Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Jonathan Zdziarski <jonathan () nuclearelephant com>
Date: Thu, 19 May 2005 00:23:46 -0400

I looked around and didn't see any invitation from Apple to report vulnerabilities, so for now I guess I'll post here and leave it to someone with a paid developer's account to tell them.


Date: May 19, 2005
Description: OSX 10.4 Dashboard Permits Hijacking of Authenticated Credentials

Versions Affected:
OSX 10.4.0
OSX 10.4.1

About Dashboard:
Mac OSX 10.4 includes a feature called Dashboard, which provides an environment for mini-applications, called Widgets, to run. Widgets are commonly freely available for download from a number of trusted and untrusted sources. Users running Apple's native browser, Safari, may have downloaded and installed widgets to their dashboard without even knowing it due to a related security flaw in the Safari browser.

About the Vulnerability:
Dashboard widgets allow system commands to be executed, which is normally not considered a vulnerability in itself as they run with the user's permissions. If the user has recently authenticated to perform a super-user function, however, Dashboard widgets can hijack these credentials by calling the system's built-in "sudo" command and execute arbitrary functions with full administrative privileges. Because the sudo command trusts users based on username and tty, the widget is never prompted for a sudo password, but immediately authenticated based on the user's previous manual authentication for whatever other task they were performing. Because Dashboard widgets can be modified to run in the background, they can also sit and wait for a user to authenticate, executing malicious commands when this occurs.

Combining this vulnerability with Safari's auto-install vulnerability, it may be possible for a widget to maliciously install itself by visiting a website, wait for the user to authenticate to perform a task, and take full control of a system.

There is presently no workaround available other than to carefully examine new widgets and their source code prior to installation, or to avoid using the Dashboard entirely. Examining code isn't a guarantee, however, as some widgets may contain code in binary form. To prevent the auto-installation of widgets (and the potential malicious applications of this function), disable the "Open Safe Files" checkbox in Safari's General preferences.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]