dropbox.com/s/n880ob3gtvfwryu/20180609_013320.mp4?dl=0
> https://hackerone.com/reports/363544
Use CVE-2018-12271.
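As an added illustration of the Recommendation section above, not code from the gist, from Dropbox, or from the OWASP MSTG, the following Swift shows the two patterns side by side: the LAContext-only check whose Boolean a runtime hook can flip, and a keychain item protected by a SecAccessControl object so that the secret is released only after the biometric check succeeds. The service and account names are hypothetical; the snippet assumes a device with a passcode set and an enrolled fingerprint, and it targets iOS 11.3 or later for the `.biometryCurrentSet` flag (the `.userPresence` flag named in the advisory is the alternative that also accepts the device passcode).

```swift
import Foundation
import LocalAuthentication
import Security

// --- Weak pattern (the one the advisory describes) ---
// Access is gated on a Bool handed back by LAContext. On a jailbroken device a
// hook on -[LAContext evaluatePolicy:localizedReason:reply:] can call the reply
// block with success == true; nothing downstream depends on a secret the hook
// cannot produce, so the app unlocks.
func unlockWithLAContext(reason: String, completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    var authError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &authError) else {
        completion(false)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { success, _ in
        completion(success)   // <- the overridable Boolean
    }
}

// --- Hardened pattern (what the Recommendation asks for) ---
// The unlock token lives in the keychain under a SecAccessControl object. The
// keychain (backed by the Secure Enclave on supporting hardware) returns the
// item only after a successful biometric check, so flipping a Bool inside the
// app's process does not yield the token.
private let keychainService = "com.example.app.local-auth"  // assumption: hypothetical identifier
private let keychainAccount = "unlock-token"                // assumption: hypothetical identifier

enum LocalAuthError: Error {
    case accessControl(CFError?)
    case keychain(OSStatus)
}

func storeUnlockToken(_ token: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let accessControl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        // .biometryCurrentSet binds the item to the fingerprints enrolled now;
        // enrolling another finger invalidates it. .userPresence would also
        // accept the device passcode as a fallback.
        .biometryCurrentSet,
        &cfError
    ) else {
        throw LocalAuthError.accessControl(cfError?.takeRetainedValue())
    }

    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
    ]
    // Remove any previous item so a fresh enrolment starts clean.
    SecItemDelete(baseQuery as CFDictionary)

    var addQuery = baseQuery
    addQuery[kSecAttrAccessControl as String] = accessControl
    addQuery[kSecValueData as String] = token

    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw LocalAuthError.keychain(status) }
}

func readUnlockToken(reason: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseOperationPrompt as String: reason,   // the keychain shows the TouchID prompt itself
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        // errSecUserCanceled, errSecAuthFailed, errSecItemNotFound, ...
        throw LocalAuthError.keychain(status)
    }
    return data
}

// Hardened unlock: the app proceeds only if it actually holds the token, and
// the caller uses the token as key material (for example to decrypt the local
// cache) rather than treating its presence as a Boolean.
func unlockWithKeychain(reason: String) -> Data? {
    return try? readUnlockToken(reason: reason)
}
```

The point of the second pattern is that the thing the app needs after unlock (the token) is produced by the keychain, not by the app's own code path, so a hook that fakes the LAContext reply has nothing to return. The caveat a tester should keep in mind, consistent with the vendor's position in the CVE text, is that this raises the bar rather than removing the problem on a jailbroken device: once a legitimate unlock has happened, an attacker with code execution in the app's process can still read the token out of memory.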