lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <OFC27AFD33.A7780ED4-ON802572DD.005EDBE9-802572DD.00615066@nisaba.com>
Date: Wed, 16 May 2007 18:42:54 +0100
From: graham.coles@...-logic-group.com
To: bugtraq@...urityfocus.com
Subject: Re: Apple Safari on MacOSX may reveal user's saved passwords

I too appear to be having difficulty relating this to a vulnerability.

>  It works for:
>  the same user using ssh as is on the console;

If someone can remotely log in as you over ssh then they already have your 
password (or worse, certificate!), so why would they try to obtain it from 
a browser?

They already have total access to all your files, there would appear to be 
nothing more to gain from this.

>  the root user using ssh (or someone who can sudo) can inject
>  Javascript into the console user's browser;

Are you even considering what you are saying?

Someone has *ROOT* access to your system REMOTELY over ssh and you're 
worried that they might be able to retrieve a password from your keychain. 
By this stage, your entire system and every file in it is pretty much 
owned. It's time to consider a full reinstall with some new, stronger 
authentication.

>  a different non-root user on the console can do it too

Which again restricts this vunerability (as previously mentioned) to an 
attacker who happens to be sitting in front of your machine(!)


It would be more interesting if there were a proper remote expoit (e.g. 
website), but if the remote part means having to be connected to and 
logged in as an individual on the computer, then it's not really a browser 
exploit as all the damage has been done--they will already have full 
access to your keychain and can examine it at as they please, along with 
all your files.


--

Graham Coles




David Cantrell <d.cantrell@...cometechnologies.com> 
15/05/2007 23:15

To
bugtraq@...urityfocus.com
cc

Subject
Re: Apple Safari on MacOSX may reveal user's saved passwords





Injecting Javascript into a browser like this does *not* require that
the attacker be on the local console.  To run Applescript while logged
inremotely using ssh, you can use the 'osascript' utility.

It works for:
the same user using ssh as is on the console;
the root user using ssh (or someone who can sudo) can inject
Javascript into the console user's browser;
a different non-root user on the console can do it too

That last one is particularly worrying, although I've not taken the time
to figure out precisely what works and what doesn't.  My test was to
simply open a Terminal and 'su - foo' before using osascript, but it
might, for instance, be exploitable by a setuid application.

At first glance, Firefox doesn't seem to be vulnerable (although I'm far
from being an Applescript expert) to exactly this attack, but it does
expose at least *some* functionality to Applescript.

--

David Cantrell


The Logic Group Enterprises Limited
Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, UK
Registered in England. Registered No. 2609323

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ