#1
Widget Authentication Hijacking Vulnerability

I looked around and didn't see any invitation from Apple to report vulnerabilities, so for now I guess I'll post here and leave it to someone with a paid developer's account to tell them.

Date: May 19, 2005

Description: OSX 10.4 Dashboard Permits Hijacking of Authenticated Credentials

Versions Affected:
OSX 10.4.0
OSX 10.4.1

About Dashboard:
Mac OSX 10.4 includes a feature called Dashboard, which provides an environment for mini-applications, called Widgets, to run. Widgets are commonly freely available for download from a number of trusted and untrusted sources. Users running Apple's native browser, Safari, may have downloaded and installed widgets to their dashboard without even knowing it due to another security flaw.

About the Vulnerability:
Dashboard widgets allow system commands to be executed, which is normally not considered a vulnerability as they run with the user's permissions. If the user has recently authenticated to perform a super-user function, however, Dashboard widgets can hijack these credentials by calling the system's built-in "sudo" command and execute arbitrary functions with full administrative privileges. Because the sudo command trusts users based on username and tty, the widget is never prompted for a sudo password, but immediately authenticated based on the user's previous manual authentication for whatever other task they were performing. Because Dashboard widgets can be modified to run in the background, they can also sit and wait for a user to authenticate, executing malicious commands when this occurs.

Workarounds:
There is presently no workaround available other than to carefully examine new widgets and their source code prior to installation, or to avoid using the Dashboard entirely. Examining code isn't a guarantee, however, as some widgets may contain code in binary form.

To prevent the auto-installation of widgets (and the potential malicious applications of this function), disable the "Open Safe Files" checkbox in Safari's General preferences.
|
#2
Already covered here and a simple fix suggested by me.

#3
If you carefully read the first post, this is different, satcomer. This is not about the automatic installing of widgets, rather it's about the user authenticating as administrator somewhere else in the system, and if that authentication is still active (hasn't timed out), and you invoke dashboard, a malicious widget could run commands on the shell as superuser. In the really worst case, this could mean that an otherwise "good" widget (i.e. one you want to run), checks for sudo-ability in the background whenever dashboard is active, and only if it _can_ run commands as superuser, it might alter/remove/run files that only root/su should be able to run. This _is_ an issue still not solved.

#4
Quote:

#5
It appears that if you authenticate anywhere on the system using sudo, the Widget can take advantage of it. This, of course, opens the door for worms, hackers, drones, spyware, and anything else you can think of - whether the widget was auto-installed or not. Don't feel bad Satcomer, you're not the only one who didn't read the advisory completely - I'm getting bombarded with email from people telling me this has been known about for several days. Makes me wonder if anybody reads anything these days.

#6
Here's a workaround suggested by someone on the full disclosure list. Remove the sudo grace period by adding:

    Defaults:ALL timestamp_timeout=0

to /etc/sudoers. Why this was not made the default I don't know.

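The sudoers workaround in the post above can be audited with a short script. This is an added example, not part of the original thread: the function names are hypothetical, the 5-minute fallback is an assumed sudo build default, and the two sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a sudoers-format file for the sudo grace period.
# Assumption: 5 minutes is the compiled-in default when nothing is set;
# builds differ, so confirm on a live system with `sudo -V` run as root.
DEFAULT_GRACE=5

# sudo_grace_minutes FILE (hypothetical helper)
# Prints the effective timestamp_timeout from global `Defaults` and
# `Defaults:ALL` entries; a later entry overrides an earlier one.
sudo_grace_minutes() {
    awk -v grace="$DEFAULT_GRACE" '
        /^[ \t]*#/ { next }    # skip comment lines
        /^[ \t]*Defaults(:ALL)?[ \t]/ {
            if (match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9]+(\.[0-9]+)?/)) {
                v = substr($0, RSTART, RLENGTH)
                sub(/^[^=]*=[ \t]*/, "", v)    # keep only the value
                grace = v
            }
        }
        END { print grace }
    ' "$1"
}

# grace_verdict FILE (hypothetical helper)
# A value of 0 means sudo asks for the password every time, so there is no
# cached authentication for another process of the same user to reuse.
grace_verdict() {
    g=$(sudo_grace_minutes "$1")
    case "$g" in
        0|0.0) echo "OK: no grace period" ;;
        -*)    echo "FAIL: credentials never expire" ;;
        *)     echo "WARN: ${g}-minute grace period" ;;
    esac
}

# Constructed sample files: one without the setting, one with the workaround.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Defaults env_reset\n%%admin ALL=(ALL) ALL\n' > "$tmp/stock"
printf 'Defaults env_reset\nDefaults:ALL timestamp_timeout=0\n' > "$tmp/hardened"

grace_verdict "$tmp/stock"
grace_verdict "$tmp/hardened"
```

Files pulled in through include directives and Defaults entries scoped to a single user, host or command are not examined.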
#7
Quote:
mumble... mumble... lies... mumble... damn lies... mumble... and internet FUD...

#8
Yeah, I tried that. After logging into the ADC, I tried to use the bug reporting tool. I was told I didn't have permission to access that application. Someone gave me this URL, however... http://www.apple.com/support/security/