Message-ID: <FF646450-CC20-4A15-8996-5B18C1B86304@nuclearelephant.com>
Date: Thu May 19 15:42:21 2005
From: jonathan at nuclearelephant.com (Jonathan Zdziarski)
Subject: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
> But then isn't this an issue with sudo's grace period (i.e. should it be
> tied down to the terminal process calling it and not other ones?)
I suspect that since the dash runs as the user, it's sharing the same
tty somehow. It seems to work regardless of where I authenticate.
> I understand the theoretical issue you present, but let's be honest,
> it's not a vulnerability because to exploit this would require a
> serious amount of user interaction beforehand
Not beforehand, but at any time. Since widgets run in the background
for the duration of the user's session, it can sit and wait for that
user to authenticate for something. Whether it's beforehand, or a
week later, once they authenticate, the widget can easily hijack the
authentication and do whatever it wants to do.
> The same can be said for Linux/Solaris, in fact any OS which uses
> sudo. Hell, I think Gnome's GDesklets could also be exploited this way
> as well, and in their case you don't even need to be reminded
> that the content is bad, as Firefox just downloads them onto the
> machine anyway
I'm not sure about gdesklets. I guess it depends on whether it runs
on the same tty - assuming that sudo's grace period is tied to the tty
+username. Someone should probably test that. But gdesklets isn't
built into Linux, and it can probably be set up to run as a different
(nonprivileged) user altogether if you tweak your X display
permissions. The problem with dashboard is that it's integrated into
the dock, and sudo doesn't seem to see a difference between the
dashboard and a terminal, or authentication window.
Yes, I realize this is somewhat controversial. I think we can agree
on the following at least:
1. Dashboard widgets (and gdesklets) should never be allowed to gain administrative privileges
2. The default grace period configuration in OSX is somewhat insecure
My only other argument is that widgets are a much higher risk than apps with trojans for the following reasons:
1. Widgets run in the background for the duration of the user's session
2. The dashboard is generally not visible to the user unless it is specifically activated
3. Users are likely to download and run many widgets simultaneously
4. Widgets, being mini-applications, cater to a much wider class of users
It is therefore more likely for users to download and install several
widgets, some which may include hidden trojans.
Jonathan
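An added example, not code from the original post or from Apple or the sudo project: a small sh audit of a sudoers file for the two grace-period settings the thread turns on, tty_tickets (pins the cached credential to the tty that authenticated) and timestamp_timeout (0 means prompt every time). The sudoers fragments are constructed samples; treating an unset tty_tickets as off matches the sudo of the era discussed (sudo 1.7.4 and later enable it by default), and an unset timestamp_timeout is taken as the documented default of 5 minutes.

```shell
#!/bin/sh
# Added example (not from the original post). Report whether a sudoers file
# still lets any process of the same user (such as a background widget) reuse
# a credential cached by a terminal session, as described in the thread.

audit_sudoers() {
    timeout=5   # sudoers(5) documented default, in minutes, when unset
    tty=off     # assumption: off when unset (sudo before 1.7.4)
    # Pull each option out of every "Defaults a, b=c" line onto its own line.
    for opt in $(grep '^[[:space:]]*Defaults[[:space:]]' "$1" \
                 | sed 's/^[[:space:]]*Defaults[[:space:]]*//' \
                 | tr ',' '\n' | tr -d '[:blank:]'); do
        case "$opt" in
            timestamp_timeout=*) timeout="${opt#timestamp_timeout=}" ;;
            tty_tickets)         tty=on ;;
            '!tty_tickets')      tty=off ;;
        esac
    done
    # Safe if sudo always prompts, or if the ticket is bound to the tty.
    if [ "$timeout" = "0" ] || [ "$tty" = "on" ]; then
        echo "ok: timestamp_timeout=$timeout tty_tickets=$tty"
    else
        echo "weak: timestamp_timeout=$timeout tty_tickets=$tty"
    fi
}

# Constructed sample sudoers fragments (not real system files).
WEAK=$(mktemp); HARD=$(mktemp)
cat >"$WEAK" <<'EOF'
# grace period shared by every process in the session
Defaults        env_reset, timestamp_timeout=15
Defaults        !tty_tickets
%admin  ALL=(ALL) ALL
EOF
cat >"$HARD" <<'EOF'
Defaults        env_reset, tty_tickets
Defaults        timestamp_timeout=0
%admin  ALL=(ALL) ALL
EOF

audit_sudoers "$WEAK"   # weak: timestamp_timeout=15 tty_tickets=off
audit_sudoers "$HARD"   # ok: timestamp_timeout=0 tty_tickets=on
```

Run it against /etc/sudoers (or `sudo -l` output reformatted into Defaults lines) to check a live system; a "weak" verdict means the grace period is shared by the whole session.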