Date: Thu May 19 15:10:33 2005
From: deeper at gmail.com (Daniel)
Subject: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability

OK, let's look at this issue again:

>>Dashboard widgets can hijack
>>these credentials by calling the system's built-in "sudo" command and
>>execute arbitrary functions with full administrative privileges.
>>Because the sudo command trusts users based on username and tty, the
>>widget is never prompted for a sudo password, but immediately
>>authenticated based on the user's previous manual authentication for
>>whatever other task they were performing. Because Dashboard widgets
>>can be modified to run in the background, they can also sit and wait
>>for a user to authenticate, executing malicious commands when this
>>occurs.

OK, I'm running 10.4.1. I have a piece of JavaScript which calls sudo,
yet I'm asked for my password straight after the sudo call has been
made, therefore it WILL not run automatically. In order for you to have
this fully exploitable widget, you would need the user to first call
sudo to perform an action and then have the widget piggyback onto
that session, surely?

>>Combining this vulnerability with Safari's auto-install
>>vulnerability, it may be possible for a widget to maliciously install
>>itself by visiting a website, wait for the user to authenticate to
>>perform a task, and take full control of a system.

With 10.4.1, once any widget has been downloaded, the user is
presented with a box warning of the danger. If they do not do
anything, the download DOES not take place and there is no code stored
on the system.

I'm all for people finding holes in operating systems and reporting
them, but with a matter like this it seems that there is more
theoretical exploitation than actual exploitation.

Tell you what, write up a bad widget and send it to us and let's see if
we can replicate it.

PS: http://www.apple.com/support/security/

That e-mail address works; I've sent in a few issues myself regarding
10.3 and had no problems so far.


On 5/19/05, Jonathan Zdziarski <jonathan@...learelephant.com> wrote:
> 
> Seems to me that you can report bugs from
> http://developer.apple.com/bugreporter/index.html
> Membership is required, but the free "online" membership is
> sufficient.
> 
> Unfortunately, no. After logging in, I get this error when I try and file a
> bug report:
> 
> You do not have access to this Application, Please get access and try again
> 
>  
> It appears that you have to pay to report bugs to Apple.
> 
> Jonathan 
> 
>  
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
>
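
Both the advisory text quoted above and the reply turn on whether sudo will reuse an earlier authentication. The following is an added example, not part of the original thread: a shell function that reads a sudoers file and reports whether cached credentials can be reused. `timestamp_timeout` and `tty_tickets` are real sudoers options; the function name and the sample file are hypothetical, and an unset timeout is assumed to mean the build's non-zero default.

```shell
#!/bin/sh
# Added example: report how a sudoers file configures credential caching.
# Prints: timeout=<value|unset> tty_tickets=<on|off|unset> reuse=<yes|no|unknown>
# Limits: only global "Defaults" lines are read; "Defaults:user" style
# overrides and #include files are not followed.
audit_sudo_cache() {
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            gsub(/[ \t]/, "", line)            # drop blanks around commas
            n = split(line, opts, ",")
            for (i = 1; i <= n; i++) {
                o = opts[i]
                if (o ~ /^timestamp_timeout=/) { sub(/^[^=]*=/, "", o); timeout = o }
                else if (o == "tty_tickets")   tty = "on"
                else if (o == "!tty_tickets")  tty = "off"
            }
        }
        END {
            # Assumption: with no explicit setting, the build default is non-zero,
            # so an earlier authentication can be reused for a while.
            if (timeout == "unset")                reuse = "yes"
            else if (timeout !~ /^-?[0-9.]+$/)     reuse = "unknown"
            else if (timeout + 0 == 0)             reuse = "no"   # always prompt
            else                                   reuse = "yes"  # includes negative (never expires)
            printf "timeout=%s tty_tickets=%s reuse=%s\n", timeout, tty, reuse
        }
    ' timeout=unset tty=unset "$1"
}

# Constructed sample, not taken from a real system.
sample=$(mktemp)
printf 'Defaults env_reset\nDefaults timestamp_timeout=0\n' > "$sample"
audit_sudo_cache "$sample"
rm -f "$sample"
```

A result of `reuse=no` means sudo prompts on every invocation, so a background process has no earlier authentication to piggyback on.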
