Widget Authentication Hijacking Vulnerability

jzdziarski

I looked around and didn't see any invitation from Apple to report vulnerabilities, so for now I guess I'll post here and leave it to someone with a paid developer's account to tell them.

Date: May 19, 2005
Description: OSX 10.4 Dashboard Permits Hijacking of Authenticated Credentials

Versions Affected:
OSX 10.4.0
OSX 10.4.1

About Dashboard:
Mac OSX 10.4 includes a feature called Dashboard, which provides an environment for mini-applications, called Widgets, to run. Widgets are commonly freely available for download from a number of trusted and untrusted sources. Users running Apple's native browser, Safari, may have downloaded and installed widgets to their dashboard without even knowing it due to another security flaw.

About the Vulnerability:
Dashboard widgets allow system commands to be executed, which is normally not considered a vulnerability as they run with the user's permissions. If the user has recently authenticated to perform a super-user function, however, Dashboard widgets can hijack these credentials by calling the system's built-in "sudo" command and execute arbitrary functions with full administrative privileges. Because the sudo command trusts users based on username and tty, the widget is never prompted for a sudo password, but immediately authenticated based on the user's previous manual authentication for whatever other task they were performing. Because Dashboard widgets can be modified to run in the background, they can also sit and wait for a user to authenticate, executing malicious commands when this occurs.

Workarounds:
There is presently no workaround available other than to carefully examine new widgets and their source code prior to installation, or to avoid using the Dashboard entirely. Examining code isn't a guarantee, however, as some widgets may contain code in binary form. To prevent the auto-installation of widgets (and the potential malicious applications of this function), disable the "Open Safe Files" checkbox in Safari's General preferences.
 
If you carefully read the first post, this is different, satcomer. This is not about the automatic installing of widgets, rather it's about the user authenticating as administrator somewhere else in the system, and if that authentication is still active (hasn't timed out), and you invoke dashboard, a malicious widget could run commands on the shell as superuser.
In the really worst case, this could mean that an otherwise "good" widget (i.e. one you want to run) checks for sudo-ability in the background whenever dashboard is active, and only if it _can_ run commands as superuser, it might alter/remove/run files that only root/su should be able to run. This _is_ an issue still not solved.
 
jzdziarski said:
If the user has recently authenticated to perform a super-user function, however, Dashboard widgets can hijack these credentials by calling the system's built-in "sudo" command and execute arbitrary functions with full administrative privileges. Because the sudo command trusts users based on username and tty, the widget is never prompted for a sudo password, but immediately authenticated based on the user's previous manual authentication for whatever other task they were performing.

but does this phrase mean that in order to allow this vulnerability to be exploited I should have authenticated as root, or just as administrator?
 
It appears that if you authenticate anywhere on the system using sudo, the Widget can take advantage of it. This, of course, opens the door for worms, hackers, drones, spyware, and anything else you can think of - whether the widget was auto-installed or not.

Don't feel bad Satcomer, you're not the only one who didn't read the advisory completely - I'm getting bombarded with email from people telling me this has been known about for several days. Makes me wonder if anybody reads anything these days.
 
Here's a workaround suggested by someone on the full disclosure list. Remove the sudo grace period by adding:

Defaults:ALL timestamp_timeout=0

To /etc/sudoers. Why this was not made the default I don't know.
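Added here as a worked check, not code from the thread or from Apple: a small shell script that tells whether a sudoers file actually carries the workaround above (a commented-out copy of the line does not count), plus the commands an unprivileged process uses to probe the cached credential and the user uses to drop it. The sudoers texts are constructed samples; `sudo -n` (non-interactive) is assumed to be available, which holds for sudo 1.7 and later but not for the 10.4-era sudo the thread is about, where a password prompt with no tty simply fails or hangs. `Defaults:ALL` scopes the setting to every user, the same effect as a bare `Defaults timestamp_timeout=0`; later sudo releases also turned `tty_tickets` on by default, which is the per-terminal scoping asked for further down this thread.

```shell
#!/bin/sh
# Added example (not from the thread): checks whether a sudoers file disables
# sudo's credential cache, and shows how the cache is probed and dropped.

# Exit 0 when the sudoers text on stdin disables the grace period, i.e. some
# Defaults line (Defaults, Defaults:user, Defaults@host, Defaults!cmd) sets
# timestamp_timeout to exactly 0. Comments are stripped first so a commented-out
# line does not count. A negative value makes the timestamp never expire, so
# only 0 is accepted. Presence is checked, not scope: a Defaults:alice line
# would also match, so read the matched line if users other than yourself matter.
sudoers_disables_cache() {
    sed 's/#.*//' |
    grep -Eq '^[[:space:]]*Defaults([[:space:]]|[:@!]).*timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:],]|$)'
}

# Parse a candidate sudoers file without installing it (visudo -c -f). Install
# it with visudo afterwards; never edit /etc/sudoers in place.
check_sudoers_file() {
    visudo -c -f "$1"
}

# What any process running as the user (a widget, a cron job) can do to learn
# whether a cached credential is usable right now, without ever prompting.
# Assumes sudo 1.7+ for the -n flag. Exit 0 means "sudo would run without a password".
sudo_cache_usable() {
    sudo -n true 2>/dev/null
}

# The user-side counterpart: sudo -K removes the timestamp file outright, so
# nothing can ride on it once the privileged command has finished.
drop_sudo_cache() {
    sudo -K
}

# Constructed samples: a stock-looking file, the hardened one, and one where
# the workaround is only present as a comment.
SUDOERS_DEFAULT='# sudoers file
Defaults    env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

SUDOERS_HARDENED='# sudoers file
Defaults    env_reset
Defaults:ALL timestamp_timeout=0
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

SUDOERS_COMMENTED='# Defaults:ALL timestamp_timeout=0
root    ALL=(ALL) ALL'

# Report each sample; only SUDOERS_HARDENED closes the window the advisory describes.
for name in SUDOERS_DEFAULT SUDOERS_HARDENED SUDOERS_COMMENTED; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | sudoers_disables_cache; then
        echo "$name: grace period disabled"
    else
        echo "$name: grace period still active (a background widget can wait for it)"
    fi
done
```

Run it as an ordinary user to see the three verdicts; `check_sudoers_file` and `drop_sudo_cache` need sudo/visudo on the box and are not exercised by the loop. Note that with `timestamp_timeout=0` every sudo invocation prompts, which is exactly the behaviour the posts below argue for.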
 
jzdziarski said:
I looked around and didn't see any invitation from Apple to report vulnerabilities, so for now I guess I'll post here and leave it to someone with a paid developer's account to tell them.

Just a point of information. You can submit bugs with the FREE online developer membership, you do not have to pay anything.

mumble... mumble... lies... mumble... damn lies... mumble... and internet FUD...
 
That is something that they should improve. I don't think that sudo should be allowed to execute at all via Dashboard. Having it able to run any command whatsoever isn't really a good idea.

Just imagine some widget that is not sleeping running the command sudo rm -rf / every 2 seconds.

Most of the time it would fail but if you then sudo xxxx something else in Terminal you could wipe out most of your HD in seconds.

This command would have to be hidden behind some real use for the widget but there's nothing stopping someone from making some dancing girl widget with a malicious intent.

In addition I think sudo timeout should be limited to each Terminal session/window and not a global setting.
 
I think part of the problem is that the Dock probably uses the same tty as everything else running in the GUI portion of the system. Being part of the Dock seems dumb to me, as I'd think everything you launched off the Dock would have it as a parent (including widgets).

But why have a grace period at all? Just make users type their password repeatedly. If someone needs to execute _that_ many commands as root, do a 'sudo -s' and get a root shell. I removed my timeout - no more problem.

But yeah, it'd be nice to limit it to one specific application or terminal.
 
This is where I think security is more important than usability. Apple should make the time out default.

Thanks for the tip.
 
Hmm, interesting. But is there some reason that plain old applications can't do the same thing, i.e. was this not possible until the advent of Dashboard?
 
Apps could do the same thing, but widgets I feel are a higher risk, because:

1. Nobody suspects JavaScript to be able to execute binaries (they were given an interface in widgets)
2. Widgets run in the background for the duration of the user's session
3. The dashboard is generally not visible to the user unless it is specifically activated
4. Users are likely to download and run many widgets simultaneously
5. Widgets, being mini-applications, cater to a much wider class of users
6. To make a good trojan all you have to do is write a few lines of widget code to make it interesting enough to download...and people will blindly download and run it (the cattle theory)
 
Yeah, the risk is definitely higher, but I suppose the potential is about the same. In any case, this will be something to watch out for.
 
Shall I be the one painting the _really_ dark picture? We've always said that the Mac was inherently safe. That Mac viruses wouldn't spread like Windows viruses, because they couldn't use the Mac's E-Mail applications like they could with Windows, spreading stuff quickly all over the place.

1.) Someone writes a malicious Dashboard widget that looks delicious.
2.) Someone writes a Windows worm/virus combo that spreads all over the net.
3.) The worm starts using the Windows machines and will be sending out millions of E-Mails containing the Dashboard widget.

Windows, in this dark picture, will be a needed part. But it's not like there weren't any Windows machines out there, right?
 
fryke said:
Shall I be the one painting the _really_ dark picture? We've always said that the Mac was inherently safe. That Mac viruses wouldn't spread like Windows viruses, because they couldn't use the Mac's E-Mail applications like they could with Windows, spreading stuff quickly all over the place.

1.) Someone writes a malicious Dashboard widget that looks delicious.
2.) Someone writes a Windows worm/virus combo that spreads all over the net.
3.) The worm starts using the Windows machines and will be sending out millions of E-Mails containing the Dashboard widget.

Windows, in this dark picture, will be a needed part. But it's not like there weren't any Windows machines out there, right?

Well, if you have Postfix enabled on your computer, all you need is a short shell script to send mail. Another script can get to your address book to extract the mail addresses.

I don't believe that this is a great risk though, users running Postfix often know what they're doing, and probably are more paranoid than other users ('nix admins are, it's a prerequisite :D ). Still, a heads up is nice.

I really have mixed feeling about this Dashboard thing. There are a lot of things you can do without sudo in a shell script, and the ability to run them without user intervention in Dashboard can lead to all sorts of trouble.

I hate scaremongering, and we haven't actually seen any really bad stuff being propagated yet. We have however seen convincing proof of concept, like the autoloading (and really annoying) zaptastic*, so I guess a heads up is in place.


*/ Yes, I know. The autoloading hole has been plugged in 10.4.1, but it was rather worrying, and I thought it was worth mentioning.
 
I wouldn't say it was plugged in 10.4.1, at least adequately. Safari now asks you if you want to download the application. It says nothing about running it...so your choice is to either not download it, or download+install it. That seems pretty asinine to me.

I don't think anyone's trying to create a scare tactic; the reason advisories like this exist is to warn people so that there aren't any actual exploits. Something like this, which has a workaround, should be reassuring rather than scary. I think the Apple user scene is just not very used to experiencing many security vulnerabilities, at least as many as windows and *nix users.

My biggest frustration isn't these two holes, but the fact that the dashboard is so well integrated with the operating system. It shouldn't be a part of the dock IMO. There should be a "widgetd" process of some sort running, perhaps even as an unprivileged user like 'nobody'.
 
My comment about scare tactics wasn't directed towards any of the other posts in this thread. This thread is rather balanced and deals with the problem in a sane way. Possibilities explored and explained without exaggerations and unnecessary extrapolations into an abysmal future.

I just wanted to explain that I don't want to scare anyone, but that it might be appropriate to be a little extra careful when selecting widgets to install.

I also agree that the hole isn't totally plugged, but the worst part of it is. A widget can't sneak by you without your knowledge anymore. Another thing they should have done was to make "Open 'safe' files after download" deselected by default. Either that, or don't include .wdgt files in the list of "safe files".
 