[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
- To: ph0enix <ph0enix@xxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
- From: Jonathan Zdziarski <jonathan@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 19 May 2005 08:37:52 -0400
On May 19, 2005, at 8:31 AM, ph0enix wrote:
widget.system("sudo id >> /tmp/out", null);
ok, but this is not only specific to Dashboard widgets or Mac OS X
10.4. This is also possible with every other malicious application
which waits in the background until the user hits the sudo command
to elevate its privileges. Also, if you remove the password grace
period in the /etc/sudoers file, the trick will not work.
The problem here is that widgets are often thought of as mini-
applications, and run with the appearance of being in a different
environment (e.g. your dashboard). And they run a lot of them.
They're not likely to assume that widgets can contain trojans or be
cautious of what they download like they are regular applications.
The big problem is that Dashboard provides an interface for
javascript (and other code) to execute programs on your machine, so
any stupid kid out there can code up a malicious *javascript* widget
that could gain full administrative privileges. Apple shouldn't be
allowing this interface to access sudo IMO.
That workaround you've suggested works, I've added:
Defaults:ALL timestamp_timeout=0
to /etc/sudoers. Thanks for the tip.
Jonathan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/