lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20071203230457.GK12626@iCoaster.does-not-exist.org>
Date: Tue, 4 Dec 2007 00:04:57 +0100
From: Thomas Roessler <tlr@...org>
To: bugtraq@...urityfocus.com
Cc: brett@...froot.co.nz, mail@...-ward.co.uk
Subject: [MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard
	widgets

Twitgit [1] and Twitterlex [2] are two MacOS X Dashboard widgets
(developed in JavaScript) that can be used to display twitter.com
updates.

Both regularly retrieve data using the Twitter JSON API and parse
whatever is returned with eval().  Both relax the dashboard's
JavaScript sandbox to enable the widget.system() call, which indeed
amounts to the equivalent of system(3); i.e., if an attacker can
take over the widget, the attacker can take over the user's account
(and, quite often, the system).

The data are retrieved through plain HTTP. Therefore, these widgets
are vulnerable to at least:

- cross-site-scripting attacks through Twitter
- subversion of Twitter and, in the case of Twitterlex, also
  subversion of a server used for update notifications
- man-in-the-middle attacks against local networks

(Also, deliberately malicious behavior by either Twitter or the
author of at least Twitterlex is a risk from a security perspective;
if one was to assume malice, then Twitterlex could be classified as
a nifty backdoor.)

What makes this case particularly interesting is that this is a case
in which -- along with the development platform, JavaScrit -- the
borders between Web and local vulnerabilities get increasingly blurry.

It would probably be an interesting exercise to go through some more
dashboard widgets and grep for eval. I'd bet quite a bit that
there's much more out there.

1. http://inner.geek.nz/projects/twitterlex/
2. http://ben-ward.co.uk/widgets/twitgit/

Regards,
-- 
Thomas Roessler, W3C  <tlr@...org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ