Message-ID: <FF7C7ADD-3AB3-4CFD-BC13-554AED43A046@nuclearelephant.com>
Date: Thu May 19 05:24:29 2005
From: jonathan at nuclearelephant.com (Jonathan Zdziarski)
Subject: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability

I looked around and didn't see any invitation from Apple to report  
vulnerabilities, so for now I guess I'll post here and leave it to  
someone with a paid developer's account to tell them.

Jonathan

Date: May 19, 2005
Description: OSX 10.4 Dashboard Permits Hijacking of Authenticated  
Credentials

Versions Affected:
OSX 10.4.0
OSX 10.4.1

About Dashboard:
Mac OSX 10.4 includes a feature called Dashboard, which provides an  
environment for mini-applications, called Widgets, to run. Widgets  
are commonly freely available for download from a number of trusted  
and untrusted sources. Users running Apple's native browser, Safari,  
may have downloaded and installed widgets to their dashboard without  
even knowing it due to a related security flaw in the Safari browser.

About the Vulnerability:
Dashboard widgets allow system commands to be executed, which is  
normally not considered a vulnerability in itself as they run with  
the user's permissions. If the user has recently authenticated to  
perform a super-user function, however, Dashboard widgets can hijack  
these credentials by calling the system's built-in "sudo" command and  
execute arbitrary functions with full administrative privileges.  
Because the sudo command trusts users based on username and tty, the  
widget is never prompted for a sudo password, but immediately  
authenticated based on the user's previous manual authentication for  
whatever other task they were performing. Because Dashboard widgets  
can be modified to run in the background, they can also sit and wait  
for a user to authenticate, executing malicious commands when this  
occurs.
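The mechanism described above (a non-interactive process reusing sudo's cached authentication from an earlier manual session) leaves a trace in sudo's own syslog output. The following detection example is added here and is not part of the advisory; it assumes sudo's standard log line format ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...", with "TTY=unknown" when the caller has no controlling terminal) and sudo's documented default timestamp timeout of 5 minutes. The log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in sudo's syslog format (not taken from the advisory).
# Entry 1 is a sudo run with no controlling terminal 89 seconds after an
# interactive one by the same user: the pattern the advisory describes.
SAMPLE_LOG = """\
May 19 05:20:01 powerbook sudo:     jonathan : TTY=ttyp1 ; PWD=/Users/jonathan ; USER=root ; COMMAND=/usr/sbin/installer -pkg Update.pkg -target /
May 19 05:21:30 powerbook sudo:     jonathan : TTY=unknown ; PWD=/Users/jonathan/Library/Widgets ; USER=root ; COMMAND=/usr/bin/id
May 19 05:40:00 powerbook sudo:     jonathan : TTY=ttyp1 ; PWD=/Users/jonathan ; USER=root ; COMMAND=/usr/bin/id
May 19 05:55:00 powerbook sudo:     jonathan : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id
"""

# sudo's documented default for timestamp_timeout, in minutes (assumption: unchanged on the host).
DEFAULT_CACHE_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_log(text):
    """Parse syslog-style sudo lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        # syslog timestamps carry no year; only deltas between entries are used below
        entry["time"] = datetime.strptime(entry.pop("ts"), "%b %d %H:%M:%S")
        entries.append(entry)
    return entries


def find_piggybacked_sudo(entries, window=DEFAULT_CACHE_WINDOW):
    """Flag sudo runs without a controlling terminal.

    Returns (index, reason) tuples. A no-tty run that falls inside the cache
    window of the same user's last interactive sudo is the credential-reuse
    pattern; a no-tty run outside that window is still unusual and reported.
    """
    last_interactive = {}
    findings = []
    for i, e in enumerate(entries):
        if e["tty"] != "unknown":
            last_interactive[e["user"]] = e["time"]
            continue
        prev = last_interactive.get(e["user"])
        if prev is not None and timedelta(0) <= e["time"] - prev <= window:
            findings.append((i, "no tty; within cached-credential window of interactive sudo"))
        else:
            findings.append((i, "no tty"))
    return findings


if __name__ == "__main__":
    parsed = parse_sudo_log(SAMPLE_LOG)
    for idx, reason in find_piggybacked_sudo(parsed):
        e = parsed[idx]
        print(f"{e['time']:%b %d %H:%M:%S} {e['user']} -> {e['cmd']}: {reason}")
```

The heuristic is deliberately narrow: it only reports sudo invocations that had no terminal, which is what a background widget would look like, and ranks those that land inside the cache window of an earlier interactive sudo by the same user. Run it over /var/log/secure.log (or wherever sudo logs on the host) rather than the constructed sample.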

Combining this vulnerability with Safari's auto-install  
vulnerability, it may be possible for a widget to maliciously install  
itself by visiting a website, wait for the user to authenticate to  
perform a task, and take full control of a system.

Workarounds:
There is presently no workaround available other than to carefully  
examine new widgets and their source code prior to installation, or  
to avoid using the Dashboard entirely. Examining code isn't a  
guarantee, however, as some widgets may contain code in binary form.  
To prevent the auto-installation of widgets (and the potential  
malicious applications of this function), disable the "Open Safe  
Files" checkbox in Safari's General preferences.
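Because the reuse the advisory describes depends on sudo remembering a recent authentication, the cache itself is the setting an administrator can check. The example below is added here and is not from the advisory; it assumes sudo's real sudoers option timestamp_timeout (documented default 5 minutes, 0 meaning always prompt, a negative value meaning never expire) and reads global "Defaults" lines only. The sudoers fragments are constructed for illustration.

```python
# sudo's documented default for timestamp_timeout, in minutes (assumption for this example).
DEFAULT_TIMESTAMP_TIMEOUT = 5.0

# Constructed sudoers fragments (not from the advisory or any real host).
WEAK_SUDOERS = """\
# Typical unmodified file: credential cache left at sudo's default
Defaults        env_reset
%admin  ALL=(ALL) ALL
"""

HARDENED_SUDOERS = """\
Defaults        env_reset, timestamp_timeout=0   # always prompt for a password
Defaults        tty_tickets
%admin  ALL=(ALL) ALL
"""

NEVER_EXPIRES_SUDOERS = """\
Defaults        timestamp_timeout=-1
%admin  ALL=(ALL) ALL
"""


def parse_sudoers_defaults(text):
    """Collect options from unqualified 'Defaults' lines (those that apply to every user).

    Qualified forms (Defaults:user, Defaults@host, Defaults!cmd) are skipped on
    purpose: they only apply to a subset and would need per-user evaluation.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != "Defaults":
            continue
        for item in parts[1].split(","):
            item = item.strip()
            if not item:
                continue
            if "=" in item:
                key, value = item.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
            elif item.startswith("!"):           # "!flag" turns a boolean flag off
                opts[item[1:]] = False
            else:                                # bare "flag" turns it on
                opts[item] = True
    return opts


def assess_credential_caching(text):
    """Report how long sudo will reuse a password for the users covered by this file."""
    opts = parse_sudoers_defaults(text)
    raw = opts.get("timestamp_timeout")
    timeout = DEFAULT_TIMESTAMP_TIMEOUT if raw is None else float(raw)
    return {
        "timestamp_timeout": timeout,
        "tty_tickets": opts.get("tty_tickets"),  # None: not set here, build default applies
        "cache_disabled": timeout == 0,
        "never_expires": timeout < 0,
    }


if __name__ == "__main__":
    for name, text in [("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS),
                       ("never-expires", NEVER_EXPIRES_SUDOERS)]:
        print(name, assess_credential_caching(text))
```

A result with cache_disabled set to True means every sudo call prompts, so a background process has nothing to reuse; a never_expires result is the worst case and worth fixing first. Per session, the user-side equivalent is running sudo -k after the administrative task, which discards the cached authentication immediately.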


