Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Daniel <deeper () gmail com>
Date: Thu, 19 May 2005 15:25:44 +0100

But then isnt this an issue with Sudo's grace period (ie should it be
tied down to that terminal process calling it and not other ones?)

I understand the theoretical issue you present, but lets be honest,
its not a vulnerability because to exploit this would require a
serious amount of user interaction beforehand

The same can be said for Linux/Solaris, in fact any OS which uses
sudo. Hell i think Gnomes GDesklets also could be exploited this was
as well, and in the case of them you dont even need to be reminded
that the content is bad as firefox just downloads them onto the
machine anyway

On 5/19/05, Jonathan Zdziarski <jonathan () nuclearelephant com> wrote:

Ok im running 10.4.1, i have a piece of javascript which calls sudo,
yet im asked for my password straight after the sudo call has been
made, therefore it WILL not run automatically.In order for you to have
this fully exploitable widget, you would need the user to 1st call
sudo to perform and action and then have the widget piggyback onto
that session, surely?

Right. If you call sudo for anything else on your system, the widget can
hijack this because Apple's implementation of sudo comes default with a
grace period.

with 10.4.1, once any widget has been downloaded, the user is
presented with a box warning of the danger. If they do not do
anything, the download DOES not take place and there is no code stored
on the system.

Actually they're not prompted to execute it. They're prompted to download
it. The user has the option to either download and install, or not download
at all. But even without auto-install, this is still an issue, as people are
likely to run several widgets without any knowledge of a trojan. Like I said
in an earlier reply, you have 5-10 widgets all running in the background,
invisible to a user, and the nature of widgets themselves make them ideal
targets for malware. They're small applications that don't fall under the
same scrutiny as other applications.

I'm all for people finding holes in operating systems and reporting
them, but with a matter like this it seems that there is more
theoretical exploitation than actual exploitation.
Tell you what, write up a bad widget and send it to us and lets see if
we can replicate it..

ps.. http://www.apple.com/support/security/

Just add this line to any existing widget's "show" code, or background code
if it has any:

widget.system("sudo id >> /tmp/out", null);

Then at some point in the future, authenticate for something. The next time
the widget code runs (which could be in the background depending on the
widget, or next time you view the dashboard), you'll see root in that file.

This is not a hard concept to grasp.

that e-mail address works, ive sent in a few issues myself regarding
10.3 and had no problems so far

Thanks for the link.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]