lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu May 19 15:42:21 2005
From: jonathan at nuclearelephant.com (Jonathan Zdziarski)
Subject: Mac OSX 10.4 Dashboard Authentication Hijacking
	Vulnerability


> But then isnt this an issue with Sudo's grace period (ie should it be
> tied down to that terminal process calling it and not other ones?)

I suspect that since the dash runs as the user, it's sharing the same  
tty somehow. It seems to work regardless of where I authenticate.

> I understand the theoretical issue you present, but lets be honest,
> its not a vulnerability because to exploit this would require a
> serious amount of user interaction beforehand

Not beforehand, but at any time. Since widgets run in the background  
for the duration of the user's session, it can sit and wait for that  
user to authenticate for something. Whether it's before hand, or a  
week later, once they authenticate, the widget can easily hijack the  
authentication and do whatever it wants to do.

> The same can be said for Linux/Solaris, in fact any OS which uses
> sudo. Hell i think Gnomes GDesklets also could be exploited this was
> as well, and in the case of them you dont even need to be reminded
> that the content is bad as firefox just downloads them onto the
> machine anyway

I'm not sure about gdesklets. I guess it depends on whether it runs  
on the same tty - assuming that sudo's grace period is tied to the tty 
+username. Someone should probably test that. But gdesklets isn't  
built into Linux, and it can probably be set up to run as a different  
(nonprivileged) user all together if you tweak your X display  
permissions.  The problem with dashboard is that it's integrated into  
the dock, and sudo doesn't seem to see a difference between the  
dashboard and a terminal, or authentication window.

Yes, I realize this is somewhat controversial. I think we can agree  
on the following at least:
1. Dashboard widgets (and gdesklets) should never be allowed to gain  
administrative privileges
2. The default grace period configuration in OSX is somewhat insecure

My only other argument is that widgets are a much higher risk than  
apps with trojans
for the following reasons:

1. Widgets run in the background for the duration of the user's session
2. The dashboard is generally not visible to the user unless it is  
specifically activated
3. Users are likely to download and run many widgets simultaneously
4. Widgets, being mini-applications, cater to a much wider class of  
users

It is therefore more likely for users to download and install several  
widgets, some which may include hidden trojans.


Jonathan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050519/fcbaa090/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ