Message-ID: <FF7C7ADD-3AB3-4CFD-BC13-554AED43A046@nuclearelephant.com>
Date: Thu May 19 05:24:29 2005
From: jonathan at nuclearelephant.com (Jonathan Zdziarski)
Subject: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability

I looked around and didn't see any invitation from Apple to report
vulnerabilities, so for now I guess I'll post here and leave it to
someone with a paid developer's account to tell them.

Jonathan

Date: May 19, 2005
Description: OSX 10.4 Dashboard Permits Hijacking of Authenticated Credentials

Versions Affected:
OSX 10.4.0
OSX 10.4.1

About Dashboard:
Mac OSX 10.4 includes a feature called Dashboard, which provides an
environment for mini-applications, called Widgets, to run. Widgets
are commonly freely available for download from a number of trusted
and untrusted sources. Users running Apple's native browser, Safari,
may have downloaded and installed widgets to their dashboard without
even knowing it due to a related security flaw in the Safari browser.

About the Vulnerability:
Dashboard widgets allow system commands to be executed, which is
normally not considered a vulnerability in itself as they run with
the user's permissions. If the user has recently authenticated to
perform a super-user function, however, Dashboard widgets can hijack
these credentials by calling the system's built-in "sudo" command and
execute arbitrary functions with full administrative privileges.
Because the sudo command trusts users based on username and tty, the
widget is never prompted for a sudo password, but immediately
authenticated based on the user's previous manual authentication for
whatever other task they were performing. Because Dashboard widgets
can be modified to run in the background, they can also sit and wait
for a user to authenticate, executing malicious commands when this
occurs.

Combining this vulnerability with Safari's auto-install
vulnerability, it may be possible for a widget to maliciously install
itself by visiting a website, wait for the user to authenticate to
perform a task, and take full control of a system.

Workarounds:
There is presently no workaround available other than to carefully
examine new widgets and their source code prior to installation, or
to avoid using the Dashboard entirely. Examining code isn't a
guarantee, however, as some widgets may contain code in binary form.
To prevent the auto-installation of widgets (and the potential
malicious applications of this function), disable the "Open Safe
Files" checkbox in Safari's General preferences.
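
The advisory turns on sudo reusing a recent authentication instead of prompting again. The following is an added example, not part of the original post: a small audit of sudoers text for the two real sudo options that govern that reuse, `timestamp_timeout` (0 means prompt every time) and `tty_tickets`. The sample sudoers content and the function name are constructed for illustration, and the parser is simplified (no line continuations, no include files, no quoted values).

```python
import re

# Constructed sample sudoers text (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset, !tty_tickets
Defaults:alice timestamp_timeout=0
%admin ALL=(ALL) ALL
"""

def audit_sudo_caching(sudoers_text):
    """Report how global Defaults lines configure sudo credential caching.

    Simplified: treats '#' as a comment start everywhere, so '#include'
    lines and '#uid' references are ignored rather than followed.
    """
    timeout = None      # None = unset, sudo's compiled-in default applies
    tty_tickets = None  # None = unset, default depends on the sudo version
    scoped = []         # per-user/host/command Defaults: reported, not applied
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"Defaults(\S*)\s+(.*)$", line)
        if not m:
            continue
        scope, opts = m.groups()
        for opt in (o.strip() for o in opts.split(",")):
            name, _, value = opt.partition("=")
            name = name.strip()
            is_timeout = name == "timestamp_timeout"
            is_tty = name.lstrip("!") == "tty_tickets"
            if not (is_timeout or is_tty):
                continue
            if scope:                      # e.g. "Defaults:alice ..."
                scoped.append((scope, opt))
            elif is_timeout:
                timeout = float(value)     # minutes; negative = never expires
            else:
                tty_tickets = not name.startswith("!")
    return {
        "timestamp_timeout": timeout,
        "tty_tickets": tty_tickets,
        # Any value other than an explicit 0 leaves a window in which sudo
        # accepts the earlier authentication without prompting.
        "caches_credentials": timeout is None or timeout != 0,
        "scoped": scoped,
    }

if __name__ == "__main__":
    print(audit_sudo_caching(SAMPLE_SUDOERS))
```

Scoped `Defaults` entries are listed separately because they change the behaviour only for the named user, host or command, not globally.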