lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <OF56C64102.0509B961-ON802572DE.004A5DC4-802572DE.00620A62@nisaba.com>
Date: Thu, 17 May 2007 18:50:51 +0100
From: graham.coles@...-logic-group.com
To: David Cantrell <d.cantrell@...cometechnologies.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Apple Safari on MacOSX may reveal user's saved passwords

David Cantrell <d.cantrell@...cometechnologies.com> wrote on 17/05/2007 
12:47:24:

> graham.coles@...-logic-group.com wrote:

> >> It works for:
> >> the same user using ssh as is on the console;
> > If someone can remotely log in as you over ssh then they already have 
your
> > password (or worse, certificate!), so why would they try to obtain it 
from
> > a browser?

> They can obtain other stuff that I type in the browser, such as
> passwords etc that I might use for online banking and which I don't
> store in Keychain.  Personally, I don't think that the Keychain bit is
> particularly important.

I'd say it's irrelevant. In this instance it's just being used to remember 
web passwords much like the 'remember this password' feature offered by a 
lot of browsers which weakly encrypt them in a file on the hard disk. 
Personally, I never use this feature in any browser, but the concept is 
the same. 

If you are sitting at the machine of a person who has left it logged in 
and they use this feature, then whatever web browser you are using will 
believe you are that person and provide access to the website 
automatically--you don't need to see the password to use it. This is not a 
vulnerability, it is a feature of convenience over security, which is why 
I never use it on anything. The only way to 'patch' this is to remove the 
feature.

It is also why I don't leave my machine logged in and accessible to other 
users, which appears to be the whole basis of this 'vulnerability'. This 
is user-error, not something that can easily be fixed by a software 
update.



> > They already have total access to all your files, there would appear 
to be
> > nothing more to gain from this.

> Perhaps you do (in which case I recommend you stop), but I don't store
> all my information in files, and of that which I do, not all those files
> are merely protected by my standard login and password.  Some, such as
> how I authenticate to my bank, are stored in a gpg-encrypted file in
> case I ever forget.  Others, such as my gpg passphrase, live only in my
> head.  Trust me, merely logging in as me won't help anyone get at those
> data.

Maybe not, but logging in as *root* will. Your passphrase does not live 
only in your head, from time to time you have to type it in for it to be 
of use. If your machine is rooted, they own your keyboard driver and can 
see you type it! They also have access to your gpg file, and probably 
already have a copy of it, along with everything else of interest.

Personally, I use encrypted volumes / files for anything private and I 
*never* store the passwords in the keychain. I also don't allow root 
access!

The whole concept of the keychain, however, is to restrict access to its 
contents to the owner. If you can happily log in as the owner, then you 
have everything they can access, INCLUDING the keychain. If they can't do 
this, you just have some encrypted data. You don't HAVE to store web 
passwords, of course.

> >>  the root user using ssh (or someone who can sudo) can inject
> >>  Javascript into the console user's browser;
> > Are you even considering what you are saying?

> Yes.  Are you?

I am. I am also trying hard to see where the threat could emerge. 

With IE on Windows, users suffering vulnerabilities tend to just find two 
dozen bits of spyware installed weeks after visiting a website with no 
idea of how they got there.

By comparison, this method would seemingly require you to literally hand 
over your machine to someone else or for them to have authenticated remote 
access as you or root.

Sounds more like the cure is just to either disable root (and/or remote) 
login, protect your (strong) passwords/certificates and lock your machine 
when you leave it.

I'd like to know what Apple were supposed to do to fix this?

It is, after all, YOUR keychain with YOUR passwords that YOU want 
applications to recover when YOU are logged in. Why shouldn't YOU be able 
to access it. If you don't want to use it don't, but if someone has to be 
logged in as you to read it, that sounds about right. 

> > Someone has *ROOT* access to your system REMOTELY over ssh and you're
> > worried that they might be able to retrieve a password from your 
keychain.

> Yes, it would be annoying if someone rooted my laptop.  It would be a
> lot more annoying if they not only rooted my laptop but also cleaned out
> my bank account via my browser.

'Annoying' is the understatement of the millennium. 

As far as root access goes, see my comments above regarding key loggers?

With root access they will have your gpg file, they will know what 
processes are running (they will know when you run gpg) and they can 
capture your keystrokes. Is this then a vulnerability of gpg? So much for 
keeping your online banking safe. Even if you memorize the passwords, they 
can still see your keypresses and thereofre empty your bank account.

If someone roots your machine, security is non-existant and trust beyond 
repair. Don't trivialize this by comparing it to a 'might be able to see 
your web passwords' issue, this is disaster incarnate and game over all 
rolled into one! 


> It *is* somewhat disturbing that root can so trivially interfere with
> the guts of someone else's processes.  Normally, root has to do a lot of
> work to do that.

With great power comes great responsibility, which is precisely why Macs 
have the root login disabled and require a user designated as 
'Administrator' to authenticate themself whenever system files are 
modified or installed. Other users are created as non-administrator and 
remote login is blocked by the firewall. The chances of anyone actually 
logging in remotely as root on a normal Mac are zero as you, while 
administrator, would have to specifically enable all of this. This is why 
Apple warn you not to do it.

> >>  a different non-root user on the console can do it too
> > Which again restricts this vunerability (as previously mentioned) to 
an
> > attacker who happens to be sitting in front of your machine(!)

> Did you read the bit where I speculated about setuid applications?

Yes, but again if you can get this far you either have the person's 
identity or root access (bad or hopeless situation respectively). Why 
worry incessantly about things that you stored in the keychain being 
accessed when someone can access everything you own. 

Should the keychain refuse to divulge its contents to a person 
authenticated as the owner?

Is the answer to remove the keychain and watch as people revert to storing 
their passwords unencrypted in stickies, or text files on their desktop? 

You normally have to come up with a feasible attack vector for something 
to be a vulnerability, this seems far too early to be notifying the 
vendor.

Saving passwords on any web browser is a lousy idea from a security 
perspective. However, people don't like security, they like convenience. 
The only real fix here is perhaps a disclaimer message advising people not 
to store important passwords for websites in the browser in the first 
place. But lets face reality, even if the did would it stop people doing 
it?

> --
> David Cantrell

--
Graham Coles



The Logic Group Enterprises Limited
Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, UK
Registered in England. Registered No. 2609323

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ