Last active
June 14, 2018 13:08
Dropbox CVE-2018-12271 Information
> [Description]
> ** DISPUTED ** An issue was discovered in the com.getdropbox.Dropbox
> app 100.2 for iOS. The LAContext class for Biometric (TouchID)
> validation allows authentication bypass by overriding the LAContext
> return Boolean value to be "true" because the
> kSecAccessControlUserPresence protection mechanism is not used. In
> other words, an attacker could authenticate with an arbitrary
> fingerprint. NOTE: the vendor indicates that this is not an attack of
> interest within the context of their threat model, which excludes
> iOS devices on which a jailbreak has occurred.
>
> ------------------------------------------
>
> [Additional Information]
> The LAContext class used for Biometric (TouchID) validation in
> Dropbox com.getdropbox.Dropbox (iOS: App Store Version 100.2) allows
> an attacker to bypass the TouchID validation mechanism (Local
> Authentication) through runtime manipulation, by overriding the
> Boolean value that LAContext returns so that it is always "true".
> Therefore an invalid fingerprint could be used to bypass the
> authentication check and gain access to the app.
>
> Recommendation: implement User Presence validation with the
> "kSecAccessControlUserPresence" access-control attribute on the
> keychain item that holds the protected secret, so that the keychain
> (not a Boolean checked by the app) enforces authentication, instead of
> relying on the LAContext class alone. The stricter
> "kSecAccessControlTouchIDCurrentSet" attribute additionally binds the
> item to the set of fingerprints enrolled when the data was saved to
> the keychain; if that set changes, the TouchID evaluation fails.
>
> Ref: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
>
> POC: https://www.dropbox.com/s/n880ob3gtvfwryu/20180609_013320.mp4?dl=0
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> OWASP Mobile Top 10 2016: M1 - Improper Platform Usage, CWE-287 - Improper Authentication
>
> ------------------------------------------
>
> [Vendor of Product]
> Dropbox
>
> ------------------------------------------
>
> [Affected Product Code Base]
> com.getdropbox.Dropbox (iOS: App Store) - 100.2
>
> ------------------------------------------
>
> [Affected Component]
> Fingerprint implementation
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Authentication Bypass
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker with access to a jailbroken iOS device can perform
> runtime manipulation of the biometric authentication step and force
> its return value to "true". A malicious application that evades App
> Store review could likewise attack the Dropbox application on a
> jailbroken device by hooking the biometric mechanism in order to
> bypass the authentication process.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Prathan Phongthiproek
>
> ------------------------------------------
>
> [Reference]
> https://www.dropbox.com/s/n880ob3gtvfwryu/20180609_013320.mp4?dl=0
> https://hackerone.com/reports/363544
Use CVE-2018-12271.
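The weak pattern described in the Additional Information and Attack Vectors sections, beside the keychain-backed alternative the Recommendation asks for. This is an added illustration, not Dropbox's code and not part of the advisory; the service and account strings and the session-token secret are hypothetical, and the flag and API names are Apple's (SecAccessControlCreateFlags.biometryCurrentSet is the post-iOS 11.3 name of kSecAccessControlTouchIDCurrentSet).

```swift
import Foundation
import LocalAuthentication
import Security

// Weak gate, as the advisory describes it: the only thing between the user and
// the protected screen is a Bool delivered to the app. On a jailbroken device a
// hook on -[LAContext evaluatePolicy:localizedReason:reply:] that invokes the
// reply block with (true, nil) opens the gate for any fingerprint.
func unlockWithLAContext(completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        completion(false)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock the app") { success, _ in
        completion(success) // attacker-controllable once the reply block is hooked
    }
}

// Hardened gate: the secret the app actually needs after unlock (a session token,
// say) lives in a keychain item guarded by a SecAccessControl. The keychain hands
// the data out only after the system has verified the user, so forcing a Bool in
// app code produces nothing the attacker can use.
enum BiometricKeychainError: Error {
    case accessControl(CFError?)
    case keychain(OSStatus)
}

// Hypothetical identifiers for this example; a real app uses its own.
private let service = "com.example.app.session"
private let account = "session-token"

func storeProtectedSecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    // .userPresence accepts biometry or passcode and survives re-enrolment;
    // .biometryCurrentSet (kSecAccessControlTouchIDCurrentSet before iOS 11.3)
    // invalidates the item when fingerprints are added or removed.
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &cfError) else {
        throw BiometricKeychainError.accessControl(cfError?.takeRetainedValue())
    }

    // Remove any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(lookup as CFDictionary)

    var item = lookup
    item[kSecAttrAccessControl as String] = access
    item[kSecValueData as String] = secret
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw BiometricKeychainError.keychain(status) }
}

func readProtectedSecret(reason: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        // The system shows this prompt and performs the biometric check inside
        // SecItemCopyMatching; no Bool decision is taken in app code.
        kSecUseOperationPrompt as String: reason,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    // errSecAuthFailed, errSecUserCanceled and errSecItemNotFound all mean the
    // same thing to the caller: there is no secret to unlock the app with.
    guard status == errSecSuccess, let data = result as? Data else {
        throw BiometricKeychainError.keychain(status)
    }
    return data
}
```

With the second pattern the app's decision point is "did the keychain return the token", and a hook that forces the unlock function to report success still leaves the caller without a token to log in with. The caveat from the vendor's threat model still applies: on a jailbroken device an attacker who can dump process memory after a genuine unlock, or who can find the token cached elsewhere, does not need to defeat the biometric check at all, so the keychain item should be the only place the secret lives and it should be dropped from memory when the app locks.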