Full Disclosure mailing list archives
Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Daniel <deeper () gmail com>
Date: Thu, 19 May 2005 15:10:26 +0100
OK, let's look at this issue again:
Dashboard widgets can hijack these credentials by calling the system's built-in "sudo" command and execute arbitrary functions with full administrative privileges. Because the sudo command trusts users based on username and tty, the widget is never prompted for a sudo password, but immediately authenticated based on the user's previous manual authentication for whatever other task they were performing. Because Dashboard widgets can be modified to run in the background, they can also sit and wait for a user to authenticate, executing malicious commands when this occurs.
OK, I'm running 10.4.1, I have a piece of JavaScript which calls sudo, yet I'm asked for my password straight after the sudo call has been made, therefore it WILL not run automatically. In order for you to have this fully exploitable widget, you would need the user to first call sudo to perform an action and then have the widget piggyback onto that session, surely?
Combining this vulnerability with Safari's auto-install vulnerability, it may be possible for a widget to maliciously install itself by visiting a website, wait for the user to authenticate to perform a task, and take full control of a system.
With 10.4.1, once any widget has been downloaded, the user is presented with a box warning of the danger. If they do not do anything, the download DOES not take place and there is no code stored on the system.
I'm all for people finding holes in operating systems and reporting them, but with a matter like this it seems that there is more theoretical exploitation than actual exploitation. Tell you what, write up a bad widget and send it to us and let's see if we can replicate it.
P.S. http://www.apple.com/support/security/ that e-mail address works; I've sent in a few issues myself regarding 10.3 and had no problems so far.
On 5/19/05, Jonathan Zdziarski <jonathan () nuclearelephant com> wrote:
Seems to me that you can report bugs from http://developer.apple.com/bugreporter/index.html
Membership is required, but the free "online" membership is sufficient.
Unfortunately, no. After logging in, I get this error when I try and file a bug report:
You do not have access to this Application, Please get access and try again
It appears that you have to pay to report bugs to Apple.
Jonathan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
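An added example, not part of the original post or of anything posted in the thread: the piggybacking discussed above depends on sudo caching a successful login, so this sketch audits sudoers text for the settings that control that cache. The sample sudoers content is constructed, the function names are hypothetical, and the 5-minute default is an assumption (upstream sudo's value; a vendor build may differ).

```python
import re

# Constructed sudoers samples (not from the thread or any real host).
WEAK = """\
Defaults env_reset, timestamp_timeout=15
Defaults !tty_tickets   # one ticket shared by every terminal
%admin ALL=(ALL) ALL
"""
HARDENED = """\
Defaults env_reset
Defaults timestamp_timeout=0
%admin ALL=(ALL) ALL
"""

def parse_defaults(text):
    """Return settings from global 'Defaults' lines; scoped forms such as
    'Defaults:user' are skipped to keep the example small."""
    settings = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()              # drop comments
        m = re.match(r"Defaults\s+(.*)$", line)
        if not m:
            continue
        for item in filter(None, (i.strip() for i in m.group(1).split(","))):
            if "=" in item:
                key, value = item.split("=", 1)
                settings[key.strip()] = value.strip().strip('"')
            else:
                settings[item.lstrip("!").strip()] = not item.startswith("!")
    return settings

def audit(text, default_timeout=5.0):
    """List settings that let another process reuse a prior sudo login.
    default_timeout is an assumption: upstream sudo's 5 minutes."""
    s = parse_defaults(text)
    timeout = float(s.get("timestamp_timeout", default_timeout))
    findings = []
    if timeout < 0:
        findings.append("timestamp_timeout < 0: cached credential never expires")
    elif timeout > 0:
        findings.append(f"cached credential reusable for {timeout:g} min after a login")
    if s.get("tty_tickets") is False or s.get("timestamp_type") == "global":
        findings.append("cached credential is shared across all of the user's ttys")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "prompts for a password on every sudo call")
```

With `timestamp_timeout=0` sudo asks for the password on every invocation, so there is no cached login for a background process to reuse; `sudo -k` discards an existing cached login by hand.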