Full Disclosure mailing list archives

Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Jonathan Zdziarski <jonathan () nuclearelephant com>
Date: Thu, 19 May 2005 10:38:41 -0400

> But then isn't this an issue with Sudo's grace period (i.e. should it be
> tied down to that terminal process calling it and not other ones?)

I suspect that since the dash runs as the user, it's sharing the same tty somehow. It seems to work regardless of where I authenticate.

> I understand the theoretical issue you present, but let's be honest,
> it's not a vulnerability because to exploit this would require a
> serious amount of user interaction beforehand.

Not beforehand, but at any time. Since widgets run in the background for the duration of the user's session, it can sit and wait for that user to authenticate for something. Whether it's beforehand, or a week later, once they authenticate, the widget can easily hijack the authentication and do whatever it wants to do.

> The same can be said for Linux/Solaris, in fact any OS which uses
> sudo. Hell, I think Gnome's GDesklets also could be exploited this way
> as well, and in the case of them you don't even need to be reminded
> that the content is bad as Firefox just downloads them onto the
> machine anyway.

I'm not sure about gdesklets. I guess it depends on whether it runs on the same tty - assuming that sudo's grace period is tied to the tty + username. Someone should probably test that. But gdesklets isn't built into Linux, and it can probably be set up to run as a different (nonprivileged) user altogether if you tweak your X display permissions. The problem with dashboard is that it's integrated into the dock, and sudo doesn't seem to see a difference between the dashboard and a terminal, or authentication window.

Yes, I realize this is somewhat controversial. I think we can agree on the following at least:

1. Dashboard widgets (and gdesklets) should never be allowed to gain administrative privileges
2. The default grace period configuration in OSX is somewhat insecure

My only other argument is that widgets are a much higher risk than apps with trojans for the following reasons:

1. Widgets run in the background for the duration of the user's session
2. The dashboard is generally not visible to the user unless it is specifically activated
3. Users are likely to download and run many widgets simultaneously
4. Widgets, being mini-applications, cater to a much wider class of users

It is therefore more likely for users to download and install several widgets, some of which may include hidden trojans.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
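The thread turns on how long sudo caches an authentication and whether that cache is shared across ttys. The following is an added example, not part of this post or the thread: a small POSIX shell audit that reads a sudoers file and reports on the two real sudo(8) `Defaults` options that bound that window, `timestamp_timeout` (minutes a cached authentication stays valid; 0 means always re-prompt) and `tty_tickets` (cache per tty rather than per user). The two sudoers files it checks are constructed samples written to `/tmp`; the function and variable names are my own. It makes no claim about what any particular OS X or sudo version ships as its built-in default.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sudoers file for the
# Defaults that bound sudo's credential-caching window.
#   timestamp_timeout=N  minutes a cached authentication stays valid (0 = re-prompt every time)
#   tty_tickets          cache per tty, so a process on another tty cannot reuse it
# audit_sudoers FILE prints findings and returns 0 if hardened, 1 otherwise.
audit_sudoers() {
    file="$1"
    status=0
    # Drop comments, keep only Defaults lines (empty string if there are none).
    defaults=$(sed 's/#.*//' "$file" | grep -E '^[[:space:]]*Defaults' || true)

    # Last timestamp_timeout assignment wins, as sudo reads the file top to bottom.
    timeout=$(printf '%s\n' "$defaults" \
        | sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-*[0-9]*\).*/\1/p' \
        | tail -n 1)
    case "$timeout" in
        "")  echo "WARN: timestamp_timeout not set; the compiled-in default applies"
             status=1 ;;
        -*)  echo "WARN: timestamp_timeout=$timeout; cached authentication never expires"
             status=1 ;;
        0)   echo "OK: timestamp_timeout=0, every sudo invocation re-prompts" ;;
        *)   echo "WARN: timestamp_timeout=$timeout; cached authentication reusable for $timeout minutes"
             status=1 ;;
    esac

    if printf '%s\n' "$defaults" | grep -qE '(^|[[:space:],])!tty_tickets([[:space:],]|$)'; then
        echo "WARN: tty_tickets disabled; one cached authentication serves every tty of the user"
        status=1
    elif printf '%s\n' "$defaults" | grep -qE '(^|[[:space:],])tty_tickets([[:space:],]|$)'; then
        echo "OK: tty_tickets set, cache is per tty"
    else
        echo "NOTE: tty_tickets not set; behaviour depends on this sudo build's default"
        status=1   # not proven safe, so flag it
    fi
    return $status
}

# Constructed sample files (not real system configuration).
WEAK_SUDOERS="/tmp/sudoers.weak.$$"
HARD_SUDOERS="/tmp/sudoers.hard.$$"
cat > "$WEAK_SUDOERS" <<'EOF'
# constructed sample: relies entirely on compiled-in defaults
Defaults env_reset
%admin ALL=(ALL) ALL
EOF
cat > "$HARD_SUDOERS" <<'EOF'
# constructed sample: no grace period, and the cache is per tty anyway
Defaults env_reset, timestamp_timeout=0, tty_tickets
%admin ALL=(ALL) ALL
EOF

echo "== weak sample =="
audit_sudoers "$WEAK_SUDOERS" || echo "-> weak sample fails the audit"
echo "== hardened sample =="
audit_sudoers "$HARD_SUDOERS" && echo "-> hardened sample passes the audit"
```

Run it against a copy of the real file (`visudo -c` afterwards if you change anything), and note that `sudo -K` drops the current cached authentication immediately, which is the quick manual fix between shell sessions while the Defaults above are the durable one.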
