Full Disclosure mailing list archives
Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Jonathan Zdziarski <jonathan () nuclearelephant com>
Date: Thu, 19 May 2005 10:38:41 -0400
> But then isn't this an issue with Sudo's grace period (i.e. should it be tied down to that terminal process calling it and not other ones?)

I suspect that since the dash runs as the user, it's sharing the same tty somehow. It seems to work regardless of where I authenticate.

> I understand the theoretical issue you present, but let's be honest, it's not a vulnerability because to exploit this would require a serious amount of user interaction beforehand

Not beforehand, but at any time. Since widgets run in the background for the duration of the user's session, it can sit and wait for that user to authenticate for something. Whether it's beforehand, or a week later, once they authenticate, the widget can easily hijack the authentication and do whatever it wants to do.

> The same can be said for Linux/Solaris, in fact any OS which uses sudo. Hell, I think Gnome's GDesklets also could be exploited this way as well, and in the case of them you don't even need to be reminded that the content is bad as Firefox just downloads them onto the machine anyway

I'm not sure about gdesklets. I guess it depends on whether it runs on the same tty - assuming that sudo's grace period is tied to the tty + username. Someone should probably test that. But gdesklets isn't built into Linux, and it can probably be set up to run as a different (nonprivileged) user altogether if you tweak your X display permissions. The problem with dashboard is that it's integrated into the dock, and sudo doesn't seem to see a difference between the dashboard and a terminal, or authentication window.

Yes, I realize this is somewhat controversial. I think we can agree on the following at least:
1. Dashboard widgets (and gdesklets) should never be allowed to gain administrative privileges
2. The default grace period configuration in OSX is somewhat insecure

My only other argument is that widgets are a much higher risk than apps with trojans for the following reasons:
1. Widgets run in the background for the duration of the user's session
2. The dashboard is generally not visible to the user unless it is specifically activated
3. Users are likely to download and run many widgets simultaneously
4. Widgets, being mini-applications, cater to a much wider class of users

It is therefore more likely for users to download and install several widgets, some of which may include hidden trojans.
Jonathan
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
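Added example, not part of the original post and not sudo's own code: a small Python audit of a sudoers file for the two settings this thread turns on, the grace period (`timestamp_timeout`) and per-terminal tickets (`tty_tickets`). The fallback defaults used when the file is silent (5 minutes, `tty_tickets` off) and both sample files are assumptions constructed for illustration.

```python
import re

# Assumption: values used when sudoers does not mention a setting.
ASSUMED_DEFAULTS = {"timestamp_timeout": 5.0, "tty_tickets": False}

def effective_grace(sudoers_text, defaults=ASSUMED_DEFAULTS):
    """Resolve timestamp_timeout / tty_tickets from global Defaults lines."""
    state = dict(defaults)
    # Join backslash-continued lines, then walk each logical line in order;
    # later Defaults entries override earlier ones.
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        # Scoped forms (Defaults:user, Defaults@host, ...) are not matched.
        m = re.match(r"Defaults\s+(.*)", line)
        if not m:
            continue
        for item in (i.strip() for i in m.group(1).split(",")):
            if item in ("tty_tickets", "!tty_tickets"):
                state["tty_tickets"] = not item.startswith("!")
            elif item.startswith("timestamp_timeout"):
                state["timestamp_timeout"] = float(item.partition("=")[2])
    return state

def findings(state):
    """List the weaknesses relevant to background processes reusing a login."""
    out, timeout = [], state["timestamp_timeout"]
    if timeout < 0:
        out.append("cached authentication never expires")
    elif timeout > 0:
        out.append(f"grace period of {timeout:g} min: sudo will not re-prompt")
    if timeout != 0 and not state["tty_tickets"]:
        out.append("cached authentication is per-user, not per-terminal")
    return out

# Constructed sample: nothing set, so the assumed defaults apply.
SAMPLE_WEAK = "Defaults env_reset\n%admin ALL=(ALL) ALL\n"
# Constructed sample: always prompt, and bind any ticket to the tty.
SAMPLE_HARDENED = (
    "Defaults env_reset, \\\n"
    "         timestamp_timeout=0   # always ask for the password\n"
    "Defaults tty_tickets\n"
    "%admin ALL=(ALL) ALL\n"
)

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, findings(effective_grace(text)) or "no findings")
```

To check a real system, pass the contents of its sudoers file to `effective_grace` and replace `ASSUMED_DEFAULTS` with the documented defaults of the installed sudo version.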