Re: Apple Safari on MacOSX may reveal user's saved passwords

[graham.coles () the-logic-group com]

I too appear to be having difficulty relating this to a vulnerability.

>  It works for:
>  the same user using ssh as is on the console;

If someone can remotely log in as you over ssh then they already have your 
password (or worse, certificate!), so why would they try to obtain it from 
a browser?

They already have total access to all your files, there would appear to be 
nothing more to gain from this.

>  the root user using ssh (or someone who can sudo) can inject
>  Javascript into the console user's browser;

Are you even considering what you are saying?

Someone has *ROOT* access to your system REMOTELY over ssh and you're 
worried that they might be able to retrieve a password from your keychain. 
By this stage, your entire system and every file in it is pretty much 
owned. It's time to consider a full reinstall with some new, stronger 
authentication.

>  a different non-root user on the console can do it too

Which again restricts this vunerability (as previously mentioned) to an 
attacker who happens to be sitting in front of your machine(!)


It would be more interesting if there were a proper remote expoit (e.g. 
website), but if the remote part means having to be connected to and 
logged in as an individual on the computer, then it's not really a browser 
exploit as all the damage has been done--they will already have full 
access to your keychain and can examine it at as they please, along with 
all your files.


--

Graham Coles




David Cantrell <d.cantrell () outcometechnologies com> 
15/05/2007 23:15

To
bugtraq () securityfocus com
cc

Subject
Re: Apple Safari on MacOSX may reveal user's saved passwords





Injecting Javascript into a browser like this does *not* require that
the attacker be on the local console.  To run Applescript while logged
inremotely using ssh, you can use the 'osascript' utility.

It works for:
the same user using ssh as is on the console;
the root user using ssh (or someone who can sudo) can inject
Javascript into the console user's browser;
a different non-root user on the console can do it too

That last one is particularly worrying, although I've not taken the time
to figure out precisely what works and what doesn't.  My test was to
simply open a Terminal and 'su - foo' before using osascript, but it
might, for instance, be exploitable by a setuid application.

At first glance, Firefox doesn't seem to be vulnerable (although I'm far
from being an Applescript expert) to exactly this attack, but it does
expose at least *some* functionality to Applescript.

--

David Cantrell


The Logic Group Enterprises Limited
Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, UK
Registered in England. Registered No. 2609323