Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Daniel <deeper () gmail com>
Date: Thu, 19 May 2005 15:10:26 +0100

Ok lets look at this issue again:

Dashboard widgets can hijack
these credentials by calling the system's built-in "sudo" command and
execute arbitrary functions with full administrative privileges.
Because the sudo command trusts users based on username and tty, the
widget is never prompted for a sudo password, but immediately
authenticated based on the user's previous manual authentication for
whatever other task they were performing. Because Dashboard widgets
can be modified to run in the background, they can also sit and wait
for a user to authenticate, executing malicious commands when this
occurs.

Ok im running 10.4.1, i have a piece of javascript which calls sudo,
yet im asked for my password straight after the sudo call has been
made, therefore it WILL not run automatically.In order for you to have
this fully exploitable widget, you would need the user to 1st call
sudo to perform and action and then have the widget piggyback onto
that session, surely?

Combining this vulnerability with Safari's auto-install
vulnerability, it may be possible for a widget to maliciously install
itself by visiting a website, wait for the user to authenticate to
perform a task, and take full control of a system.

with 10.4.1, once any widget has been downloaded, the user is
presented with a box warning of the danger. If they do not do
anything, the download DOES not take place and there is no code stored
on the system.

I'm all for people finding holes in operating systems and reporting
them, but with a matter like this it seems that there is more
theoretical exploitation than actual exploitation.

Tell you what, write up a bad widget and send it to us and lets see if
we can replicate it..

ps.. http://www.apple.com/support/security/

that e-mail address works, ive sent in a few issues myself regarding
10.3 and had no problems so far


On 5/19/05, Jonathan Zdziarski <jonathan () nuclearelephant com> wrote:

Seems to me that you can report bugs from
http://developer.apple.com/bugreporter/index.html
Membership is required, but the free "online" membership is
sufficient.

Unfortunately, no. After logging in, I get this error when I try and file a
bug report:

You do not have access to this Application, Please get access and try again

 
It appears that you have to pay to report bugs to Apple.

Jonathan 

 
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault