Message-ID: <2B48F67B-0E83-4853-819F-534D398F27D8@nuclearelephant.com>
Date: Thu May 19 14:50:06 2005
From: jonathan at nuclearelephant.com (Jonathan Zdziarski)
Subject: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability


On May 19, 2005, at 8:31 AM, ph0enix wrote:

>> widget.system("sudo id >> /tmp/out", null);
>
> OK, but this is not only specific to Dashboard widgets or Mac OS X 10.4.
> This is also possible with every other malicious application which waits
> in the background until the user hits the sudo command to elevate its
> privileges. Also, if you remove the password grace period in the
> /etc/sudoers file, the trick will not work.

The problem here is that widgets are often thought of as mini-applications,
and run with the appearance of being in a different environment (e.g. your
dashboard). And they run a lot of them. They're not likely to assume that
widgets can contain trojans or be cautious of what they download like they
are regular applications. The big problem is that Dashboard provides an
interface for JavaScript (and other code) to execute programs on your
machine, so any stupid kid out there can code up a malicious *JavaScript*
widget that could gain full administrative privileges. Apple shouldn't be
allowing this interface to access sudo IMO.

That workaround you've suggested works; I've added:

Defaults:ALL timestamp_timeout=0

to /etc/sudoers. Thanks for the tip.

Jonathan
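Added example, not from the original thread and not code from Apple or the sudo project: a small POSIX shell audit that reads a sudoers-format file and reports whether the credential-caching window ph0enix describes is still open. It assumes the syntax documented in sudoers(5): a Defaults line may carry a `:user`, `@host` or `!cmd` qualifier and a comma-separated option list, `timestamp_timeout` is in minutes, `0` forces a password prompt on every sudo invocation, and a negative value means the cached credential never expires. The sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a sudoers-format file
# for the sudo credential-caching window that the widget trick relies on.
# Reports one of:  disabled | never-expires | cached:<minutes> | default
# (when timestamp_timeout is unset, upstream sudo caches for 5 minutes).

sudoers_timeout_status() {
    # $1: path to a sudoers-format file
    awk '
        /^[ \t]*#/ { next }                    # comment lines
        /^[ \t]*Defaults/ {
            line = $0
            # drop the "Defaults", "Defaults:ALL", "Defaults@host" prefix
            sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "", line)
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^timestamp_timeout[ \t]*=/) {
                    val = opts[i]
                    sub(/^timestamp_timeout[ \t]*=[ \t]*/, "", val)
                    sub(/[ \t]+$/, "", val)
                    last = val                 # later lines override earlier ones
                }
            }
        }
        END {
            if (last == "") { print "default" }
            else if (last + 0 < 0) { print "never-expires" }
            else if (last + 0 == 0) { print "disabled" }
            else { print "cached:" last }
        }
    ' "$1"
}

# Write constructed sample files into directory $1. These are made-up
# contents for the demonstration, not any real system's sudoers.
write_samples() {
    printf '%s\n' '# stock install, no Defaults line' \
        'root ALL=(ALL) ALL' '%admin ALL=(ALL) ALL' > "$1/default"
    printf '%s\n' 'Defaults env_reset, timestamp_timeout=15' \
        'root ALL=(ALL) ALL' > "$1/fifteen"
    printf '%s\n' 'Defaults timestamp_timeout=-1' > "$1/forever"
    printf '%s\n' 'Defaults timestamp_timeout=5' \
        'Defaults:ALL timestamp_timeout=0' '%admin ALL=(ALL) ALL' > "$1/hardened"
}

# Stand-alone run: print the status of each constructed sample.
dir=$(mktemp -d)
write_samples "$dir"
for f in default fifteen forever hardened; do
    printf '%-9s %s\n' "$f" "$(sudoers_timeout_status "$dir/$f")"
done
rm -rf "$dir"
```

Run it against the real file with `sudoers_timeout_status /etc/sudoers` as root (the file is not world-readable). The function only reads the single file it is given; on modern sudo, options pulled in through `#includedir /etc/sudoers.d` are not examined, so check those fragments too, and use `visudo -c` for syntax validation rather than this script.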

