Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability

[Daniel <deeper () gmail com>]

Ok lets look at this issue again:

> > Dashboard widgets can hijack
> > these credentials by calling the system's built-in "sudo" command and
> > execute arbitrary functions with full administrative privileges.
> > Because the sudo command trusts users based on username and tty, the
> > widget is never prompted for a sudo password, but immediately
> > authenticated based on the user's previous manual authentication for
> > whatever other task they were performing. Because Dashboard widgets
> > can be modified to run in the background, they can also sit and wait
> > for a user to authenticate, executing malicious commands when this
> > occurs.

Ok im running 10.4.1, i have a piece of javascript which calls sudo,
yet im asked for my password straight after the sudo call has been
made, therefore it WILL not run automatically.In order for you to have
this fully exploitable widget, you would need the user to 1st call
sudo to perform and action and then have the widget piggyback onto
that session, surely?

> > Combining this vulnerability with Safari's auto-install
> > vulnerability, it may be possible for a widget to maliciously install
> > itself by visiting a website, wait for the user to authenticate to
> > perform a task, and take full control of a system.

with 10.4.1, once any widget has been downloaded, the user is
presented with a box warning of the danger. If they do not do
anything, the download DOES not take place and there is no code stored
on the system.

I'm all for people finding holes in operating systems and reporting
them, but with a matter like this it seems that there is more
theoretical exploitation than actual exploitation.

Tell you what, write up a bad widget and send it to us and lets see if
we can replicate it..

ps.. http://www.apple.com/support/security/

that e-mail address works, ive sent in a few issues myself regarding
10.3 and had no problems so far


On 5/19/05, Jonathan Zdziarski <jonathan () nuclearelephant com> wrote:
> Seems to me that you can report bugs from
> http://developer.apple.com/bugreporter/index.html
> Membership is required, but the free "online" membership is
> sufficient.
>
> Unfortunately, no. After logging in, I get this error when I try and file a
> bug report:
>
> You do not have access to this Application, Please get access and try again
>
>  
> It appears that you have to pay to report bugs to Apple.
>
> Jonathan 
>
>  
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/