Back in September of this year, researchers Decoder and Chris Danieli found a zero-day vulnerability in Dropbox for Windows. The developers were notified immediately and promised to prepare a patch before the end of October. Since the 90 days allotted for fixing the problem have now expired and there is still no patch, the researchers have disclosed information about the issue, although they have not yet released a public PoC exploit.
The researchers explain that the problem lies in the Dropbox update mechanism, which runs as a service and is responsible for keeping the application up to date. The dropboxupdate service writes its logs to C:\ProgramData\Dropbox\Update\Log, a directory where a regular user can also add, overwrite and delete files. In addition, the SYSTEM account calls SetSecurity on the files located there, which opens up the possibility of exploitation via hard links.
As a result, the bug can be used to escalate privileges on an already compromised host. Decoder emphasizes that the problem was confirmed on, among others, the latest version, 87.4.138.
To exploit the problem, an attacker would have to know the name of the log file, which includes the exact time (to the millisecond) and the PID of the update process. However, the researchers managed to get around this limitation using tools created by Google Project Zero. A video demonstrating a successful attack can be seen below.
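The precondition described above is a directory that a privileged service writes to while standard users retain write rights on it. The following PowerShell script is an added example, not code from the article, the researchers, Dropbox or 0patch: it audits the ACL of the log directory named in the article and reports any Allow entry that grants write, create or delete rights to broad, low-privileged principals. The path and the list of principals are assumptions you can adjust for your environment.

```powershell
# Added example (not from the article): audit a directory's ACL for write rights
# granted to low-privileged principals. Default path is the one the article names.
param([string]$Path = 'C:\ProgramData\Dropbox\Update\Log')

# Rights that let a standard user create, overwrite or delete files in a directory
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData

# Broad principals whose write access on a SYSTEM-written log directory is a red flag
# (assumed list; extend it with groups that are "everyone" in your environment)
$broadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Test-WeakLogDirAcl {
    param([string]$Dir)

    if (-not (Test-Path -LiteralPath $Dir)) {
        Write-Warning "Directory not found: $Dir"
        return @()
    }

    $acl = Get-Acl -LiteralPath $Dir
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow entries for broad principals matter here
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        # Any overlap with the write/delete mask means a standard user can tamper with files
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return @($findings)
}

$weak = Test-WeakLogDirAcl -Dir $Path
if ($weak.Count -eq 0) {
    Write-Output "OK: no broad write access on $Path"
} else {
    Write-Output "WEAK ACL: low-privileged principals can write to $Path"
    $weak | Format-Table -AutoSize
}
```

A finding from this script is the ACL precondition only; the privilege escalation the article describes additionally relies on the SYSTEM service calling SetSecurity on files in that directory, so a weak ACL on a directory no privileged process touches is a lower-severity hygiene issue. Run the same check against other service-owned directories under ProgramData to find the same pattern elsewhere.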
As mentioned above, there is no official patch for this problem yet, but the developers at Acros Security, who created 0patch, have already released a temporary "patch". They concluded that temporarily disabling Dropbox Updater logging would be the most reliable solution. This does not affect Dropbox functionality or the update process at all; the log simply remains empty.