Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Jonathan Zdziarski <jonathan () nuclearelephant com>
Date: Thu, 19 May 2005 10:20:18 -0400

Ok im running 10.4.1, i have a piece of javascript which calls sudo,
yet im asked for my password straight after the sudo call has been
made, therefore it WILL not run automatically.In order for you to have
this fully exploitable widget, you would need the user to 1st call
sudo to perform and action and then have the widget piggyback onto
that session, surely?

Right. If you call sudo for anything else on your system, the widget can hijack this because Apple's implementation of sudo comes default with a grace period.

with 10.4.1, once any widget has been downloaded, the user is
presented with a box warning of the danger. If they do not do
anything, the download DOES not take place and there is no code stored
on the system.

Actually they're not prompted to execute it. They're prompted to download it. The user has the option to either download and install, or not download at all. But even without auto-install, this is still an issue, as people are likely to run several widgets without any knowledge of a trojan. Like I said in an earlier reply, you have 5-10 widgets all running in the background, invisible to a user, and the nature of widgets themselves make them ideal targets for malware. They're small applications that don't fall under the same scrutiny as other applications.

I'm all for people finding holes in operating systems and reporting
them, but with a matter like this it seems that there is more
theoretical exploitation than actual exploitation.
Tell you what, write up a bad widget and send it to us and lets see if
we can replicate it..

ps.. http://www.apple.com/support/security/

Just add this line to any existing widget's "show" code, or background code if it has any:

widget.system("sudo id >> /tmp/out", null);

Then at some point in the future, authenticate for something. The next time the widget code runs (which could be in the background depending on the widget, or next time you view the dashboard), you'll see root in that file.

This is not a hard concept to grasp.

that e-mail address works, ive sent in a few issues myself regarding
10.3 and had no problems so far

Thanks for the link.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]