Theoretical vulnerability of Dropbox – platform to quick exchange files

On 23-03-2011 by Krzysztof Dziądziak With 16 Comments - Security

Have you ever dreamt about the ability to download new movies in a super fast, safe way from distributed network? Are you intrested in being always seeded, in downloading with maximum bandwidth wherever you are, 24/7, with super safe connection and being extremly anonymous — read below

 

Dropbox Logo

(NOTE: This article is about THEORETICAL ability to use Dropbox to other purpose. It has been done by laanwj. I have never done it before, because I just didn’t know how to do it — reverse engineering of PE/ELF files isn’t for me for today. Maybe it ISN’T EVEN TRUE what I’m writing here, but – why shouldn’t it be checked by others?)

EDIT: After my article about Dropbox’s public folder scaner, my theory about file exchanging in Dropbox cloud and Wladimir’s Dropship extending Dropbox with similar idea to my theory, I’m going to write third article about some innovating, theoretical idea of dangerous in Dropbox. Follow me on RSS, FB or Twitter @herbatnic. I will share it after my holidays (after 9th of May).>

A few days ago my boss told me that my English isn’t good enough, so I hope that you will be able to understand me and the idea which I want to share with you.

Let’s start. Take a look on Dropbox — adding new file to DB folder procedure

1. Alice has stolen file movie.avi using torrents
2. A drop file to her DB folder
3. *MAGIC*

1. Bob has taken THE SAME FILE movie.avi from his friend's USB stick
2. B drop file to his DB folder
3. *MAGIC*

Yeah. Ignorance is bliss. Due to human’s in-born laziness, I have to say that I like DB very much — the  simpler and faster, the better!

If during reading this article, you are getting bored, maybe you would like it more. If you want to know more, you might also liked it and for more information read the rest of the article below ;).

Let’s have a look at some details (scenario of adding one file by two persons — conclusions below):

1. Alice has stolen file movie.avi using torrents
2. A drop file to her DB folder
3. Dropbox use some kind of listener to determine that new file movie.avi has appeared
4. D is counting checksum of movie.avi -- I event don't know which hash is used here :(
5. D is sending information to Server "Hi man, I've got smth for ya, check this out: " file_name (movie.avi), checksum (movie.avi), other_parameters_of(movie.avi)
6. S->D: "Jo! I don't have file which you specified - send it to me"
7. S: CREATE FILE 1300860587_movie.avi in POOL_FOLDER -- NOT IN ALICE FOLDER!! -- comment bellow
8. S: add entry to data base -- file_name: movie.avi, check_sum: ABCD1234, path_with_timestamp: /pool_folder/1300860587_movie.avi
9. D->S: sending part of file
10. S: count checksum of received part
11. S->D: sending checksum
12. WHILE NOT EOF (movie.avi) GOTO 9
13. S: create hard link /pool_folder/1300860587_movie.avi to /usr/Alice/movie.avi
14. S->D: "done"
15. D->A: "GREEN TICK"
16. A: *SMILE*

1. Bob has taken THE SAME FILE movie.avi from his friend's USB stick
2. B drop file to his DB folder
3. Dropbox use some kind of listener to determine that new file movie.avi has appeared
4. D is counting checksum of movie.avi
5. D->S: "Hi man, I've got smth for ya, check this out: " file_name (movie.avi), checksum (movie.avi), other_parameters_of(movie.avi)
6. S->D: "I already have it. Show green tick, I will do the rest"
7. create hard link /pool_folder/1300860587_movie.avi to /usr/Bob/movie.avi
8. D->B: "GREEN TICK"
9. B: "FUCK YEA."

What does it mean for us?

  • Dropbox knows if sombody has already added a specified file to DB folder — DB uses parameters assosciated with specified file to determine it: (guesing) file name, check sum, date of create(?)
  • Dropbox is very smart and respects our bandwidth — it means that if a file which we want put to our DB folder exists on the server, the file won’t be sent, but the server creates a hard link to the existing file on his side
  • You will never know who else has an access to the same files as you. You can only determine IF sombody has already upoladed a specified file to DB.

And now a short pseudo-technical interruption, before the really interesting part:

  • I suppose that one file name (for example me.jpg) is associated to many checksums (and according paths to pool). It is relation one-to-many. Otherwise, if it works as many-to-many, we can find a collision of file me.jpg and get it without interference in executing code of DB engine. An example of some theoretical entries:
    • file_name check_sum path_in_pool desc
    me.jpg QWER2345 /pool_folder/1300860587_me.jpg
    me.jpg DEFE1231 /pool_folder/13008605222_me.jpg two diffrent me.jpg
    movie.avi ABCD1234 /pool_folder/1300860587_movie.avi our file :)
    cv.pdf FERE8543 /pool_folder/1304560587_cv.pdf previous article
    test.txt GHDT2236 /pool_folder/1304234587_test.txt
  • The file exists in *nix systems if there is at least one hard link to this file.

So… let’s get this party started! Let me introduce Alice and Bob who use the modfied procedure of adding a file to DB:

1. Alice has stolen file movie.avi using torrents
2. A drop file to her DB folder
3. Dropbox use some kind of listener to determine that new file movie.avi has appeared
4. D is counting checksum of movie.avi
4a. A is peep on calculated parameters by DB which are ready to be sent to Server
4b. A writes this information down
5. D is sending information to Server "Hi man, I've got smth for ya, check this out: " file_name (movie.avi), checksum (movie.avi), other_parameters_of(movie.avi)
5a. It is to late for A to determine values describing file (name, check sum, other parameters) because transmision is encrypted -- it need to much effort
6. S->D: ...
15. D->A: "GREEN TICK"
15a. A publicize anonymousy captured information about movie.avi on SOME SITE
16. A: *SMILE*

1. Bob has taken THE SAME FILE movie.avi from his friend's USB stick
1. B wants movie.avi. He has found parameters describing movie.avi on SOME SITE
2. B drop file to his DB folder
2. B provoke DB to action by putting empty file movie.avi to DB folder
3. Dropbox use some kind of listener to determine that new file movie.avi has appeared
4. D is counting checksum of movie.avi
4a. B is replacing data counted by DB with his own data gathered from SOME SITE
5. D->S: "Hi man, I've got smth for ya, check this out: " file_name (movie.avi), checksum (movie.avi), other_parameters_of(movie.avi)
6. S->D: "I already have it. Show green tick, I will do the rest"
7. create hard link /pool_folder/1300860587_movie.avi to /usr/Bob/movie.avi
8. D->B: "GREEN TICK"
9. B: "FUCK YEA."
10. D isn't stupid -- it has timer (or listen to call functions like createFile, openFile, etc) - and realised that file on B's HDD is different than the one on server.
11. D->S is updating file on server -- sending empty movie.avi
12. B is using recover function on DB site and proper file movie.avi is being downloaded to B
13. B is waiting until dowload will finish

Questions:

  • How strong is the dependance of the data on the local DB on the computer which describes an actual state of our files upon the remote data base? It might be a problem, or some kind of desynchronisation of local and remote base. Otherwise — in the same way we can fool the local data base
  • Time relations between folowing procedure: put empty file, achive file which we want to have on the server side, overwrite server file with our empty, use procedure of recover, download desired file. Is there any way to determine who is doing it proper using standard client, and who aren’t?

If it is true, what kind of profits will we get?

  • super fast download — with max speed downlink
  • don’t care about seeds — the seeder is dropbox server
  • protection against file corruption
  • encrypted connection
  • anonymity
  • distributed data — the file belongs to noone and everyone at the same time
  • for now I don’t see a mechanism which allows DB to check, if the file was put on a traditional way, or as a kind of injection

What can we do with that? According to me, there are two possibilities to check this theory:

  • the one mentioned above — brute force – changing contet of me.jpg and looking for a collision
  • an analitical way — creating a loader which allows to peep/inject data. In order to check it, we use two clients/instances.

If you have any other ideas related to this article and information included here, just comment on it. If you need some help with testing your solution for this idea — I’m ready to reply for your comments.

Like it! Share it! Discuss! Enjoy :)

Związane z tematem, który czytasz:

Zemanta
, , , , , ,

16 Comments

  1. Anonim 10-04-2012

    Hi, I would like to know if someone is working in detecting vulnerabilities in Droxbox. I am decided to participate in this. I Have strong background in PKI, software developper and networks.

    Thank you.
    Fran

  2. toordog 25-11-2011

    I’m currently looking for a reverse engineering work on the protocol used behind dropbox to manage the delta differential and to allow to sync only the part of the data that is update.

    If someone has an article or a group that could help me understanding it.

    Thank you,

  3. toordog 25-11-2011

    Chuck, I think this article was too technical for you. You are absolutely wrong about your understanding of this article.

    I would highly suggest you to post nothing when you don’t understand what you read.

    Now, for some altruist on my side, Here is the dummy version of it.

    Assumptions:
    1- Assuming that you would like to watch the latest movie, let say Immortal.
    1- Assuming you don’t want to use a bitorrent or any other slow method to download it on your computer.
    2- Assuming that someone already synced the file of the movie in his DB account.

    You would use the technic described in this article to make it available in your DB account and to download it on your computer at high speed.

    You don’t need to sync it to your all device as you can set rules to avoid big file to sync to your mobile device for example.

    Again, good works on this articles, it was very interesting.
    Thank you too for sending me the link to the information to secure it on a sync server with dedup enable. That was very useful for me.

  4. Krzysztof Dziądziak 25-11-2011

    @Olivier in article http://forwardfeed.pl/index.php/2011/04/28/dropship-whats-next/ you can find my ideas of methods how to avoid this situation, and run whole system of deduplication again.

    Regards!

  5. Olivier 24-11-2011

    Congratulation for this analysis, this is a brillant reverse engineering thinking.

    Would be curious about how it could be avoid and to patch this design error.
    Keep me post if you have an idea.

    Thank you,

  6. Drzwi antywłamaniowe | Forwardfeed's 02-11-2011

    [...] jest to jakaś wiedza tajemna (w przeciwieństwie do wymyślonego przeze mnie sposobu na Dropboxa) — w cywilizowanych krajach takich jak np. Dania organizowane są zawody w otwieraniu [...]

  7. האם Dropbox ניסתה להרוג את Dropship? | Newsgeek 26-04-2011

    [...] פיתח Wladimir van der Laan, לפי רעיון שהועלה לראשונה על-ידי Krzysztof Dziądziak. מי שרוצה הסבר טכני מעמיק יותר מזה, מוזמן לקרוא את [...]

  8. Derek Martin 24-04-2011

    Fantastic idea, but I don’t understand how this is anonymous. You need a dropbox account, and dropbox knows what files you put in it. I’m sure the police/FBI can and do subpoena dropbox for historical records of people’s accounts, and all files they have had in the past. You don’t have to share a pirated file for it to be illegal. As they say, possession is nine tenths if the law :(

  9. Dropship - lepszy torrent? | Forwardfeed's blog 23-04-2011

    [...] technicznym Dropshipa można znaleźć dodatkowe informacje, a w moim wcześniejszym artykule Dropbox jako platformy wymiany plików można przeczytać o zasadzie działania [...]

  10. Krzysztof Dziądziak 23-04-2011

    YEAH!! It realy works!! Just tested :) – maybe some site to exchange JSON files? ;) Again, this time publicly — GREAT JOB!!

  11. Wladimir 23-04-2011

    It can be done with this tool: http://bit.ly/g0QoGq

  12. Krzysztof Dziądziak 19-04-2011

    Yeah, I’m waiting for someone who will do it. I don’t think that is hard to do.

  13. Wladimir 18-04-2011

    I just had this idea as well. If someone had reverse-engineered the Dropbox protocol it’d be pretty easy to do: Just pretend that you have the file with hash XXX so that Dropbox puts it into your account. No need to actually generate a collision (which is very hard and time-consuming).

  14. Krzysztof Dziądziak 23-03-2011

    Similar idea here: http://news.ycombinator.com/item?id=2354396. Lesson for future – write as soon as possible about ideas and thoughts

  15. Krzysztof Dziądziak 23-03-2011

    OK – make some quick test. Ask some friend about some big file which is on his DB (yeah on all his devices). Take it and try upload this file – for example some 500Mb. You will „upload” this file in few seconds and NOBODY PUSH it to you. Now, after „uploading” delete this file from your folder, go to dropbox website and use undelete options – what will you get? You will start download file which wasn’t sending to you!

  16. Chuck 23-03-2011

    You are completely missing/ignoring/misunderstanding a crucial portion of the DropBox mechanic, which is to push copies of a file in the cloud out to all attached devices. It’s primary job is to keep multiple computers in sync, with physical copies present on each device.

    So while your „magic” upload appears to be instantaneous to the cloud, it only appears so for the simplistic case where each user has only one computer connected to one dropbox account. And it only simplifies the push to the cloud, not the push to linked devices.

    And as for your „vulnerability”, you don’t see files being pushed to you until the push is complete. So I think this article was pretty much a waste of 5 minutes to read…

Dodaj komentarz