Focus on Apple
Mac OS X Dashboard Widget Vulnerabilities? Dec 04 2007 07:21PM
Todd Woodward (todd_woodward symantec com) (1 replies)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 05 2007 01:27PM
Don (drhodes mail colgate edu) (2 replies)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 05 2007 08:48PM
Derek Chesterfield (dez mac com) (1 replies)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 05 2007 11:27PM
Don (drhodes mail colgate edu) (1 replies)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 06 2007 09:21PM
Mark Senior (senatorfrog gmail com) (1 replies)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 09 2007 10:59PM
Tyrel McMahan (tyrel mcmahan gmail com)
Everyone,
Just in case some of you were wondering how serious this is (myself
included), apparently this has actually got the attention of some
hackers/security specialists in Europe. It will be presented at the CCC
Conference in Germany at the end of December. Here's a URL:

http://log.does-not-exist.org/archives/2007/12/03/2155_json_eval_owning_the_dashboard.html
http://events.ccc.de/congress/2007/Lightning_Talks (under the title:
Owning Widgets)

I plan on attending the event and reporting about it on my podcast and radio
program: www.SitesCollide.com

I'm curious about this too because I have Macs myself. I appreciate any
feedback, and any questions you put here I'll be SURE to ask those guy(s), if
for nothing else just to get some feedback on what their approach is. I'll keep
you posted.

Regards,
--
Tyrel McMahan

GPG Public Key:
8F0A 70CE EF4D 623D 46CE D93A BFE5 2F5E 5883 EEB7

On Dec 6, 2007 10:21 PM, Mark Senior <senatorfrog (at) gmail (dot) com [email concealed]> wrote:

> It's worth noting that none of the included widgets seems to commit the
> sin that makes this particular attack possible - i.e. to download
> javascript over HTTP, and pass that straight to the javascript parser,
> particularly while running in a sandbox environment that allows file system
> access.
>
> I haven't pored over these widgets looking for subtle vulnerabilities -
> the extent of my research was:
>
> find /Library/Widgets -name Info.plist -print0 | xargs -0 grep Allow
> find /Library/Widgets -name '*.js' -print0 | xargs -0 grep eval
>
> Correlating the two shows that:
>
> - no included widget has the AllowFullAccess sandbox setting
> - only two have AllowFileAccessOutsideOfWidget. Of those two, neither
> contains calls to eval
> - four have AllowInternetPlugins (this might make them an exposure vector
> for QuickTime vulnerabilities, for example).
>
> The vulnerable widgets under discussion are "third party" widgets. I'm
> not exactly sure what is implied by their being linked on Apple's site -
> probably not much.
>
> Regards
> Mark
>
> On Dec 5, 2007 4:27 PM, Don wrote:
>
> > As you and Mark stated, the possibility of grabbing control of a widget that
> > is already installed is far more likely to be used, and a good target would
> > be the default weather widget that is on by default.
> >
> > It would be nice if Apple made it easy to turn off Dashboard, or even
> > require people to turn it on if they want to use it. This could be said for
> > a few other 'processes'/'features' that are on by default.
> >
> > --
> > Don
> >
> >
> > On 12/5/07 2:48 PM, "Derek Chesterfield" wrote:
> >
> > > Actually, it is worse than that. This is not just a problem because
> > > people download untrusted widgets.
> > >
> > > The real problem is that even a trusted widget can be compromised.
> > > Much like using 'trusted' software like Second Life, then getting
> > > hacked via Quicktime, you could use a 'trusted' widget that accesses
> > > web content. In the case of Twitter, or other Web 2.0 apps, the
> > > content being accessed by the widget could be anything an imaginative
> > > user can come up with. And that could compromise the widget much like
> > > the Quicktime bug compromises Second Life's client software.
> > >
> > > It should be possible to secure the widget by sanity-checking the web
> > > content it retrieves [which Second Life can't do in my not-completely-
> > > comparable comparison, because it is actually Quicktime getting
> > > hacked, not SL].
> > >
> > > On 5 Dec 2007, at 13:27, Don wrote:
> > >
> > >> That does sound bad. It relies on people downloading and installing
> > >> widgets from an unknown source, which would probably be the biggest area
> > >> this would be exploited; which is much easier than installing a program since
> > >> it does not even ask for a password to install widgets.
> > >>
> > >> Now if someone could take over a widget after it has been installed,
> > >> that would be another issue, i.e. any of the 'default' widgets. That
> > >> would greatly increase the seriousness of this threat.
> > >>
> > >> All roads lead back to operating your Mac with a non-administrator
> > >> account. If the attack was via hijacking an already installed widget and you
> > >> were running under a non-privileged account, that should 'protect' the
> > >> system somewhat. However, if it was through a bad widget that is going to be
> > >> installed, only your fingers can truly stop that.
> > >>
> > >> Hopefully I am not too far off base on this.
> > >>
> > >> --
> > >> Don
> > >>
> > >>
> > >> On 12/4/07 1:21 PM, "Todd Woodward" <todd_woodward (at) symantec (dot) com [email concealed]>
> > >> wrote:
> > >>
> > >>> Over on bugtraq, there's an interesting new thread regarding
> > >>> vulnerabilities in Mac OS X widgets.
> > >>>
> > >>> http://www.securityfocus.com/archive/1/484542/30/0/threaded
> > >>> http://www.securityfocus.com/archive/1/484567/30/0/threaded
> > >>>
> > >>> Essentially, widgets can "relax the Dashboard's JavaScript sandbox
> > >>> to enable the widget.system() call, which indeed amounts to the equivalent of
> > >>> system(3); i.e., if an attacker can take over the widget, the attacker can
> > >>> take over the user's account (and, quite often, the system)."
> > >>>
> > >>>
> > >>> Security Response Researcher
> > >>> Focus-Apple Moderator
> > >>>
> > >>> ________________________________________
> > >>> Todd D. Woodward
> > >>> Technical Support Engineer
> > >>> NetBackup Support
> > >>> Symantec Corporation
> > >>> www.symantec.com
> > >>> Springfield, Oregon
> > >>> ________________________________________
> > >>> Office: 541-335-7441
> > >>> ________________________________________
> > >>>
> > >>>
> > >>
> > >>
> > >
> >
> >
> >
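Mark's two greps (Allow* keys in Info.plist, eval in *.js) have to be correlated by hand. The script below is an added example, not code from anyone in this thread: it walks a directory of .wdgt bundles and, per widget, lists which Allow* sandbox keys are set to true, counts eval( calls in its JavaScript, and flags the combination Todd's quote describes (eval of fetched content inside a sandbox that grants file-system or shell access). It assumes the Dashboard bundle layout of the time (Name.wdgt/Info.plist with *.js files inside the bundle). AllowSystem is the documented key that enables widget.system() and is not mentioned in the thread; the sample widget tree built by make_fixture is constructed for the stand-alone run and does not represent real Apple widgets.

```shell
#!/bin/sh
# Added example (not from the thread): per-widget correlation of Dashboard
# sandbox keys and eval() use. Run as "sh audit.sh /Library/Widgets" (or
# ~/Library/Widgets); with no argument it audits a constructed sample tree.

# Print the Allow* keys set to <true/> in an Info.plist, comma separated.
# Newlines are stripped first so "<key>X</key>\n<true/>" still matches.
allow_keys() {
    [ -f "$1" ] || return 0
    tr -d '\n' < "$1" \
      | grep -o '<key>Allow[A-Za-z]*</key>[[:space:]]*<true/>' \
      | sed 's#<key>\(Allow[A-Za-z]*\)</key>.*#\1#' \
      | tr '\n' ',' | sed 's/,$//'
}

# Count lines calling eval( across all *.js files in a widget bundle.
# grep -c prints "file:count" for several files and a bare count for one;
# $NF handles both, and an empty result (no .js files) yields 0.
eval_count() {
    find "$1" -name '*.js' -exec grep -c 'eval(' {} + 2>/dev/null \
      | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Classify one widget from its key list and eval count. eval of downloaded
# content is what the thread calls the "sin"; it becomes HIGH only when the
# sandbox also grants file-system or shell access. AllowSystem is the key
# behind widget.system() (documented Apple key, not named in the thread).
verdict() {
    keys="$1"; evals="$2"
    case ",$keys," in
        *,AllowFullAccess,*|*,AllowFileAccessOutsideOfWidget,*|*,AllowSystem,*)
            if [ "$evals" -gt 0 ]; then echo HIGH; return; fi ;;
    esac
    if [ "$evals" -gt 0 ]; then echo REVIEW; return; fi
    case ",$keys," in
        *,AllowInternetPlugins,*) echo REVIEW; return ;;   # plugin exposure
    esac
    echo OK
}

# Audit every .wdgt bundle under $1: "name|keys|evals|verdict", one per line.
audit_widgets() {
    for wdgt in "$1"/*.wdgt; do
        [ -d "$wdgt" ] || continue
        name=$(basename "$wdgt" .wdgt)
        keys=$(allow_keys "$wdgt/Info.plist")
        evals=$(eval_count "$wdgt")
        printf '%s|%s|%s|%s\n' "$name" "$keys" "$evals" "$(verdict "$keys" "$evals")"
    done
}

# Names of widgets whose verdict is HIGH.
high_risk_widgets() {
    audit_widgets "$1" | awk -F'|' '$4 == "HIGH" { print $1 }'
}

# Write one constructed widget bundle: dir, name, plist dict body, js body.
mk_widget() {
    mkdir -p "$1/$2.wdgt"
    printf '<?xml version="1.0"?>\n<plist version="1.0"><dict>\n%s\n</dict></plist>\n' \
        "$3" > "$1/$2.wdgt/Info.plist"
    printf '%s\n' "$4" > "$1/$2.wdgt/$2.js"
}

# Constructed sample tree (illustration only, not real Apple widgets).
make_fixture() {
    d=$(mktemp -d)
    mk_widget "$d" Feed   '<key>AllowFullAccess</key><true/>' \
                          'var data = eval(xhr.responseText); // JSON via eval'
    mk_widget "$d" Notes  '<key>AllowFileAccessOutsideOfWidget</key>
<true/>'                  'var data = JSON.parse(xhr.responseText);'
    mk_widget "$d" Movies '<key>AllowInternetPlugins</key><true/>' 'widget.openURL(u);'
    mk_widget "$d" Clock  '<key>AllowNetworkAccess</key><false/>' 'setInterval(tick, 1000);'
    echo "$d"
}

# Entry point: audit the directory given as $1, else the constructed fixture.
main() {
    if [ $# -gt 0 ]; then
        audit_widgets "$1"
    else
        demo=$(make_fixture)
        audit_widgets "$demo"
        rm -rf "$demo"
    fi
}
main "$@"
```

On the sample tree the Feed widget (AllowFullAccess plus eval of a server response) comes out HIGH, Movies is REVIEW on the plugin key alone, and Notes, which has outside-bundle file access but parses JSON instead of eval'ing it, is OK; that last case is exactly the distinction Mark drew by correlating the two greps rather than reading either on its own.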
