CVE-2024-5924 - Dropbox Desktop Folder Sharing Mark-of-the-Web Bypass Vulnerability

On June 2024, security researchers disclosed a critical vulnerability affecting Dropbox Desktop that could endanger millions of users. Cataloged as CVE-2024-5924 (also referenced as ZDI-CAN-23991), this flaw allows remote attackers to bypass Windows' crucial “Mark-of-the-Web” (MotW) protection when syncing files received from shared folders. In simple terms, attackers can sneak dangerous files onto your computer without triggering the usual security warnings.

This article provides a deep dive into what this vulnerability is, how it works, and the actual risks involved. Code snippets and reference links are included for a thorough understanding.

What is Mark-of-the-Web (MotW)?

“Mark-of-the-Web” is a security feature used on Windows operating systems. Whenever you download a file from the internet, the file gets a special hidden tag (“Zone.Identifier”) that says where it came from (internet, intranet, local, etc). When you try to open such files, Windows (and tools like Microsoft Office and Edge) warn users or even block potentially unsafe content.

Without this tag, dangerous files can be opened without any warning or restriction.

Vendor: Dropbox, Inc.

- Affected Versions: Dropbox Desktop for Windows (specific versions not listed, but usual in current and previous desktop builds)
- Exploitability: User interaction is required (user must access a shared folder or open a synced malicious file).
- Reference: ZDI advisory (ZDI-CAN-23991)

Exploit Flow

1. Attacker Setup: An attacker creates a Dropbox account, uploads malicious files (like poisonous Office documents or trojans), and shares a folder with the victim.
2. User Action: The victim accepts the shared folder through either Dropbox Desktop or web, syncing it locally.
3. MotW Not Set: While syncing, Dropbox Desktop fails to set the “Mark-of-the-Web” on these downloaded files.
4. Execution: When the victim opens any of the downloaded files, Windows does NOT display its usual security warning. Malicious code inside the file can now run freely, as though it were a trusted local file from the victim’s own computer.

Code Snippet: Checking for MotW

Below is a simple PowerShell snippet to check whether a file has MotW.

# Check if Zone.Identifier exists
$file = "C:\Users\your-user\Dropbox (Shared)\malicious.docx"
if (Get-Item -Path $file -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Write-Output "Mark-of-the-Web found."
} else {
    Write-Output "No Mark-of-the-Web. Potentially dangerous!"
}

If Dropbox has synced a file from a shared folder and you run this code and see No Mark-of-the-Web, you may be at risk.

Proof-of-Concept (Educational Use Only)

The following steps demonstrate the issue. Do not attempt unauthorized use.

On Attacker PC:

- Create a new malicious Office document containing VBA macro, or embed a payload using MSFvenom.

Double-click the document.

Expected Outcome:
Because there is *no* Mark-of-the-Web, there is no protective warning from Office/Microsoft Defender. The macro or payload executes in the user’s context.

Real-World Impact

- Bypass Defense: Even if you have all Windows security features turned on, this vulnerability lets attackers sneak dangerous content past your protection.
- Remote Code Execution: Malicious files—scripts, Office documents, or executables—can run as soon as you open them.
- Phishing & Malware: Attacks delivered through shared Dropbox folders may look completely innocent.


## Timeline / Disclosure

CVE Assigned: June 2024

- Public Disclosure / Patch: June 2024 (check for Dropbox Desktop updates)

Mitigation & Recommendations

- Update Dropbox: Make sure your Dropbox Desktop is updated to the latest version (Dropbox Update Page).

Verify MotW: When in doubt, check new files for the MotW stream before opening.

- User Education: Promote awareness around the risks of social engineering through trusted file-sharing services.

References

- Zero Day Initiative Advisory: ZDI-CAN-23991
- Latest Dropbox Security Updates
- Microsoft Mark-of-the-Web Documentation

Conclusion

CVE-2024-5924 is a sharp reminder that even the most trusted productivity tools can introduce vulnerabilities. Dropbox’s folder sync feature—loved for its convenience—is now a vector for bypassing OS-level security marking. Always keep your systems updated, use caution with shared content, and share this knowledge to help protect others.

Have questions or need assistance? Reach out to your company’s IT security team or visit the Dropbox help center for the latest guidance.

Timeline

Published on: 06/13/2024 20:15:16 UTC
Last modified on: 08/01/2024 21:25:03 UTC