mailing list archives
Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Jonathan Zdziarski <jonathan () nuclearelephant com>
Date: Thu, 19 May 2005 00:23:46 -0400
I looked around and didn't see any invitation from Apple to report
vulnerabilities, so for now I guess I'll post here and leave it to
someone with a paid developer's account to tell them.
Date: May 19, 2005
Description: OSX 10.4 Dashboard Permits Hijacking of Authenticated
Mac OSX 10.4 includes a feature called Dashboard, which provides an
environment for mini-applications, called Widgets, to run. Widgets
are commonly freely available for download from a number of trusted
and untrusted sources. Users running Apple's native browser, Safari,
may have downloaded and installed widgets to their dashboard without
even knowing it due to a related security flaw in the Safari browser.
About the Vulnerability:
Dashboard widgets allow system commands to be executed, which is
normally not considered a vulnerability in itself as they run with
the user's permissions. If the user has recently authenticated to
perform a super-user function, however, Dashboard widgets can hijack
these credentials by calling the system's built-in "sudo" command and
execute arbitrary functions with full administrative privileges.
Because the sudo command trusts users based on username and tty, the
widget is never prompted for a sudo password, but immediately
authenticated based on the user's previous manual authentication for
whatever other task they were performing. Because Dashboard widgets
can be modified to run in the background, they can also sit and wait
for a user to authenticate, executing malicious commands when this
Combining this vulnerability with Safari's auto-install
vulnerability, it may be possible for a widget to maliciously install
itself by visiting a website, wait for the user to authenticate to
perform a task, and take full control of a system.
There is presently no workaround available other than to carefully
examine new widgets and their source code prior to installation, or
to avoid using the Dashboard entirely. Examining code isn't a
guarantee, however, as some widgets may contain code in binary form.
To prevent the auto-installation of widgets (and the potential
malicious applications of this function), disable the "Open Safe
Files" checkbox in Safari's General preferences.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability ph0enix (May 19)
- Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability Jonathan Zdziarski (May 19)